It has been reported today that the recently found Heartbleed Bug within the OpenSSL encryption code, as now also been found to be affecting routers and has been discovered in Cisco routers and Juniper devices.
The security breach in the OpenSSL encryption code was reported on Monday and many website such as Amazon, Yahoo and Netflix, to name a few have wasted no time upgrading their SSL certificates and security.
However Cisco said the Heartbleed security flaw affects routers, switches and firewalls often used by businesses, making them harder to fix with businesses less likely to check the status of their networks. Cybersecurity researcher and cryptographer Bruce Schneier explained : “The upgrade path is going to involve a trash can, a credit card, and a trip to Best Buy.”
For more information on the new Cisco Heartbleed Bug jump over to the Cisco website for details and to download a tool to help check your equipment. Cisco explains:
“Multiple Cisco products incorporate a version of the OpenSSL package affected by a vulnerability that could allow an unauthenticated, remote attacker to retrieve memory in chunks of 64 kilobytes from a connected client or server.
The vulnerability is due to a missing bounds check in the handling of the Transport Layer Security (TLS) heartbeat extension. An attacker could exploit this vulnerability by implementing a malicious TLS or Datagram Transport Layer Security (DTLS) client, if trying to exploit the vulnerability on an affected server, or a malicious TLS or DTLS server, if trying to exploit the vulnerability on an affected client.
An exploit could send a specially crafted TLS or DTLS heartbeat packet to the connected client or server. An exploit could allow the attacker to disclose a limited portion of memory from a connected client or server for every heartbeat packet sent. The disclosed portions of memory could contain sensitive information that may include private keys and passwords.”
Linksys posted a bulletin on their website stating: ” We are aware of the Heartbleed OpenSSL vulnerability, however after thorough testing of our product lines, we can confirm that our routers are not impacted. Linksys routers do use OpenSSL, however our product line uses another version that is not impacted by this vulnerability.”