Network equipment vendors Cisco and Juniper are sharing information about their vulnerability to Heartbleed, the software security flaw that could enable hackers to steal passwords and other encrypted data from many of the servers on the Internet.
Cisco says that many of its products “incorporate a version of the OpenSSL package affected by a vulnerability that could allow an unauthenticated, remote attacker to retrieve memory in chunks of 64 kilobytes from a connected client or server.” The networking giant plans to release free software updates to address the vulnerabilities. The company has created a website to post updates, workarounds, and advisories about which specific software may be affected.
Cisco says its Computer Security Incident Response Team (CSIRT) is investigating Cisco's public-facing infrastructure that could be susceptible to Heartbleed. In addition, the company is highlighting its own security solutions that can provide visibility into and protection against the Heartbleed vulnerability: Sourcefire Next-Generation Intrusion Prevention System (NGIPS) and Cisco Intrusion Prevention System (IPS).
Juniper has listed specific products that may be impacted by Heartbleed, and has posted fixes for some of the affected products.
The Junos Pulse mobile security suite is one of the Juniper products that is vulnerable to Heartbleed. Junos Pulse is a mobile device management solution that offers IT managers a streamlined user interface for the management of virtual private networks and the mobile devices that connect to these networks. The company says that users can decrease their risk by upgrading to 5.0R3 if possible. Junos Pulse for Android version 5.0R3 (44997) is available for download from the Google Play Store. The company says it is working on the Samsung Android variant and the iOS variant of the updated software.
In addition, the company posted the following advisory for users of the Junos Pulse desktop client: Upgrade Junos Pulse clients to versions 5.0R3.1 or 4.0R9.2 using your chosen method of Junos Pulse deployment (through Web browser when users log in to their SSL VPN session or through software distribution infrastructure). If you used Pulse Client Version 4.0R9.1, make sure you upgrade to Pulse Client 4.0R9.2.