
OpenSSL Heartbeat Extension Vulnerability in Multiple Cisco Products  - 001sky
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed
======
louwrentius
Some HP Storage appliances (SAN) like the MSA P2000 G3 are also vulnerable.

Everything is suspect. We are an HP shop and I wonder if the switches are
affected too, but we are too stupid to have them configured with SSL.

APC UPS, HVAC, etc.

This all goes to show: make sure that you have a special management network
separate from the rest of your infrastructure that is only accessible for
sysadmins, through a trusted console server.

------
curiouscats
I am by no means even competent at network security; I am curious why articles
like
[http://online.wsj.com/news/articles/SB1000142405270230387360...](http://online.wsj.com/news/articles/SB10001424052702303873604579493963847851346)
seem to imply companies will have to physically replace network gear?

I would think software updates would allow the code to be updated.

Even if somehow they were worried the attacker has gained access and done
things that might be a security problem, can't you essentially reset the
software and start from scratch if you couldn't trust that you could find changes
that were made, accounts added…? Maybe that shows how naive I am about network
hardware?

~~~
jlgaddis
I can't read the article but it's possibly because there is a _LOT_ of EoL
network gear still out there that won't be getting updated software.

~~~
sspiff
The bug has "only" been present for 3 years. I think no enterprise appliance
new enough to ship with an affected OpenSSL version is old enough to be EoL.

~~~
jlgaddis
You're probably right, but what about pre-existing kit that received an update
that included the b0rked version of SSL and went EoL since?

I haven't kept up on what version of FreeBSD is being used as the basis of
JunOS nowadays but I would not be surprised to hear of EoL Juniper kit that
included the flawed code. (I have no evidence that JunOS includes OpenSSL code
but I assume that it does.)

------
seldo
Can somebody more familiar with Cisco products look at the list and break this
down a bit? Are these mostly edge-of-network devices, or are these big
switches that tons of traffic run through?

Does being vulnerable to Heartbleed necessarily mean traffic through these
boxes is vulnerable?

~~~
dmix
That depends: can the routers be accessed remotely over WAN?

If so, an admin password might pop up in memory scans allowing a compromise.
From there remote software can be downloaded to the router, potentially
allowing snooping/mirroring of traffic.

But it's likely most of them (i.e. the important ones) are behind local
firewalls and VPNs.
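The leak dmix describes only happens when a device answers a heartbeat request whose declared payload length is larger than what the record actually carries. Whether a management interface is reachable over the WAN or only from the separate management network louwrentius recommends, the defender's check is the same: look at captured TLS records for heartbeat messages that fail the RFC 6520 length rule. The following is an added example written for this thread, not code from Cisco, HP or any commenter; the record layout follows RFC 6520, and the three sample records at the bottom are constructed inline rather than taken from a real capture.

```python
"""Flag Heartbleed-style TLS heartbeat records in captured traffic.

RFC 6520 puts a heartbeat message inside a TLS record of content type 24:
    type(1) | payload_length(2) | payload(payload_length) | padding(>= 16)
A well-formed message therefore satisfies
    payload_length + 3 + 16 <= length of the record body.
A request that breaks that rule is the input an unpatched OpenSSL 1.0.1
would answer from uninitialised memory, so it is what an IDS rule keys on.
"""
import struct

TLS_HEARTBEAT = 24          # TLS content type for the heartbeat extension
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
HEARTBEAT_HEADER = 3        # type(1) + payload_length(2)
MIN_PADDING = 16            # RFC 6520 minimum padding


def parse_record(data: bytes):
    """Split one TLS record into (content_type, version, body).

    Raises ValueError when the capture is shorter than the record claims,
    so a truncated packet is never mistaken for a well-formed one.
    """
    if len(data) < 5:
        raise ValueError("truncated TLS record header")
    ctype, version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("record body shorter than its length field")
    return ctype, version, body


def check_heartbeat(record: bytes) -> str:
    """Classify one TLS record as 'other', 'ok' or 'suspicious'."""
    ctype, _version, body = parse_record(record)
    if ctype != TLS_HEARTBEAT:
        return "other"
    if len(body) < HEARTBEAT_HEADER:
        return "suspicious"          # cannot even hold the heartbeat header
    hb_type = body[0]
    declared = struct.unpack("!H", body[1:3])[0]
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return "suspicious"          # unknown heartbeat message type
    if declared + HEARTBEAT_HEADER + MIN_PADDING > len(body):
        return "suspicious"          # declared payload exceeds what was sent
    return "ok"


def scan(records) -> dict:
    """Tally verdicts over an iterable of raw TLS records."""
    counts = {"other": 0, "ok": 0, "suspicious": 0}
    for record in records:
        counts[check_heartbeat(record)] += 1
    return counts


def _record(ctype: int, body: bytes) -> bytes:
    """Wrap a body in a TLS 1.1 record header (helper for the samples)."""
    return struct.pack("!BHH", ctype, 0x0302, len(body)) + body


# Constructed sample records (not from a real capture).
BENIGN_HEARTBEAT = _record(
    TLS_HEARTBEAT,
    bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", 4) + b"ping" + b"\x00" * 16)
# Declared payload of 16384 bytes with nothing but padding behind it.
MALFORMED_HEARTBEAT = _record(
    TLS_HEARTBEAT,
    bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", 0x4000) + b"\x00" * 16)
APP_DATA = _record(23, b"opaque-application-data")

if __name__ == "__main__":
    print(scan([BENIGN_HEARTBEAT, MALFORMED_HEARTBEAT, APP_DATA]))
```

Feed `scan()` the TLS records from a capture taken on the management segment; a single `suspicious` verdict against a device on the advisory's list is worth an incident ticket, because the same device will have answered with whatever was in its process memory at the time. The length rule is the only signal here; it does not tell you whether a given firmware build is patched, only that someone sent it a probe.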

~~~
rdl
Except, uh, their VPN client software :)

And a lot of their WebEx, VoIP and VTC, which will be accessible either
entirely within the organization, or on public networks.

Looks like most of their actual routers and stuff are _not_ affected, which is
unsurprising -- they SSH, not SSL, and it's unlikely they'd be running OpenSSL
1.0.1.

