Love Hurts: 12 Networking Vendors Hit By Heartbleed
Heartbleed Has System Admins On Full Alert
The OpenSSL open-source implementation of the SSL and TLS protocols is used in a wide variety of networking equipment, giving networking teams a laundry list of systems that need updating after the discovery of the Heartbleed bug. The OpenSSL Project issued an update repairing the vulnerability, but because network device makers bundle their own copies of OpenSSL, each impacted vendor must issue its own patches. Networking security vendors also have released rules to detect attempts to exploit the vulnerability. Here are 12 high-profile networking vendors impacted by the Heartbleed bug.
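The detection rules mentioned above all key on the same property of a Heartbleed probe: a TLS heartbeat record whose payload_length field claims more bytes than the record actually carries. The following is an added example, not code from the article or from any vendor's signature set, that parses a raw TLS record and applies the same bounds check the patched OpenSSL enforces (1 type byte + 2 length bytes + payload + 16 bytes of minimum padding must fit in the record, per RFC 6520). The sample records are constructed inline, not captured traffic.

```python
import struct

# TLS record content type for the Heartbeat protocol, and the two heartbeat
# message types, as defined in RFC 6520. MIN_PADDING is the padding the RFC
# requires after the payload and is the bound the OpenSSL 1.0.1g fix enforces.
TLS_HEARTBEAT = 0x18
HB_REQUEST = 1
HB_RESPONSE = 2
MIN_PADDING = 16


def parse_tls_record(buf):
    """Split one raw TLS record into (content_type, (major, minor), body).

    Returns None if the buffer cannot hold the 5-byte header, or if the
    record claims more body bytes than are present (a truncated capture).
    """
    if len(buf) < 5:
        return None
    ctype, major, minor, length = struct.unpack("!BBBH", buf[:5])
    body = buf[5:5 + length]
    if len(body) != length:
        return None
    return ctype, (major, minor), body


def inspect_heartbeat(buf):
    """Classify one TLS record as 'not-heartbeat', 'malformed', 'benign'
    or 'heartbleed'.

    The Heartbleed condition is a heartbeat whose 16-bit payload_length
    claims more bytes than the record actually carries. A vulnerable OpenSSL
    trusted that field and copied payload_length bytes of its own heap into
    the response; fixed versions silently discard such records.
    """
    rec = parse_tls_record(buf)
    if rec is None:
        return "malformed"
    ctype, _version, body = rec
    if ctype != TLS_HEARTBEAT:
        return "not-heartbeat"
    if len(body) < 3:
        return "malformed"
    hb_type, payload_length = struct.unpack("!BH", body[:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return "malformed"
    # Same arithmetic as the patched OpenSSL: 1 (type) + 2 (length field)
    # + payload + 16 (minimum padding) must fit inside the record body.
    if 1 + 2 + payload_length + MIN_PADDING > len(body):
        return "heartbleed"
    return "benign"


def build_heartbeat(hb_type, claimed_length, payload,
                    padding=b"\x00" * MIN_PADDING, version=(3, 2)):
    """Assemble a heartbeat record. claimed_length is written into the
    payload_length field independently of len(payload) so a malformed
    record can be built for exercising the detector."""
    body = struct.pack("!BH", hb_type, claimed_length) + payload + padding
    return struct.pack("!BBBH", TLS_HEARTBEAT, version[0], version[1], len(body)) + body


# Constructed sample records for this example (not captured traffic).
SAMPLES = {
    # RFC-conformant request: 4-byte payload, 16 bytes of padding.
    "benign_request": build_heartbeat(HB_REQUEST, 4, b"ping"),
    # The widely circulated probe shape: claims 0x4000 payload bytes, carries none.
    "oversized_claim": bytes.fromhex("18 03 02 00 03 01 40 00"),
    # Claims 64 bytes but carries 4: still an over-read of 60 heap bytes.
    "modest_claim": build_heartbeat(HB_REQUEST, 64, b"ping"),
    # Ordinary application-data record, content type 0x17.
    "app_data": bytes.fromhex("17 03 02 00 05") + b"hello",
    # Header claims 16 body bytes but only one arrived.
    "truncated": bytes.fromhex("18 03 02 00 10 01"),
}


def scan(records):
    """Run the detector over a dict of name -> record bytes and return the
    names flagged as Heartbleed attempts, sorted for stable output."""
    return sorted(name for name, rec in records.items()
                  if inspect_heartbeat(rec) == "heartbleed")


if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        print(f"{name:16s} {inspect_heartbeat(rec)}")
    print("flagged:", scan(SAMPLES))
```

Two caveats apply to any rule of this shape, vendor signatures included. It only works on heartbeat records that are sent in the clear, which is the case for the public probes because they send the heartbeat during the handshake before encryption starts; a heartbeat sent after the handshake completes is encrypted and its length field cannot be read by a sensor. And the check is one record at a time: a sensor that does not reassemble TCP segments can miss a record split across packets, which the "truncated" sample stands in for here.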
Aruba Networks
Aruba issued an advisory alerting customers that its ArubaOS and ClearPass software contained the OpenSSL vulnerability. The company found the Heartbleed error in ArubaOS versions 6.3.x, 6.4.x and ClearPass versions 6.1.x, 6.2.x, 6.3.x and issued patches. "We recommend that all customers upgrade to these versions immediately," Aruba said in its advisory.
Blue Coat Systems
A Blue Coat Systems advisory said its content analysis system, malware analysis appliance, ProxyAV, ProxySG and SSL Visibility software are vulnerable to the Heartbleed bug and issued a patch for ProxySG. The company said its engineering team is working on a fix for the other products. Workarounds may be applied to downgrade to a previous version that is not vulnerable, according to Blue Coat.
Cisco Systems
Cisco issued an advisory on the Heartbleed bug, alerting customers that it confirmed the flaw in 16 of its products. The company is now investigating the potential for the vulnerability in more than 60 other networking products. Confirmed products include the AnyConnect Secure Mobility Client, Unified IP Phones, TelePresence Video Communication Server, MS200X Ethernet Access Switch and WebEx Meetings Server versions 2.x. Software updates also have been issued for confirmed devices. The company issued intrusion detection system rules to detect attacks targeting the flaw and said it would update its advisory as additional information becomes available.
Check Point Software Technologies
Check Point issued an alert indicating that most of its security appliances were free from the vulnerability. The company is still investigating its Check Point Mobile VPN for iOS and Android. Check Point issued rules for its security gateway appliances to detect and block attempts to exploit the vulnerability.
F5 Networks
F5 Networks said it detected the OpenSSL vulnerability in the management interface of some of its BIG-IP Edge Gateway appliances. In its advisory, the company said its BIG-IP Edge Client for Windows, Mac OS and Linux was vulnerable and could enable an attacker to retrieve sensitive information from the BIG-IP Edge Client when it connects to a compromised FirePass or BIG-IP APM system or if "an attacker deceives the user into connecting the Edge Client to a malicious SSL server." The company also told administrators to ensure that the management interface is not exposed to a public-facing network.
Fortinet
Fortinet said its FortiGate appliances that run FortiOS 5.0 and higher were vulnerable to the OpenSSL bug. In its advisory it also indicated that it found the Heartbleed flaw in FortiAuthenticator, FortiMail, FortiVoice and FortiRecorder appliances. The company issued a software update to FortiOS 5.0, fixing the issue in 5.0.7. Fortinet’s traffic management subsidiary, Coyote Point, said its Equalizer and FortiADC-E software releases were vulnerable to the error as well.
Hewlett-Packard
HP said in an advisory that many of its products were not impacted by the OpenSSL bug but that some equipment was still under investigation. The company said its Virtual Application Networks SDN controller runs on an Ubuntu host operating environment and that certain versions of Ubuntu -- including version 12.04 LTS, which is compatible with the Virtual Application Networks SDN controller -- have been identified as vulnerable.
IBM
IBM's Product Security Incident Response Team issued an alert indicating that its engineering team is analyzing the company's products and urged users to monitor the support portal. IBM said it issued intrusion prevention signatures to detect attacks attempting to exploit the OpenSSL flaw.
Juniper Networks
A Juniper advisory said Junos OS 13.3R1 was vulnerable to the OpenSSL vulnerability. In its advisory, the company also confirmed the flaw in its Odyssey client, SSL VPN, Unified Access Control server, and Junos Pulse desktop and mobile software in certain instances. The company released signatures to detect an attacker attempting to exploit the vulnerability. "We consider this to be a critical issue. The sensitive information potentially exposed by this issue can be leveraged to further compromise the system," Juniper said. "Exploits are known to exist in the wild."
Sophos
Sophos issued an alert indicating that it detected the Heartbleed coding error in versions 9.1 and 9.2 of its unified threat management appliance (formerly Astaro). The company issued an update repairing the vulnerability. Sophos said its UTM Manager version 4.1 also was affected by the flaw and that a fix would be released as soon as possible.
VMware
An advisory issued by VMware indicated that nearly 30 of its products were shipped with the vulnerability. Some of the impacted software includes the company's ESXi hypervisor software, Horizon Workspace line, vCloud Networking and Security software-defined networking software and vCenter Server software. "VMware is working on updating its products to remediate the issue," the company said. Deploying vSphere 5.5 on an isolated network will minimize exposure to the threat, according to VMware.
WatchGuard Technologies
WatchGuard said its XTM and XCS appliances were affected by the OpenSSL vulnerability. The flaw impacted versions 11.8.x of XTM and a security update will be released shortly, said Corey Nachreiner, director of security strategy, in a blog post. XCS appliances would only be affected if SecureMail was also being used, Nachreiner said. WatchGuard's SSL VPN appliances were not affected because they use older versions of OpenSSL that predate the bug, he said.