So far we have discussed the Heartbleed vulnerability without investigating which products on the market are actually affected by it. We established that Heartbleed potentially allows an attacker to access any encrypted data stream regardless of the application that uses it; in my previous post I presented statistics on its diffusion to understand the impact on the IT community.
Solution providers have started to evaluate the impact of the Heartbleed vulnerability on their products, and the results are disconcerting: the giants BlackBerry and Cisco have discovered that a large number of their products are affected by the Heartbleed vulnerability.
Cisco announced that numerous products are potentially vulnerable and are currently under investigation. Cisco products are a privileged target for cyber espionage campaigns, and a flaw in its systems may have been exploited to gather information from targeted systems.
What information can be stolen by exploiting the flaw?
The Cisco Sourcefire Vulnerability Research Team tested its products for the presence of the Heartbleed vulnerability and found that, by exploiting the flaw, it could retrieve users’ credentials (e.g. username, password) and SSL certificates.
Cisco informed its customers with a public advisory that many of its products, including its TelePresence Video Communications Server, WebEx Meetings Server, many of its Unified IP phones and several others, are vulnerable.
“Multiple Cisco products incorporate a version of the OpenSSL package affected by a vulnerability that could allow an unauthenticated, remote attacker to retrieve memory in chunks of 64 kilobytes from a connected client or server.”
If you browse the advisory page you can verify that the list of affected products is very long, and the worrying news is that those systems are usually adopted by many large enterprises and government entities, a circumstance that raises many concerns about the possibility that someone may have exploited the Heartbleed vulnerability for a long time, collecting sensitive information.
“Heartbleed is a serious vulnerability in OpenSSL 1.0.1 through 1.0.1f. If you have not upgraded to OpenSSL 1.0.1g or installed a version of OpenSSL with -DOPENSSL_NO_HEARTBEATS it is strongly recommended that you do so immediately. This vulnerability allows the attacker to read up to 64KB of heap memory from the victim without any privileged information or credentials. How is this possible? In short, OpenSSL’s heartbeat processing functions use an attacker controlled length for copying data into heartbeat responses. Both DTLS and TLS heartbeat implementations are vulnerable.” Brandon Stultz of Cisco wrote in a blog post.
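The length check that the quoted explanation refers to is easy to see in code. The following is an added example, not code from OpenSSL or from the Cisco post: it parses a simplified heartbeat record (1-byte type, 2-byte big-endian payload length, payload, at least 16 bytes of padding) and refuses to build a response unless the declared payload length fits inside the bytes actually received, which is the bounds check that 1.0.1g introduced. The constants, function names and sample records are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Simplified heartbeat record layout (hypothetical names):
 * [type:1][payload_length:2, big-endian][payload][padding >= 16 bytes] */
#define HB_TYPE_REQUEST  1
#define HB_TYPE_RESPONSE 2
#define HB_MIN_PADDING   16

enum hb_verdict { HB_OK = 0, HB_TRUNCATED, HB_BAD_TYPE, HB_LENGTH_MISMATCH };

/* Validate the attacker-controlled payload_length against rec_len, the number
 * of bytes really present in the record, before anything is copied. Versions
 * 1.0.1 through 1.0.1f skipped this comparison and trusted payload_length. */
enum hb_verdict hb_validate(const uint8_t *rec, size_t rec_len, uint16_t *payload_len_out)
{
    if (rec_len < 1 + 2 + HB_MIN_PADDING)       /* header plus minimum padding must fit */
        return HB_TRUNCATED;
    if (rec[0] != HB_TYPE_REQUEST)
        return HB_BAD_TYPE;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload_len + HB_MIN_PADDING > rec_len)
        return HB_LENGTH_MISMATCH;               /* declared length reaches past the record */
    if (payload_len_out)
        *payload_len_out = payload_len;
    return HB_OK;
}

/* Build a response only from a validated request; the memcpy is bounded by
 * hb_validate, so it can never read beyond the received bytes. Returns the
 * response length, or 0 when the request is silently discarded. */
size_t hb_build_response(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    uint16_t n;
    if (hb_validate(rec, rec_len, &n) != HB_OK)
        return 0;
    size_t need = 1 + 2 + (size_t)n + HB_MIN_PADDING;
    if (need > out_cap)
        return 0;
    out[0] = HB_TYPE_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, n);                 /* copies exactly the validated payload */
    memset(out + 3 + n, 0, HB_MIN_PADDING);      /* padding (random bytes in real TLS) */
    return need;
}

/* Constructed sample records: a well-formed 3-byte payload, and one that
 * declares 65535 payload bytes while carrying only 3. */
static const uint8_t kGoodRequest[22] = { 1, 0x00, 0x03, 'a', 'b', 'c' };
static const uint8_t kOversizedRequest[22] = { 1, 0xFF, 0xFF, 'a', 'b', 'c' };
```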
BlackBerry likewise announced that several of its products are vulnerable to the Heartbleed flaw, but it remarked that its phones and devices are not affected.
BBM for iOS and Android, Secure Workspace for iOS and Android and BlackBerry Link for Windows and OS X all are vulnerable to the OpenSSL flaw.
“BlackBerry is currently investigating the customer impact of the recently announced OpenSSL vulnerability. BlackBerry customers can rest assured that while BlackBerry continues to investigate, we have determined that BlackBerry smartphones, BlackBerry Enterprise Server 5 and BlackBerry Enterprise Service 10 are not affected and are fully protected from the OpenSSL issue. A list of known affected and unaffected products is supplied in this notice, and may be updated as we complete our investigation,” states the official advisory issued by the company.
It is expected that in the coming weeks many other vendors will inform their customers that their products are affected by the dreaded flaw.
(Security Affairs – Heartbleed vulnerability, Cisco, BlackBerry)