Network equipment from Cisco and Juniper appears to be vulnerable to the Heartbleed bug in OpenSSL, which lets clients read a portion of a server's memory. Meanwhile, the developer who probably introduced the bug says it was not an intentional error.
Cisco has confirmed that sixteen of its routers, switches and IP phones are vulnerable to the bug in OpenSSL; for at least sixty other products it is still investigating whether they are affected. According to the American newspaper The Wall Street Journal, equipment from rival Juniper is also vulnerable to the Heartbleed bug.
Many websites that were vulnerable have rolled out OpenSSL patches in recent days to protect themselves. Security researchers recommend that users change their passwords on affected sites only once the patch has been installed; otherwise the new password could potentially be read by malicious users as well.
Meanwhile, the developer who probably introduced the bug says that it was not an intentional error. He calls the mistake ‘trivial’, though he acknowledges its serious impact. “I forgot to validate a variable that contains a length”, developer Robin Seggelmann told the Sydney Morning Herald. The error was not noticed during code review.
Ars Technica reported earlier that the bug may have been abused for two months before it was discovered by the OpenSSL team. The Electronic Frontier Foundation is asking whether intelligence agencies were behind it: one of the IP addresses that may have been used to exploit the bug would be part of a botnet that tries to record all conversations on Freenode, which according to the EFF is not something a normal cybercriminal would do.
The Heartbleed bug allows attackers to read chunks of 64 kilobytes from the memory of a server running OpenSSL. Because internal memory is read, private keys can be exposed, as well as decrypted passwords. Security guru Bruce Schneier calls the vulnerability “on the scale of 1 to 10, an 11”.
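As an added illustration of the missing length check the developer describes above (example code written for this page, not OpenSSL's own implementation): a constructed heartbeat record declares a longer payload than was actually sent, the handler that trusts the declared length echoes back bytes that sit next to the record in memory, and the handler with the check refuses the record. The record layout, the MEMORY buffer and the SECRET-KEY bytes are constructed stand-ins.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed heartbeat record: byte 0 = type, bytes 1-2 = big-endian payload
 * length, then the payload. MEMORY stands in for server memory: the record that
 * was actually received is followed by unrelated data that must never be echoed. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define RECORD_LEN  8            /* 3 header bytes + the 5 payload bytes really sent */

static const uint8_t MEMORY[64] = {
    HB_REQUEST, 0x00, 0x20,      /* declares a 32-byte payload; only 5 bytes follow */
    'h', 'e', 'l', 'l', 'o',
    'S', 'E', 'C', 'R', 'E', 'T', '-', 'K', 'E', 'Y'   /* adjacent, unrelated data */
};

static uint16_t declared_len(const uint8_t *rec) {
    return (uint16_t)(((uint16_t)rec[1] << 8) | rec[2]);
}

/* Trusting handler: copies as many bytes as the record declares, so the reply
 * carries whatever follows the record. Stays inside MEMORY here only so the
 * demonstration itself is well-defined. Returns the reply length. */
size_t reply_trusting(const uint8_t *rec, uint8_t *out) {
    uint16_t n = declared_len(rec);
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, n);
    return 3 + (size_t)n;
}

/* Fixed handler: the declared length is validated against the number of bytes
 * actually received before anything is copied. Returns 0 (no reply) otherwise. */
size_t reply_checked(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    if (rec_len < 3) return 0;
    uint16_t n = declared_len(rec);
    if ((size_t)n > rec_len - 3) return 0;   /* the length check that was missing */
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, n);
    return 3 + (size_t)n;
}

int main(void) {
    uint8_t out[64];
    size_t n = reply_trusting(MEMORY, out);
    printf("trusting: %zu bytes beyond the record echoed back\n", n - RECORD_LEN);
    printf("checked:  reply length %zu (0 = rejected)\n", reply_checked(MEMORY, RECORD_LEN, out));
    return 0;
}
```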