Vendors are continuing to check their products for potential effects from the OpenSSL heartbleed vulnerability, and both Cisco and BlackBerry have found that a variety of their products contain a vulnerable version of the software.

BlackBerry on Thursday said that several of its software products are vulnerable to the OpenSSL bug, but that its phones and devices are not affected. The company said its BBM for iOS and Android, Secure Workspace for iOS and Android and BlackBerry Link for Windows and OS X all are vulnerable to the OpenSSL flaw.

“BlackBerry is currently investigating the customer  impact of the recently announced OpenSSL vulnerability. BlackBerry customers can rest assured that while BlackBerry continues to investigate, we have determined that BlackBerry smartphones, BlackBerry Enterprise Server 5 and BlackBerry Enterprise Service 10 are not affected and are fully protected from the OpenSSL issue. A list of known affected and unaffected products is supplied in this notice, and may be updated as we complete our investigation,” the company’s advisory says.

Meanwhile, the list of Cisco products affected by the heartbleed vulnerability is much longer.

The company said in its advisory that many of its products, including its TelePresence Video Communications Server, WebEx Meetings Server, many of its Unified IP phones and several others, are vulnerable. Cisco also said that a far larger list of products are potentially vulnerable and are under investigation.

Cisco’s Sourcefire Vulnerability Research Team did some testing on the vulnerability and found that on vulnerable systems it could retrieve usernames, passwords and SSL certificates.

“To detect this vulnerability we use detection_filter (“threshold”) rules to detect too many inbound heartbeat requests, which would be indicative of someone trying to read arbitrary blocks of data. Since OpenSSL uses hardcoded values that normally result in a 61 byte heartbeat message size, we also use rules to detect outbound heartbeat responses that are significantly above this size. Note: you can’t simply compare the TLS record size with the heartbeat payload size since the heartbeat message (including the indicated payload size) is encrypted,” Brandon Stultz of Cisco wrote in a blog post.

 

Categories: Vulnerabilities, Web Security

Comments (2)

  1. jrousseau32@outlook.com
    1

    today’s world means that I have my credit report on speed dial.. and I’ll bet they are laughing all the way to the bank.

    Reply
  2. John Austin
    2

    Best practices documents from the NSA state that network management interfaces should not be accessible from the user side of networks. For example, access control lists can prevent the usual non-routable addresses from entering or leaving a network. Management networks can also be isolated from user traffic using VLANs.

    Reply

Leave A Comment

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>