 

Vendors Respond to Heartbleed with Security Updates

By - Source: Tom's IT Pro

The OpenSSL heartbeat extension flaw, dubbed "Heartbleed," lets an attacker read memory from a connected server or client (up to 64 KB per heartbeat request), which can include private keys, session cookies and passwords, and the read leaves no trace in the target's logs. OpenSSL has patched the bug and made the fix available to the global community. Unfortunately, that is not the end of the story, because as the authors of the site heartbleed.com note, "Individual vendors of operating system distributions, affected owners of Internet services, software packages and appliance vendors may issue their own advisories."

As that statement makes painfully clear, the burden of identifying which systems are affected and then locating the patches to fix them falls on the affected organization's IT group.

Vendors are investigating their own software, servers, network appliances and everything in between to determine what products are vulnerable. Many vendors are posting bulletins, security advisories, and customer notices online with their findings and progress status.
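The inventory step is where most of that burden lands, so here is an added example of a triage check (written for this page; it is not code from the article or from any vendor). It classifies `openssl version` output collected from a fleet against the upstream releases that carried the bug (1.0.1 through 1.0.1f and 1.0.2-beta1; fixed in 1.0.1g), and it separately compares an installed RPM package version against the version named in a vendor advisory, because a distribution that backports the fix keeps the upstream version string (Red Hat's 1.0.1e packages, for example), so the version string alone cannot prove a host is still vulnerable. The host names, version lines and the "fixed" package version are constructed inputs; take the real fixed version from the vendor's bulletin.

```python
"""Triage OpenSSL version strings for the Heartbleed (CVE-2014-0160) bug.
Added example for this page; not the article's or any vendor's code."""
import re
import subprocess

# Upstream releases carrying the bug: 1.0.1 through 1.0.1f and 1.0.2-beta1.
# Fixed upstream in 1.0.1g (7 April 2014). 0.9.8 and 1.0.0 never had the
# TLS heartbeat extension, so they are not affected.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(\S+))?")

# `rpm -q openssl` prints e.g. openssl-1.0.1e-16.el6_5.7.x86_64; strip the
# package name and the architecture suffix to get version-release.
PKG_RE = re.compile(r"^openssl-(.+?)(?:\.(?:x86_64|i686|i386|noarch|ppc64|s390x))?$")


def classify(version_line):
    """Classify one line of `openssl version` output.

    Returns 'affected', 'not affected' or 'unknown'. 'affected' means the
    upstream release has the bug; on a distro that backports fixes the
    version string stays the same after patching, so treat 'affected' as
    "confirm the package version against the vendor advisory".
    """
    m = VERSION_RE.search(version_line)
    if not m:
        return "unknown"
    major, minor, patch, letter, tag = m.groups()
    ver = (int(major), int(minor), int(patch))
    if ver == (1, 0, 1):
        # '' <= 'f' is True, so plain 1.0.1 counts as affected; 1.0.1g+ does not.
        return "affected" if letter <= "f" else "not affected"
    if ver == (1, 0, 2):
        return "affected" if tag and tag.lower().startswith("beta1") else "not affected"
    return "not affected"


def _split(version_release):
    # Break '1.0.1e-16.el6_5.7' into [1, 0, 1, 'e', 16, 'el', 6, 5, 7].
    return [int(p) if p.isdigit() else p
            for p in re.findall(r"\d+|[A-Za-z]+", version_release)]


def rpm_vercmp(a, b):
    """Simplified rpmvercmp: -1, 0 or 1. Numeric segments compare
    numerically, alphabetic ones as strings, and a numeric segment is newer
    than an alphabetic one in the same position (as in rpm). A longer
    string with an equal prefix is newer."""
    sa, sb = _split(a), _split(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if isinstance(x, int) and isinstance(y, int):
            return -1 if x < y else 1
        if isinstance(x, int):
            return 1
        if isinstance(y, int):
            return -1
        return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def package_is_fixed(installed, fixed_version_release):
    """installed: output of `rpm -q openssl`; fixed_version_release: the
    version-release the vendor advisory names as fixed. True if the
    installed package is at or beyond the fixed one."""
    m = PKG_RE.match(installed)
    installed_vr = m.group(1) if m else installed
    return rpm_vercmp(installed_vr, fixed_version_release) >= 0


def triage(inventory):
    """inventory: list of (host, `openssl version` output) -> {host: status}."""
    return {host: classify(line) for host, line in inventory}


def local_version():
    """Classify the OpenSSL build installed on this host."""
    out = subprocess.run(["openssl", "version"], capture_output=True,
                         text=True, check=True).stdout
    return classify(out)


# Constructed sample inventory (not real hosts); the version lines are in the
# exact format `openssl version` prints.
SAMPLE_INVENTORY = [
    ("web1", "OpenSSL 1.0.1e-fips 11 Feb 2013"),   # RHEL-style build string
    ("web2", "OpenSSL 1.0.1g 7 Apr 2014"),
    ("db1",  "OpenSSL 1.0.0-fips 29 Mar 2010"),
    ("lb1",  "OpenSSL 1.0.2-beta1 24 Feb 2014"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
    # Illustrative fixed version; use the one from your vendor's advisory.
    print(package_is_fixed("openssl-1.0.1e-16.el6_5.7.x86_64", "1.0.1e-16.el6_5.7"))
```

The two checks answer different questions: `classify` tells you which hosts to look at, and `package_is_fixed` tells you whether a vendor-patched package is actually in place on a host whose version string still says 1.0.1e. Remember that patching is only the first step; services must be restarted to load the new library, and keys exposed while the bug was live should be regenerated and the old certificates revoked.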

For a comprehensive list of vendors and links to additional information, review the Vendor Information section on this CERT site. However, note that the CERT site states this is, "a list of vendors who may be affected by the vulnerability," and on at least one reference (Microsoft), the CERT site indicates, "No statement is currently available from the vendor regarding this vulnerability."

While that may be true, Microsoft has posted a blog entry regarding Microsoft Azure and Heartbleed (see below), so the CERT site may not be up-to-date where vendors have not responded to its inquiries.

Listed below are a few notable vendors who have responded to the OpenSSL bug problem:

Cisco -- At the time of this article, Cisco is on Revision 1.7 of their Advisory ID: cisco-sa-20140409-heartbleed that identifies affected products, workarounds, software versions and fixes, and other information including a list of products the company has confirmed are not vulnerable. The initial release of information started on April 9 and Cisco has continually provided regular updates.

Dell -- Posted a support site dedicated to Heartbleed remediation that shows a mix of both affected and non-affected hardware and software.

HP -- Posted individual customer notices, one per product line, which (HP, take note) makes it harder for users to get the whole picture:

  • (c04237347) - HP Networking Communication: OpenSSL Heartbleed Vulnerability contains a long list of hardware platforms affected by the bug (see the list at the end of their notice).
  • (c04239413) - HP Servers Communication: OpenSSL "HeartBleed" Vulnerability contains a list of products that are NOT impacted by the bug as well as some products that are with links to those products Security Bulletins.
  • (c04236062) - HP BladeSystem c-Class Onboard Administrator running OpenSSL, with a download site for an OpenSSL Service Pack 1.0 (4/15/2014) for affected units.
  • (c04239372) for HP System Management Homepage (SMH) running OpenSSL on Linux and Windows.

Update: 4/21/2014
If you don't mind the extra emails, you can also subscribe to HP.com's newsletter by going to hp.com, click "Support", click "Support and Troubleshooting" and click "Sign up: driver, support and security alerts" (near bottom of page.)

IBM -- Posted a list of products on their IBM Product Security Incident Response blog with a comprehensive list of links to bulletins for both affected and non-affected products.

Juniper -- Issued an Out of Cycle Security Bulletin for CVE-2014-0160 that identifies its products affected by the OpenSSL Heartbleed flaw.

Microsoft -- Posted a blog titled "Information on Microsoft Azure and Heartbleed" for those concerned about Windows Azure. Microsoft also used the post to state that Windows ships its own TLS implementation (Secure Channel) rather than OpenSSL, so Windows itself is not susceptible to the Heartbleed bug.

Red Hat -- Reported in its customer bulletin for CVE-2014-0160 that the bug affects Red Hat Enterprise Linux 6.5, Red Hat Enterprise Virtualization Hypervisor 6.5 and Red Hat Storage 2.1, all of which shipped OpenSSL 1.0.1e (earlier RHEL 6 releases shipped OpenSSL 1.0.0, which lacks the heartbeat extension). Red Hat additionally provides "How to recover from the Heartbleed OpenSSL vulnerability" tips on its site.

Update: 4/18/2014
Puppet Labs -- Released a video showing how to patch the Heartbleed OpenSSL vulnerability with Puppet Enterprise.

Update: 4/21/2014
VMware -- Posted a security advisory (VMSA-2014-0004.6) on updates that address OpenSSL security vulnerabilities.


There really is no good news coming out of this problem, although the authors of the heartbleed.com site attempt to put an optimistic spin on the situation:

"For those service providers who are affected this is a good opportunity to upgrade security strength of the secret keys used. A lot of software gets updates which otherwise would have not been urgent. Although this is painful for the security community, we can rest assured that infrastructure of the cyber criminals and their secrets have been exposed as well."

My guess would be that it is more likely that many in the vendor, IT and security community who are putting in long hours would probably have preferred the much earlier exposure of the OpenSSL bug.

Even though remediation is part of the cost of doing business for tech vendors, the severity and scope of this particular problem was probably not on any vendor's radar or in its budget. The cost will likely run into the tens if not hundreds of thousands of dollars in labor for companies the size of IBM, HP and others. Any guess at this point at the cost to IT organizations globally would be absurdly low.
