Heartbleed developer speaks as security flaw found in Cisco and Juniper gear

By Graeme Burton
11 Apr 2014 View Comments
A Cisco logo

Networking equipment from Cisco Systems and Juniper Networks were both compromised by flawed OpenSSL code, the equipment vendors have confirmed.

The vendors say that it affects routers, switches and firewall software and hardware. The news that the security flaw has been found in networking hardware from the two biggest vendors dramatically escalates the seriousness of the situation, and the complexity of the products means that it will take more time to implement fixes.

Further reading

"It doesn't sound like a flip-the-switch sort of thing," Juniper spokesman Corey Olfert told the Wall Street Journal. "I don't know how quickly they can be resolved."

Juniper says that it issued a patch for the most vulnerable products earlier this week, which included a fix for the flawed OpenSSL code. This patch is intended to secure virtual private networking (VPN) features in its products, although other products and functions remain exposed. Cisco, meanwhile, has told users to keep an eye on its website for updates.

Cisco's current advisory, including a full list of affected products, can be found here. It has offered users software that will enable them to detect whether hackers are seeking to exploit the bug on their network.

Other organisations affected by the flaw include Yahoo's Flickr and Tumblr websites and the Duckduckgo secure search site, which potentially exposed users' search strings.

The developer responsible for the 'Heartbleed' security flaw in the OpenSSL stack has expressed his "regret" for the oversight but denied that it was due to a rush to submit the code before the 2012 New Year celebrations - the code was only submitted on 11.59pm on New Year's Eve in 2011.

The programmer, Robin Seggelmann, based in Germany, said that the software had been developed over a number of weeks.

"I am responsible for the error," he told The Guardian newspaper, "because I wrote the code and missed the necessary validation by an oversight. Unfortunately, this mistake also slipped through the review process and therefore made its way into the released version."

Seggelmann had developed the software for a function called Heartbeat in OpenSSL, which contained the flawed code. He worked on the OpenSSL project for four years, between 2008 and 2012, while working on his doctorate, but is no longer involved.

However, other coders and organisations have blamed the open source project itself for the error, saying that they laid themselves wide open by using a memory management technique they developed themselves instead of using the standard memory management facilities of the operating system.

Reader comments
blog comments powered by Disqus
Newsletters
Is it time to open Windows?

Computing believes that Microsoft will start offering Windows free of charge by 2017. Is this a good thing for the enterprise?

55 %
19 %
6 %
15 %
5 %