Juniper and Cisco equipment appears to be susceptible to Heartbleed bug


Network equipment from Cisco and Juniper appears to be vulnerable to the Heartbleed bug in OpenSSL, where clients can read part of the server memory. Meanwhile, the developer who probably introduced the bug claims that it is not an intentional error.

Cisco has confirmed that 16 of its routers, switches and IP phones are vulnerable to the OpenSSL bug; at least sixty other products are still being investigated to see whether they are vulnerable. Equipment from competitor Juniper is also vulnerable to the Heartbleed bug, according to the American newspaper The Wall Street Journal.

Many websites that were vulnerable have rolled out OpenSSL patches in recent days to protect themselves. Security researchers recommend that users do not change passwords on affected websites until the patch is installed; otherwise, a password change can potentially also be read by malicious parties.

Meanwhile, the developer who probably introduced the bug claims that it is not an intentional error. He calls the mistake ‘trivial’, although he acknowledges its serious impact. “I forgot to validate a variable that contains a length,” the developer, Robin Seggelmann, told the Sydney Morning Herald. The error was also not noticed during code review.

Ars Technica previously reported that the bug may have been exploited two months before its discovery by the OpenSSL team. The Electronic Frontier Foundation wonders if intelligence agencies were behind it. One of the IP addresses allegedly used to exploit the bug is said to be part of a botnet that tries to record all conversations on FreeNode; according to the EFF, that’s not something a normal internet criminal would do.

The Heartbleed bug allows attackers to read the memory of a server running OpenSSL, in chunks of 64 kilobytes. Because the internal memory is read, private keys can be read, among other things, as well as decrypted passwords. Security guru Bruce Schneier calls the vulnerability “on a scale of 1 to 10 an 11.”
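
The unvalidated length variable from the developer's quote, and the memory read it causes, shown as an added example (written for this page, not taken from the article and not OpenSSL's code). It assumes the RFC 6520 heartbeat layout (1-byte type, 2-byte payload_length, payload, at least 16 bytes of padding); the function names, the 64-byte `arena` and its contents are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_HEADER_LEN  3   /* 1-byte type + 2-byte payload_length */
#define HB_MIN_PADDING 16  /* RFC 6520: at least 16 padding bytes */

/* Constructed sample: 64 bytes of process memory. Bytes 0..22 are a heartbeat
 * request with the 4-byte payload "ping"; unrelated data follows it. */
static uint8_t arena[64];

static void make_sample(uint16_t claimed_len) {
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(claimed_len >> 8);   /* length the peer claims */
    arena[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(arena + 3, "ping", 4);
    memcpy(arena + 23, "PRIVATE-KEY-BYTES", 17);
}

/* Echo the payload back. msg_len is the number of bytes really received.
 * validate == 0 trusts the claimed length (the bug); validate != 0 silently
 * discards a message whose length field does not fit (returns 0). */
size_t hb_respond(const uint8_t *msg, size_t msg_len, int validate,
                  uint8_t *out, size_t out_cap) {
    if (msg_len < HB_HEADER_LEN || msg[0] != HB_REQUEST)
        return 0;
    size_t claimed = ((size_t)msg[1] << 8) | msg[2];
    if (validate && HB_HEADER_LEN + claimed + HB_MIN_PADDING > msg_len)
        return 0;                    /* length field exceeds the record */
    if (HB_HEADER_LEN + claimed > out_cap)
        return 0;                    /* never overrun the caller's buffer */
    out[0] = HB_RESPONSE;
    out[1] = msg[1]; out[2] = msg[2];
    memcpy(out + HB_HEADER_LEN, msg + HB_HEADER_LEN, claimed);
    return HB_HEADER_LEN + claimed;
}

/* -1 = discarded, 0 = answered cleanly, 1 = reply carries neighbouring bytes */
int sample_result(uint16_t claimed_len, int validate) {
    uint8_t out[64];
    make_sample(claimed_len);
    size_t n = hb_respond(arena, 23, validate, out, sizeof out);
    if (n == 0) return -1;
    return n >= 40 && memcmp(out + 23, "PRIVATE-KEY-BYTES", 17) == 0;
}
```

With validation on, an honest request is still answered, while any request whose claimed length does not fit in the received 23 bytes is dropped before the copy.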
