Thursday, April 10, 2014

OpenSSL Heartbleed Vulnerability discovered

 
On April 7th a serious security flaw was discovered in OpenSSL; the problem is being called “Heartbleed”. Some major companies have been affected by the flaw, including Google, AWS and Rackspace, which plan to release patches quickly to fix the issue. Any company that uses OpenSSL to terminate SSL connections could find itself facing issues with Heartbleed. To stay ahead of the growing news, we have received statements from Peplink informing customers that their routing platforms aren’t affected by the Heartbleed OpenSSL flaw: 

Peplink/Pepwave Statement: 

“On April 7th, a serious security issue called "Heartbleed" in OpenSSL was made public. We have since reviewed our products and online services for the impact. 

Peplink has verified and confirmed that all of our products are not affected by this vulnerability - including Balance, MAX, FusionHub, AP One/Pro, Surf, Device Connector families. 

As for the online services, they are either unaffected or we have been able to apply mitigation to fully resolve the issue. 

There is no customer action required on your part. 

Thank you for your attention. 

The Peplink Team”

3Gstore.com Statement:

We have run internal tests to check for the OpenSSL security vulnerability and passed the check. 3Gstore remains PCI Compliant and is unaffected by the security flaw! When you shop with 3Gstore you can ensure that your data is safe and you'll experience a smooth transaction and speedy delivery of equipment.

Cradlepoint Statement: 

In response to the critical security vulnerability discovered in the OpenSSL cryptography software library (CVE-2014-0160), nicknamed “Heartbleed,” CradlePoint has taken steps to incorporate the OpenSSL version 1.0.1g into its latest firmware and Enterprise Cloud Manager. The purpose of this email is to inform you of the vulnerabilities and the steps necessary to remediate this issue.
If exploited, this vulnerability could allow attackers to monitor all information passed between a user and a web service or decrypt past traffic they’ve collected. More details can be found here: http://heartbleed.com

Affected Products
 
CradlePoint recommends immediately upgrading products to the upcoming firmware versions (available 4/14/14) in order to mitigate this vulnerability. The following are affected products (with firmware versions 4.2.0 and later): 

  • AER 2100
  • ARC MBR1400
  • MBR1400
  • MBR1200B
  • ARC CBA750B
  • CBA750B
  • COR IBR600
  • COR IBR650
  • CBR400
  • CBR450
  • MBR95 

WAN INTERFACES
 
On WAN interfaces routers were only exposed to risk under the following conditions:
1) Remote access is enabled (setting disabled by default)
2) AND remote administration access control is not enabled (setting disabled by default).
 
LAN INTERFACES
 
On LAN interfaces routers were only exposed under the following conditions:
If the network allows Admin Access, which is the default for the Primary LAN. Guest LAN default settings do not allow Admin Access and are not exposed to this vulnerability. Admin Access can be checked using the Network Settings / WiFi / Local Networks tab, listed for each network in the “Access Control” section. 

PLEASE NOTE: Product firmware is still affected by this bug and CradlePoint recommends firmware upgrades for all affected products.

Products Not Affected
  • CBA750 (prior version to CBA750B)
  • CTR35
  • CTR250
  • CTR350
  • CTR500
  • CX111 (Juniper)
  • MBR90
  • MBR800
  • MBR900
  • MBR1000
  • MBR1100
  • MBR1200 (prior version to CBA1200B)
  • PHS300
  • PHS2000W 

Firmware Patch Available 4/14/2014
  • 5.1.1 – AER 2100, ARC MBR1400, MBR1400, MBR1200B, ARC CBA750B, CBA750B, COR IBR600, COR IBR650
  • 5.0.4 – MBR95 

Download the latest firmware (new versions available 4/14/14).

Sierra Wireless Statement:  
 
This bulletin provides information about the impact of CVE-2014-0160 on AirLink gateways.
 
AirLink gateways running ALEOS are not affected by the issue described in CVE-2014-0160, known as 'Heartbleed'.

Update: You can use this website to check any server to see if it was impacted by Heartbleed - http://filippo.io/Heartbleed/
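As a local counterpart to the server check above, here is an added example (not part of the original post, and not code from any of the vendors quoted) that triages `openssl version` banners against the fixed release 1.0.1g named in the Cradlepoint statement. The hostnames and banners are constructed sample data.

```python
import re

# Heartbleed (CVE-2014-0160) affects OpenSSL 1.0.1 through 1.0.1f and the
# 1.0.2-beta1 pre-release. 1.0.1g (the version the Cradlepoint statement
# adopts) and the 1.0.0 / 0.9.8 branches do not contain the bug.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(-beta\d+)?", re.I)

def parse_openssl_version(banner):
    """Return (major, minor, fix, letter, beta) from an `openssl version` banner, or None."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix, letter, beta = m.groups()
    return int(major), int(minor), int(fix), letter, beta

def is_heartbleed_vulnerable(banner):
    """True if the version string alone indicates a Heartbleed-affected build.

    Caveat: distributions often backport the fix without changing the letter
    (the banner still says 1.0.1e), so True means "verify this host", not
    "confirmed vulnerable"; the server-side check linked above is authoritative.
    """
    parsed = parse_openssl_version(banner)
    if parsed is None:
        raise ValueError("unrecognised OpenSSL version banner: %r" % banner)
    major, minor, fix, letter, beta = parsed
    if (major, minor, fix) == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f are affected; 1.0.1g and later are fixed
        return letter < "g"
    if (major, minor, fix) == (1, 0, 2):
        # only the 1.0.2-beta1 pre-release shipped the bug; beta2 carried the fix
        return beta == "-beta1"
    return False

def triage(inventory):
    """Split (host, banner) pairs into hosts needing attention and hosts in the clear."""
    affected, clear = [], []
    for host, banner in inventory:
        (affected if is_heartbleed_vulnerable(banner) else clear).append(host)
    return affected, clear

# Constructed sample inventory (hypothetical hosts); banners mimic `openssl version` output.
SAMPLE_INVENTORY = [
    ("web-1", "OpenSSL 1.0.1e 11 Feb 2013"),
    ("web-2", "OpenSSL 1.0.1g 7 Apr 2014"),
    ("vpn-1", "OpenSSL 1.0.0l 6 Jan 2014"),
    ("lb-1", "OpenSSL 0.9.8y 5 Feb 2013"),
    ("dev-1", "OpenSSL 1.0.2-beta1 24 Feb 2014"),
]

if __name__ == "__main__":
    needs_attention, in_the_clear = triage(SAMPLE_INVENTORY)
    print("verify/upgrade:", needs_attention)
    print("unaffected by version:", in_the_clear)
```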