New
#1
Ummm ... Are generic modem-routers affected too? Because, that's what I use to connect the whole home network with!
SourceThe Heartbleed Internet security bug is shaping up to be worse than researchers first realized, possibly compromising routers and other networking infrastructure for a variety of companies.
Cisco, one of the world’s top networking equipment manufacturers, confirmed Thursday that it’s investigating dozens of its routers and video teleconferencing devices and software for the Heartbleed vulnerability. Juniper Networks, another top networking company, has also alerted clients some of its equipment has been compromised by Heartbleed. A message posted to Juniper’s service website Friday said many of its systems would be offline through Saturday while the company performs maintenance.
A Guy
Ummm ... Are generic modem-routers affected too? Because, that's what I use to connect the whole home network with!
It's mostly enterprise routers it seems. Juniper and Cisco have lists
The Heartbleed bug is affecting routers, too
Heartbleed bug affects gadgets everywhere - Apr. 11, 2014
Heartbleed Bug Is Also Affecting RoutersLinksys posted a bulletin on their website stating: ” We are aware of the Heartbleed OpenSSL vulnerability, however after thorough testing of our product lines, we can confirm that our routers are not impacted. Linksys routers do use OpenSSL, however our product line uses another version that is not impacted by this vulnerability.”
A Guy
What about us normal residential users? Does it say its affecting those types of routers as well?
As I posted above, those 3 manuf. are only ones listing so far. Most of those are enterprise. Doesn't mean our home devices are secure. A Guy
The vulnerable version of OpenSSL was released about two years ego. Provided your router's firmware is older than two years and had not been updated, your router is not vulnerable to this bug. Regardless what the manufacturer/OEM might be...
Activating stealth mode for the router's external interface, a.k.a. block any request initiated from the outside to this interface, would be one of the mitigating measures that you can take if the router is vulnerable to this bug. At least until the updated firmware is available.
I got the same eMail, was going to post it, as you did... about the same time you did, but after some research, I decided just to delete the msg.
If you roll over the links in the eMail, they all point to response.nortonfromsymantec.com - this concerned me. The other fishy thing was the domain checking (bad) in the msg header.
It took about an hour to fins that nortonfromsymantec.com is a URL Norton uses to market their product.
Norton support: Is this email that I received from Norton legitimate?
Lots of the same questions over on the norton boards : E-mail from Norton about Heartbleed legitimate? - Norton Community
Bugged the hell out of me since I can't recall the last time I used Norton or gave them my eMail address.
Now the logical thing to do would be to unsubscribe from Norton Marketing.... tried one time, but it requires a login - beats me what I used way back when. There are other means to unsubscribe (postMail, POTS, eMail, online contact).....the privacy policy is very looooong
Privacy | Symantec
Anyway, thanks for posting this, I'm still not 100% certain that it is legit.
Best practice - trash anything that smells funny and then take out the trash.
Bill
.
heartbleed.com said:
openSSL.org said:
You can check your home router using the Win7 Telnet client
Directions compliments of Austek (modified to fit your screen)
How to check the OpenSSL version.
1: Enable the telnet in firmware of your router
2: Enable the Telnet client in Win7
*Telnet is disabled by default in Win7. See: Windows 7: Enabling Telnet Client - TechNet Articles
3: Telnet into router
Elevated command Prompt
Telnet
open 192.168.1.1 (or your router address)
answer the login prompts
Enter the command
openssl version -a4: close
the connection
5: quit
Telent
6: exit
Command Prompt
..........
The router I have returned an error on the openssl version -a command - a not found error I suppose.
More information from Asustek:
The vulnerable OpenSSL libraries are 1.0.1 through 1.0.1 f.
(1) Before last week, Asustek firmware used OpenSSL 1.0.0 b, in two-three weeks the firmware OpenSSL library will upgrade to 1.0.1 g (the g rls is the patched version)
(2) ASUS router use OpenSSL for HTTPS login and smart sync with asuswebsotage
(3) Refer to the Heartbleed Bug, and https://www.openssl.org/news/secadv_20140407.txt
(which is where I found the above info)
1.0.0 branch is NOT vulnerable
(Note: Emphasis and parenthetical notes are mine.)
There's not a whole lot we mere mortals can do about heartbleed.
When the servers and other affected equipment get updated or replaced - change your passwords, BUT don't use the same password everywhere.
Bill
.
Last edited by Slartybart; 19 Apr 2014 at 11:40. Reason: image too big