Heartbleed Potentially Affects All Security Products, Not Just Websites
April 14, 2014
By Brian Monkman, Network Security Programs Manager

Unless you have been off the grid for the last few days you have undoubtedly heard about the OpenSSL vulnerability known as the Heartbleed (http://heartbleed.com) bug.  Heartbleed is a vulnerability that allows "anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software."

Why is this important? The vulnerability can easily expose the private keys used to encrypt traffic, and it also puts user IDs and passwords at risk of being read. For cybercriminals, this vulnerability is relatively easy to exploit.

While much of the focus has been on the hundreds of thousands of websites that could be vulnerable, what you don't hear much about is the potential vulnerability of the products that keep networks secure.

To put this into perspective, ANY product that uses OpenSSL or one of its variants to create a secure connection is potentially at risk. This could mean, for example, that a network firewall with an outward-facing administrative interface served over HTTPS may be vulnerable, or that a Web Application Firewall with SSL termination functionality may also be vulnerable.

ICSA Labs takes Heartbleed very seriously. Our certification criteria require that all ICSA Labs certified products not be vulnerable to the evolving set of threats known in the Internet community, or the product faces decertification. This means network security product vendors are responsible for keeping their products updated as the threat landscape changes in order to maintain their certification.

ICSA Labs has notified all its vendors in its network security programs that it will be testing the certified versions of their in-market products to determine whether or not their products are currently vulnerable to Heartbleed. Even vendors who assert their products are not vulnerable will be tested. Our mantra is TRUST BUT VERIFY.

Network security products can rely on ICSA Labs to promptly identify, inform and address security vulnerabilities, such as Heartbleed, and end users can rest assured that ICSA Labs certified products underwent the rigor necessary to attain their certification.
