Heartbleed Bug Infects Some Cisco and Juniper Products


This story has been updated with a comment from Limestone Networks.

Some products from Cisco Systems and Juniper Networks contain the Heartbleed bug, the companies announced Thursday. Networking and other equipment that uses OpenSSL, including routers, switches and firewalls, may contain the defective code, exposing businesses that use it to risks of infiltration and data theft.

A customer advisory released by Cisco on Wednesday and continually updated through Friday morning said that 65 products are being investigated for vulnerability, 16 are confirmed vulnerable, and 2 services had been vulnerable but “have been remediated.”

Cisco is the largest vendor of routers and switches in the world. It is offering security software to customers to detect “Heartbleed” exploits, and promises free software patches when they are developed.

Juniper issued patches for some versions of its VPN software on Tuesday, according to the Wall Street Journal, and is working on patches for other products.

Juniper provides products and services to numerous companies in hosting and related industries, including Cloud Dynamics, DreamHost, and Black Lotus.

Limestone Networks launched an IaaS offering in late March making use of Juniper switches and Cisco routers.

“We take the security of our network and clients' data seriously. We took steps on Wednesday, April 9, 2014, to ensure all of our infrastructure was patched against the Heartbleed bug. The specific Cisco and Juniper products mentioned in their advisories are not currently deployed on our network. We make use of access lists and other firewall products to secure our network,” Ryan Gelobter, IT Manager, Limestone Networks, Inc. said in an email to the WHIR.

“The upgrade path is going to involve a trash can, a credit card, and a trip to Best Buy,” cybersecurity researcher and cryptographer Bruce Schneier quipped to the Wall Street Journal.

According to the WSJ, users are less likely to check the affected devices, and if the bug is found the devices are more difficult to fix than other uses of the encryption software. Cisco says the vulnerability potentially allows a remote attacker to retrieve memory in 64k chunks.

While the “Heartbleed” bug has gripped the media with reports of government website shutdowns and vulnerability lists, service providers continue to work through necessary upgrades, fixes, and workarounds.


One Comment

  1. It's just an OpenSSL bug (a flaw in the software), can't infect anything and the routers are not "infected"... Yes, can be exploited to gain sensitive information, but that's all.