SAN FRANCISCO - The Heartbleed Web-security flaw has been found in the hardware connecting homes and businesses to the Internet, underscoring the amount of time and effort that will be needed to defuse the threat.
Cisco Systems and Juniper Networks said some of their networking products are susceptible to the encryption bug, which was recently discovered by researchers at Google and prompted companies and government agencies to seek fixes to block hackers from gaining access to user names, passwords and other sensitive information.
The Heartbleed warnings come at a time of mounting concern about the security of information following consumer-data breaches at Target and Neiman Marcus and the National Security Agency spying scandal.
While online security experts urged consumers to change their passwords as soon as possible, fixing networking equipment and software will take longer, because Cisco and Juniper have to rely on customers to apply the patches the companies push out, according to Jaime Blasco, director of AlienVault Labs, part of AlienVault LLC.
“It’s more painful to update these kinds of devices,” Blasco said. “You have to go one by one.”
The vulnerability affects several of the routers, switches and security firewalls sold by Cisco and Juniper, the two manufacturers said in statements Thursday.
Heartbleed is a bug in OpenSSL, an open-source encryption library used by the server software behind as many as two-thirds of all active websites. It is an implementation error rather than a design flaw: the library's handling of the TLS heartbeat extension failed to check a length field supplied by the other side, so a remote client could read up to 64 kilobytes of the server's memory with each request. Many large consumer sites aren't vulnerable because they use specialized encryption equipment and software rather than OpenSSL, according to Google's researchers.
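To make concrete what a bug in OpenSSL's heartbeat handling means, the following C model is an added illustration; it is not text from this article and not OpenSSL's own code. It mirrors the shape of the flaw: a heartbeat request carries a two-byte payload length, and the unpatched code copied that many bytes back to the sender without comparing the claimed length with the record it had actually received. The arena buffer, the SECRET string, the three-byte sample payload and the function names are constructed for this example; the fixed handler applies the bounds check the patch introduced, restated in the model's terms.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* minimum padding required by RFC 6520 */

/* Simulated process memory (constructed for this example): the received
 * heartbeat record sits at the start, and data that merely happens to be
 * adjacent follows it, standing in for the keys and passwords Heartbleed
 * leaked. The arena is oversized so the modelled over-read stays inside
 * memory this program owns. */
static uint8_t arena[128];
static const char SECRET[] = "SESSION=abc123;PASSWORD=hunter2";

/* Build a heartbeat request with a 3-byte real payload but an
 * attacker-chosen payload length field. Returns the record's true length. */
static size_t build_request(uint16_t claimed_len) {
    const uint8_t real_payload[3] = {'h', 'i', '!'};
    size_t rec_len = 1 + 2 + sizeof real_payload + HB_PADDING;
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(claimed_len >> 8);
    arena[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(arena + 3, real_payload, sizeof real_payload);
    /* padding bytes are already zero; place the "adjacent" secret after the record */
    memcpy(arena + rec_len, SECRET, sizeof SECRET);
    return rec_len;
}

/* Vulnerable handler, modelled on the pre-fix logic: the payload length is
 * taken from the packet and used for the copy without ever being checked
 * against the number of bytes actually received. */
static int heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                                uint8_t *out, size_t out_cap) {
    (void)rec_len;                                   /* the bug: never consulted */
    const uint8_t *p = rec;
    uint8_t hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (hbtype != HB_REQUEST || out_cap < (size_t)3 + payload) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + 3, p, payload);                     /* reads past the record */
    return 3 + payload;
}

/* Fixed handler: the record must hold at least the header plus padding, and
 * the claimed payload must fit inside what was received; otherwise drop it. */
static int heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                           uint8_t *out, size_t out_cap) {
    if (rec_len < 1 + 2 + HB_PADDING) return -1;
    const uint8_t *p = rec;
    uint8_t hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len) return -1;
    if (hbtype != HB_REQUEST || out_cap < (size_t)3 + payload) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + 3, p, payload);
    return 3 + payload;
}

/* Byte search that tolerates embedded zeros (the padding is all zeros). */
static int contains(const uint8_t *hay, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* Does the echoed payload carry bytes from the adjacent secret? */
static int response_leaks_secret(const uint8_t *resp, int resp_len) {
    if (resp_len <= 3) return 0;
    return contains(resp + 3, (size_t)resp_len - 3, "PASSWORD");
}

/* Send one request with the given claimed length through either handler.
 * The size guard keeps this model memory-safe; real OpenSSL had no such fence. */
static int probe(uint16_t claimed, int use_fixed, uint8_t *resp, size_t cap) {
    if ((size_t)3 + claimed > sizeof arena) return -1;
    size_t rec_len = build_request(claimed);
    return use_fixed ? heartbeat_fixed(arena, rec_len, resp, cap)
                     : heartbeat_vulnerable(arena, rec_len, resp, cap);
}

int main(void) {
    uint8_t resp[128];
    int n = probe(60, 0, resp, sizeof resp);
    printf("vulnerable: %d bytes returned, secret leaked: %s\n",
           n, response_leaks_secret(resp, n) ? "yes" : "no");
    n = probe(60, 1, resp, sizeof resp);
    printf("fixed: request %s\n", n < 0 ? "dropped" : "answered");
    return 0;
}
```

With a claimed length of 60 against a record holding three real payload bytes, the vulnerable handler returns 63 bytes, and the echoed data includes the neighbouring PASSWORD string; the fixed handler drops the same request, while a well-formed request with a claimed length of 3 is answered by both. The arena is deliberately larger than any claimed length the program accepts, which is the only reason the modelled over-read is safe here; in the real library the claimed length could be 64 kilobytes and the reply contained whatever happened to sit after the record.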
Cisco said it would tell customers when software patches for its affected products are available.
“We take the management of security vulnerabilities very seriously,” the company said in a statement. “We encourage our customers to visit our website for ongoing updates.”
Juniper said it issued a patch earlier this week for its most exposed products, those that provide virtual private network, or VPN, technology. VPN gateways give remote users an encrypted connection into corporate networks, and SSL VPNs terminate those connections with the same library, which is why they were the first priority.
“A subset of Juniper’s products were affected including certain versions of our SSL VPN software, which presents the most critical concern for customers,” Juniper said in an emailed statement. “The company issued a patch for its SSL VPN product on Tuesday and is working around the clock to provide patched versions of code for our other affected products.”
Banks and other financial institutions should also take steps to patch their computer systems as soon as possible to prevent attacks that exploit the vulnerability, U.S. agencies said.
The Federal Financial Institutions Examination Council, made up of representatives from the Federal Reserve Board of Governors, the Consumer Financial Protection Bureau and other regulators, said systems running affected versions of OpenSSL, a widely used encryption library, are at risk of being hacked.
“The vulnerability could allow an attacker to potentially access a server’s private cryptographic keys compromising the security of the server and its users,” the council said in a statement Thursday. “Attackers could potentially impersonate bank services or users, steal login credentials, access sensitive email, or gain access to internal networks.”
JPMorgan Chase, the largest U.S. bank, doesn’t use the vulnerable software, and user information hasn’t been exposed, the New York-based company said in a statement this week. Tests on the home pages of other large technology, e-commerce and banking companies including Microsoft, Amazon.com and Bank of America indicated they weren’t vulnerable.
Beyond banks, the vast majority of large institutions whose networks were susceptible have applied the fix, according to Robert Hansen, a specialist in Web application security who is vice president of the advanced technologies group of WhiteHat Security. Applying the patch stops further leakage but does not undo any that happened before it: a server whose private key may have been read also needs a new key and certificate, and passwords changed on a site that is still unpatched can be exposed again.