Just think of all those landfill firewall routers and modems out there...
My WRT54G just ran into the lead pipe in the Library.
The advent of the Heartbleed OpenSSL vulnerability has enterprise software development teams scrambling to figure out if they have a problem, and the news is not always good. Vulture South has ploughed through the recently updated list of the world's top 10 software vendors. Here's how each fares. Microsoft is chilling out …
Shame, there are plenty of good open source OSes you could run a 54G that would be just fine.
Also: why would you care if your router has an SSL vulnerability? Are you insane enough to leave its management port open to the WAN? Why the fnord would you do that? Get a real OS on the damned thing, then you can VPN in to your home network for administrative tasks instead of leaving the henhouse tied up with a piece of string and a blinking neon sign visible from space advertising said fact to the local wolves.
I'm with Trevor - the WRT54G is pretty much the poster child of alternative firmware!
Hell - the two most popular lines of alternate firmware - DD-WRT and OpenWRT were originally developed for that device, hence the names!
Well, unless of course you have that one bastard model where Linksys skimped on flash memory.
While Trevor proposes a valid solution for managing your router remotely without leaving it open on the WAN, I have to wonder why anyone really needs to manage a home router remotely anyway. I mean, there's not much you can usefully accomplish by being able to remotely administer your home router by itself.
If you're already remote controlling your PC then you've also already got access to your router. If you don't have remote access to your PC, what's so important on the router that you need to control remotely?
A corporate router is a different matter but a home one?
Sorry - just thinking out loud . . .
@Trevor_Pot - you said, "Are you insane enough to leave its management port open to the WAN?"
What about when you access your router on the LAN side? I use SSL to do that too - there could be MITM malware on one of the computers in the LAN. I always assume compromise everywhere.
Perhaps issued in a rush (and understandably so!), this article is not of the usual quality found here - full of typos and Citrix is mentioned twice as being in trouble when the linked article says only one of the nine products is affected. The affected product needs sorting, sure, but it's not as bad as the article makes out...
The point it makes is that you have to test ALL your products for Heartbleed. Whilst the media focus and IT has been primarily focused on the Internet facing applications, there are far more than this. Most vendors use encryption to transfer data - anti-virus, monitoring agents, backup products - you name it, it's probably got OpenSSL in it.
You need to get hold of publicly available scripts - prove to yourselves that they are giving good results (no false positives/negatives) and then scan the products in your estate, not just those web servers listening on 443.
This problem is much bigger than you think it is.
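An inventory pass that complements the live testing described in the comment above, as an added example that is not part of the original thread or any vendor's tooling: it walks an install tree and flags files that embed an OpenSSL version banner in the Heartbleed-affected range. The range used (1.0.1 through 1.0.1f, and the 1.0.2 betas before beta2) comes from the OpenSSL advisory rather than from this thread, and the function names and sample files are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Banner embedded in libssl/libcrypto and in binaries that link OpenSSL
# statically, e.g. b"OpenSSL 1.0.1e 11 Feb 2013" (also matches "-fips" builds).
BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+)([a-z]*)(-beta\d*)?")

def in_heartbleed_range(version, letter, beta):
    """True for upstream releases in the Heartbleed-affected range."""
    if version == "1.0.1":
        return letter < "g"  # 1.0.1 through 1.0.1f; 1.0.1g is the fix
    if version == "1.0.2":
        return beta in ("-beta", "-beta1")  # fixed in 1.0.2-beta2
    return False  # 0.9.8, 1.0.0 and newer lines never had the bug

def find_openssl(data):
    """Return sorted (banner_version, verdict) pairs found in a byte string."""
    hits = set()
    for m in BANNER.finditer(data):
        version, letter, beta = (g.decode() if g else "" for g in m.groups())
        bad = in_heartbleed_range(version, letter, beta)
        hits.add((version + letter + beta, "affected-range" if bad else "outside-range"))
    return sorted(hits)

def scan_tree(root):
    """Scan every regular file under root; map relative path -> findings."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        found = find_openssl(path.read_bytes()) if path.is_file() else []
        if found:
            report[path.relative_to(root).as_posix()] = found
    return report

def demo():
    """Scan a constructed install tree (sample bytes, not real vendor files)."""
    samples = {
        "agent/lib/libssl.so": b"\x7fELF\x00OpenSSL 1.0.1e 11 Feb 2013\x00",
        "backup/bin/client": b"MZ\x00OpenSSL 0.9.8y 5 Feb 2013\x00",
        "monitor/ssleay32.dll": b"MZ\x00OpenSSL 1.0.1g 7 Apr 2014\x00",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, blob in samples.items():
            Path(root, name).parent.mkdir(parents=True, exist_ok=True)
            Path(root, name).write_bytes(blob)
        return scan_tree(root)

if __name__ == "__main__":
    for name, found in demo().items():
        print(name, found)
```

A banner match cannot see a vendor-backported fix or a build compiled with `-DOPENSSL_NO_HEARTBEATS`, so treat "affected-range" as the list of products to put through the live test, not as a final verdict.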
I tried the EMC link, and after logging with my EMC Support account I can read the KB article.
Basically, only a few products are affected. Mainly Syncplicity and Powerpath (??), as well as some beta versions of Avamar ADS and DD Boost. I was worried about ESRS Remote Support Gateway, but that doesn't use a vulnerable version of OpenSSL, so I can relax a bit, and enjoy a pint this evening.
HP SIM is affected
HP Systems Insight Manager product and HP SIM agents deployed on end-point servers are vulnerable - and there is no fix from HP.
Testing, using proven, publicly available scripts to test for Heartbleed, has shown this product and the agents to be vulnerable. There are no HP SIM products currently available from HP that don't have this bug.
Regressing to a previous down-level version of SIM does not help, as this would re-introduce other known vulnerabilities (unrelated to OpenSSL).
It may be possible on Linux to re-direct the binaries that HP ship with SIM to a non-vulnerable version of OpenSSL. HP SIM on Windows is proving more of a challenge....
The response from HP on this has been extremely poor - no acknowledgement of the issue, and no available fix.
http://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c04239413
Still no fixes, but at least the list of apps are affected.
Something I have been reminding my customers is that most of the Management software should be internal only anyway, and if their network is compromised to the point of letting someone attack their blade chassis or SMH, Heartbleed is not their top priority.