OpenSSL "heartbleed" Vulnerability
Products Supported: All Products. Click here to identify your router.
Firmware Version: Variable depending on product, see below for patched versions - for information on upgrading firmware, click here.
In response to the critical security vulnerability discovered in the OpenSSL cryptography software library (CVE-2014-0160), nicknamed “Heartbleed,” Cradlepoint has taken steps to incorporate the OpenSSL version 1.0.1g into its latest firmware and Enterprise Cloud Manager. If exploited, this vulnerability could allow attackers to monitor all information passed between a user and a web service or decrypt past traffic they’ve collected. More details can be found here: http://heartbleed.com.
Cradlepoint recommends immediately upgrading products to the latest firmware versions in order to mitigate this vulnerability. The following are affected products:
- AER 2100
- ARC MBR1400
- ARC CBA750B
- COR IBR600
- COR IBR650
PLEASE NOTE: On WAN interfaces, routers were only exposed to risk under the following conditions:
1. Remote access is enabled (setting disabled by default)
2. AND remote administration access control is not enabled (setting disabled by default).
On LAN interfaces, routers were only exposed under the following conditions:
If the network allows Admin Access, which is the default for the Primary LAN. Guest LAN default settings do not allow Admin Access and are not exposed to this vulnerability. Admin Access can be checked using the Network Settings / WiFi / Local Networks tab, listed for each network in the “Access Control” section.
Product firmware prior to patch release is still affected, regardless of mitigation steps, by this bug and Cradlepoint recommends firmware upgrades for all affected products.
The AER3100, COR IBR1100, COR IBR1150, COR IBR350 and ARC CBA850 *are not* affected, as they were released after the applicable firmware update and consequently with patched firmware versions factory-loaded.
Products Not Affected
- CBA750 (prior version to CBA750B)
- CX111 (Juniper)
- MBR1200 (prior version to MBR1200B)
- Rover Puck
Oldest Firmware with Heartbleed Patch
Firmware versions listed below were the first to have the heartbleed fix.
- 5.1.1 - AER 2100, ARC MBR1400, MBR1400, MBR1200B, ARC CBA750B, CBA750B, COR IBR600, COR IBR650
- 5.0.4 - MBR95
- 4.3.3 – CBR400, CBR450
Download the latest firmware
Cradlepoint Cloud Management & Mitigation
- Cradlepoint Enterprise Cloud Manager stream servers were patched on April 9, 2014.
- Enterprise Cloud Manager web servers were not affected, so usernames and passwords are not at risk.
- WiPipe Central was not affected.
In conjunction with the release of new firmware on April 14, 2014, Cradlepoint will reissue new certificates in Enterprise Cloud Manager to invalidate private keys that could be used to decrypt data for malicious purposes. Users should upgrade firmware and follow the appropriate steps documented below.
Published Date: 10/5/2015
This article not have what you need? Not find what you were looking for? Think this article can be improved? Please let us know at firstname.lastname@example.org.