Buffalo Technology NAS products unaffected by ‘Heartbleed’ bug
April 2014 – Buffalo Technology, one of the world’s leading manufacturers of NAS, Wireless and Multimedia systems, announced today that all products running on Buffalo firmware are safe from the ‘Heartbleed’ bug. Buffalo’s LinkStation and TeraStation NAS products are completely unaffected by the bug. The same applies to all current Buffalo AirStation Router models and all routers working with Buffalo Technology firmware. For three old Buffalo routers running on DD-WRT firmware, the settings should be checked to see if they could be at risk.
The ‘Heartbleed’ bug in OpenSSL versions 1.0.1 through 1.0.1f (inclusive) can expose passwords and user credentials from various systems and websites. Buffalo Technology confirms its Network Attached Storage (NAS) customers are completely safe from the Heartbleed bug. Klaas de Vos, COO, Buffalo Europe states: “Our Japanese software engineers are extremely conservative regarding security aspects. When the new ‘heart beat’ extension was launched for OpenSSL they decided not to use it. This turned out to be a good choice.” Helge Lichner, Sales Engineer Buffalo Europe: “From a technical point of view, it did not make sense to use the extended OpenSSL version because our products do not focus on web server services. So instead we kept the tested, stable, and very secure OpenSSL versions in our OS for LinkStation, TeraStation and AirStation.”
The company also confirms that all current ‘AirStation’ router models and all older models running on Buffalo firmware are safe. However, users who run DD-WRT firmware on the AirStation WZR-HP-G300NH2, WZR-HP-G450H or WZR-HP-AG300H and don’t use the standard settings may potentially be at risk. If you have manually activated ‘OpenVPN’, please check out this page for updates: http://www.dd-wrt.com/site/content/heartbleed-dd-wrtdd-wrt-online-services. All three models are End of Life and no longer sold. DD-WRT is working on a patch for them, but asks users not to panic. Peter Steinhäuser, Managing Director at NewMedia-NET GmbH: “OpenSSL was updated immediately in the DD-WRT SVN repository. Within the next few days we will provide updated versions for all routers including the Buffalo specific versions. Concerned users should check first if their setup is really affected by Heartbleed - by default no service employing OpenSSL is active in DD-WRT.”
Heartbleed is a bug named after the ‘heartbeat’ extension in the TLS/SSL protocol. The heartbeat extension keeps an SSL connection alive. For servers this makes sense because re-establishing a connection requires more system resources than checking the connection and cutting it only if the client no longer answers. The intention was to improve the performance of servers and save resources. However, this extension has a design flaw, hence the name ‘Heartbleed.’ If an OpenSSL version that utilises this particular extension is installed, the system is potentially vulnerable. The extension was released back in 2012, so it is used by many parties, and SSL was vulnerable until April 2014 for users employing the versions based on the standard. For more information see here: http://www.infoq.com/news/2014/04/heartbleed-ssl