Buffalo Technology NAS products unaffected by ‘Heartbleed’ bug

Buffalo Technology confirms its NAS systems are unaffected by the Heartbleed bug. However, three old router models should be checked if running on DD-WRT firmware.

April 2014 – Buffalo Technology, one of the world’s leading manufacturers of NAS, Wireless and Multimedia systems, announced today that all products running on Buffalo firmware are safe from the ‘Heartbleed’ bug. Buffalo’s LinkStation and TeraStation NAS products are completely unaffected by the bug. The same applies to all current Buffalo AirStation Router models and all routers working with Buffalo Technology firmware. For three old Buffalo routers running on DD-WRT firmware, the settings should be checked to see if they could be at risk.

The ‘Heartbleed’ bug in OpenSSL versions 1.0.1 through 1.0.1f (inclusive) can expose passwords and user credentials from various systems and websites. Buffalo Technology confirms its Network Attached Storage (NAS) customers are completely safe from the Heartbleed bug. Klaas de Vos, COO, Buffalo Europe states: “Our Japanese software engineers are extremely conservative regarding security aspects. When the new ‘heart beat’ extension was launched for OpenSSL they decided not to use it. This turned out to be a good choice.” Helge Lichner, Sales Engineer Buffalo Europe: “From a technical point of view, it did not make sense to use the extended OpenSSL version because our products do not focus on web server services. So instead we kept the tested, stable, and very secure OpenSSL versions in our OS for LinkStation, TeraStation and AirStation.”

The company also confirms that all current ‘AirStation’ router models and all older models running on Buffalo firmware are safe. However, users who run DD-WRT firmware on the AirStation WZR-HP-G300NH2, WZR-HP-G450H or WZR-HP-AG300H and don’t use the standard settings may potentially be at risk. If you have manually activated ‘OpenVPN’, please check this page for updates: http://www.dd-wrt.com/site/content/heartbleed-dd-wrtdd-wrt-online-services. All three models are End of Life and are no longer sold. DD-WRT is working on a patch for them, but asks users not to panic. Peter Steinhäuser, Managing Director at NewMedia-NET GmbH: “OpenSSL was updated immediately in the DD-WRT SVN repository. Within the next few days we will provide updated versions for all routers including the Buffalo specific versions. Concerned users should check first if their setup is really affected by Heartbleed - by default no service employing OpenSSL is active in DD-WRT.”

About Heartbleed
Heartbleed is a bug named after the ‘heart beat’ extension in the TLS/SSL protocol. The heart beat extension keeps an SSL connection alive. For servers this makes sense, because re-establishing a connection requires more system resources than checking the connection and cutting it only if the client no longer answers. The intention was to improve server performance and save resources. However, this extension has a design flaw, hence the name ‘Heartbleed.’ If an OpenSSL version is installed that utilises this particular extension, the system is potentially vulnerable. The extension was released in 2012, so it is used by many parties, and SSL has been vulnerable until April 2014 for users employing the versions based on the standard. For more information see http://www.infoq.com/news/2014/04/heartbleed-ssl or http://heartbleed.com/
