As with any new vulnerability, its impacts are far-reaching. Infrastructure devices are no different. Most of them do incorporate vulnerable OpenSSL packages.
It's nearly impossible to compile a listing of every vulnerable product [1], since it affects anything that included OpenSSL libraries built with the original OpenSSL TLS heartbeat implementation until the Heartbleed patch was committed to the OpenSSL stable branch; however, we can list the major vendors' products here.
This is a community wiki, feel free to contribute.
Aruba
- ArubaOS 6.3.x, 6.4.x
- ClearPass 6.1.x, 6.2.x, 6.3.x
- Previous versions of these products used an earlier version of OpenSSL that is not vulnerable.
OpenSSL 1.0.1 library (Heartbleed) vulnerability.
Checkpoint Networks
SK 100173 asserts that Checkpoint products are not vulnerable.
Cisco
The following Cisco products are affected by this vulnerability:
- Cisco AnyConnect Secure Mobility Client for iOS [CSCuo17488]
- Cisco Desktop Collaboration Experience DX650
- Cisco Unified 7800 series IP Phones
- Cisco Unified 8961 IP Phone
- Cisco Unified 9951 IP Phone
- Cisco Unified 9971 IP Phone
- Cisco IOS XE [CSCuo19730]
- Cisco Unified Communications Manager (UCM) 10.0
- Cisco Universal Small Cell 5000 Series running V3.4.2.x software
- Cisco Universal Small Cell 7000 Series running V3.4.2.x software
- Small Cell factory recovery root filesystem V2.99.4 or later
- Cisco MS200X Ethernet Access Switch
- Cisco Mobility Service Engine (MSE)
- Cisco TelePresence Video Communication Server (VCS) [CSCuo16472]
- Cisco TelePresence Conductor
- Cisco TelePresence Supervisor MSE 8050
- Cisco TelePresence Server 8710, 7010
- Cisco TelePresence Server on Multiparty Media 310, 320
- Cisco TelePresence Server on Virtual Machine
- Cisco TelePresence ISDN Gateway 8321 and 3201 Series
- Cisco TelePresence Serial Gateway Series
- Cisco TelePresence IP Gateway Series
- Cisco WebEx Meetings Server versions 2.x [CSCuo17528]
- Cisco Security Manager [CSCuo19265]
Cisco Security Advisory - OpenSSL Heartbeat Extension Vulnerability in Multiple Cisco Products
D-Link
As of April 15, 2014 D-Link has no vulnerable products.
Security Incident Response for D-Link Devices and Services
Fortigate
- FortiGate (FortiOS) 5.x
- FortiAuthenticator 3.x
- FortiMail 5.x
- FortiVoice
- FortiRecorder
- FortiADC D-Series models 1500D, 2000D and 4000D
- FortiADC E-Series 3.x
- Coyote Point Equalizer GX / LX 10.x
Information Disclosure Vulnerability in OpenSSL
F5
As of April 10, 2014, the following F5 Products / Releases are known to be vulnerable:
- BigIP LTM Versions 11.5.0 - 11.5.1 (Mgmt Interface, compat SSL ciphers)
- BigIP AAM Versions 11.5.0 - 11.5.1 (Mgmt Interface, compat SSL ciphers)
- BigIP AFM Versions 11.5.0 - 11.5.1 (Mgmt Interface, compat SSL ciphers)
- BigIP Analytics Versions 11.5.0 - 11.5.1 (Mgmt Interface, compat SSL ciphers)
- BigIP APM Versions 11.5.0 - 11.5.1 (Mgmt Interface, compat SSL ciphers)
- BigIP ASM Versions 11.5.0 - 11.5.1 (Mgmt Interface, compat SSL ciphers)
- BigIP GTM Versions 11.5.0 - 11.5.1 (Mgmt Interface, compat SSL ciphers)
- BigIP Link Controller Versions 11.5.0 - 11.5.1 (Mgmt Interface, compat SSL ciphers)
- BigIP PEM Versions 11.5.0 - 11.5.1 (Mgmt Interface, compat SSL ciphers)
- BigIP PSM Versions 11.5.0 - 11.5.1 (Mgmt Interface, compat SSL ciphers)
- BIG-IP Edge Clients for Apple iOS Versions 1.0.5, 2.0.0 - 2.0.1 (VPN)
- BIG-IP Edge Clients for Linux Versions 6035 - 7101 (VPN)
- BIG-IP Edge Clients for Mac OSX Versions 6035 - 7101 (VPN)
- BIG-IP Edge Clients for Windows Versions 6035 - 7101 (VPN)
F5 Networks SOL 15159 OpenSSL Vulnerability CVE-2014-0160
HP
As of April 10:
"We have determined the products we have investigated are not vulnerable due to either using a version of OpenSSL that is not vulnerable or are not using OpenSSL."
HP Networking Communication: OpenSSL HeartBleed Vulnerability
Huawei
As of April 14:
The investigation has been completed and it is confirmed that some Huawei products are affected. Huawei has prepared a fixing plan and started the development and test of fixed versions. Huawei will release an SA as soon as possible. Please stay tuned.
Security Notice-Statement on OpenSSL Heartbeat Extension Vulnerability
Juniper
Vulnerable Products
- Junos OS 13.3R1
- Odyssey client 5.6r5 and later
- SSL VPN (IVEOS) 7.4r1 and later, and SSL VPN (IVEOS) 8.0r1 and later (Fixed code is listed in the "Solution" section)
- UAC 4.4r1 and later, and UAC 5.0r1 and later (Fixed code is listed in the "Solution" section)
- Junos Pulse (Desktop) 5.0r1 and later, and Junos Pulse (Desktop) 4.0r5 and later
- Network Connect (Windows only) version 7.4R5 to 7.4R9.1 & 8.0R1 to 8.0R3.1. (This client is only impacted when used in FIPS mode.)
- Junos Pulse (Mobile) on Android version 4.2R1 and higher.
- Junos Pulse (Mobile) on iOS version 4.2R1 and higher. (This client is only impacted when used in FIPS mode.)
Juniper Knowledge Center - 2014-04 Out of Cycle Security Bulletin: Multiple products affected by OpenSSL "Heartbleed" issue (CVE-2014-0160)
Palo Alto Networks
PAN-OS was not affected by Heartbleed.
Workarounds
Disable resources that utilize SSL, if you can, and rely on SSH, which, as Mike Pennington commented, is not vulnerable.
[1] This listing was taken on 10 April 2014; vendors may still have their products under investigation. This listing is not a vulnerability guideline, and only serves to give the original poster an understanding of the scope of impact on networking equipment.