
Heartbleed: What You Need To Know

Summary

Heartbleed is a serious vulnerability that can allow attackers to intercept secure communications. Email, websites, VPNs, and other trusted security technologies are at risk: passwords and encryption keys can be breached. You most likely have something that is affected.

What to do

  1. Update anything using OpenSSL; see below for more information.
  2. Check to see if you are vulnerable. (Adrian Hayter, a consultant with CNS Hut3, has published a proof of concept showing that many of the testing tools have bugs themselves.)
    1. Check your public-facing websites for the vulnerability. Use one of these tools: SSLLabs*
    2. Check internet-facing equipment to see if it uses OpenSSL. This can include firewalls, VPNs, mail servers or any service that uses TLS; in short, anything that uses SSL.
  3. Apply vendor patches. Here is a good list of vendor notifications for fixes. Here is a list of file transfer applications and their status.
  4. Update IPS/IDS devices with signatures to detect the vulnerability.

UPDATE 4/11/2014: Vulnerable devices do not have to be using SSL actively. We have confirmed that a Windows Server running IIS and a file-sharing application over port 21/FTP is vulnerable even though it is not using an SSL certificate.

These last two steps are not easy, but they are recommended: it is that serious.

  1. Once you have updated a website, revoke the SSL certificates of any sites that were vulnerable and reissue them. Remember that any site sharing an SSL certificate with a vulnerable site is also affected, even if that site itself was not vulnerable.
  2. Issue password resets for network users, and notify users to reset their personal passwords for affected sites. Here is a good list of sites that are affected: Sites affected by Heartbleed

*These tools can give false negatives. This means that if a tool says a site is vulnerable, it is; but if it says the site is not vulnerable, it could still be, so don’t rely only on these tools to test.
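As an added illustration of the check an IPS/IDS signature for step 4 has to make (example code written for this page, not from the original post or from OpenSSL): it parses TLS records and flags any heartbeat record whose declared payload length cannot fit inside the record, which is the same bound the OpenSSL fix enforces. The sample records below are constructed for the example.

```python
import struct

HEARTBEAT_CONTENT_TYPE = 0x18   # TLS record content type for the Heartbeat extension (RFC 6520)
HEARTBEAT_PADDING_MIN = 16      # RFC 6520 requires at least 16 bytes of random padding


def inspect_tls_record(record: bytes) -> dict:
    """Parse one TLS record and report whether it is a heartbeat whose declared
    payload_length is larger than the data the record actually carries."""
    if len(record) < 5:
        return {"verdict": "truncated"}
    content_type, version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != HEARTBEAT_CONTENT_TYPE:
        return {"verdict": "not_heartbeat", "content_type": content_type}
    body = record[5:5 + rec_len]
    if len(body) < rec_len or rec_len < 3:
        return {"verdict": "truncated"}
    hb_type = body[0]                                   # 1 = request, 2 = response
    payload_len = struct.unpack("!H", body[1:3])[0]
    # Same bound the OpenSSL fix enforces: type + length + payload + minimum padding
    # must fit inside the record. A declared length that does not fit is the
    # condition that makes a vulnerable server leak memory in its response.
    malformed = 1 + 2 + payload_len + HEARTBEAT_PADDING_MIN > rec_len
    return {
        "verdict": "malformed_heartbeat" if malformed else "heartbeat_ok",
        "hb_type": hb_type,
        "payload_length": payload_len,
        "record_length": rec_len,
    }


def scan_stream(data: bytes) -> list:
    """Walk a stream of concatenated TLS records and return one verdict per record."""
    results, offset = [], 0
    while offset + 5 <= len(data):
        rec_len = struct.unpack("!H", data[offset + 3:offset + 5])[0]
        results.append(inspect_tls_record(data[offset:offset + 5 + rec_len]))
        offset += 5 + rec_len
    return results


# Constructed sample records (TLS 1.1 version bytes 0x0302):
# a well-formed heartbeat request: 4-byte payload "ping" plus 16 bytes of padding.
BENIGN_HEARTBEAT = b"\x18\x03\x02\x00\x17" + b"\x01\x00\x04ping" + b"\x00" * 16
# a heartbeat request declaring a 16384-byte payload while the record holds only padding.
MALFORMED_HEARTBEAT = b"\x18\x03\x02\x00\x13" + b"\x01\x40\x00" + b"\x00" * 16
# an ordinary application-data record, which the check must ignore.
APP_DATA = b"\x17\x03\x02\x00\x05hello"

if __name__ == "__main__":
    for r in scan_stream(APP_DATA + BENIGN_HEARTBEAT + MALFORMED_HEARTBEAT):
        print(r)
```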

More information:

What is heartbleed?

First, it is very serious and this is something everyone in IT needs to familiarize themselves with. This graphic gives a very simple explanation of the bug. Heartbleed is a vulnerability found in OpenSSL. OpenSSL is an open-source, commercial-grade toolkit that implements SSL v2/v3 and TLS v1. This means that websites using SSL, VPNs and TLS services that utilize OpenSSL could be vulnerable. For a comprehensive overview, Troy Hunt has a really good blog post. There is also a variant, ‘reverse’ Heartbleed, that can affect client infrastructure as well.

What’s the big deal?

Heartbleed allows an attacker to view information stored in the memory of a vulnerable web server. This could include usernames, passwords, private keys or more.

What can this affect?

This can affect the obvious: HTTPS, VPN and TLS services that run on websites, routers, firewalls and email servers, as well as the certificates that protect those servers. The scary part is that it can also affect services such as IMAP, POP, FTP, SFTP, SSH and more. Not only do some of these services use certificates, the servers that support them can also run OpenSSL, which makes them vulnerable.