
Leave no stone un-turned when patching Heartbleed

Most people are now up to speed on the existence of Heartbleed, but new information is coming out showing that attention so far has focused only on server-side exploitation.  Meldium released a blog post titled Testing for “reverse” Heartbleed.  According to Meldium, “While patching our systems for the recent Heartbleed vulnerability, we found that some sites (including huge web properties), which had patched their servers were still vulnerable to a variant of the attack that we’re calling “reverse heartbleed.”  They have also released a tool to test for this.

What does this mean?

Basically, it means that OpenSSL patching can’t stop at servers and infrastructure devices.  It has to go all the way down to the client level, because any client that speaks TLS with a server it does not control can be sent a malicious heartbeat by that server.  There are many client tools and agents that use TLS for communication.  Meldium provides a list of the types of clients that are vulnerable:

  • Traditional agents such as Dropbox or Office
  • Social networks such as Facebook, which fetch URLs of certain types and perform actions on them
  • File sharing apps, or anything that allows a user to upload an image from a URL
  • Web spiders like Googlebot
  • API consumers that allow integrations across websites
  • Identity federation protocols such as OpenID
  • Webhooks, which allow a user to register interest in a certain event and receive a callback when it happens

This particular vulnerability does appear to be harder to exploit than the original Heartbleed, since the attacker must first get a vulnerable client to connect to a server they control.

What should you do?

The steps for remediation are the same as the original attack.  We have them outlined in our post Heartbleed: What you need to know.


The Heartbleed Bug

The Heartbleed Bug is a recently discovered critical vulnerability in OpenSSL, the widely used open-source implementation of the SSL/TLS protocols.  SSL/TLS is used to provide security and privacy in many internet applications such as email, instant messaging, VPN, and secure web pages.

The vulnerability is the result of an implementation problem (a programming mistake) in OpenSSL, which has left a large amount of private data exposed to the internet.  Most people are likely to be directly or indirectly affected by this bug, because OpenSSL is the most popular cryptographic and transport layer security library currently in use on the Internet.

OpenSSL 1.0.1 through 1.0.1f are vulnerable, and exploitation of this bug leaves no trace of anything abnormal in logs, making an attack very hard to detect.  The latest version of OpenSSL, 1.0.1g, is not affected, and we recommend upgrading to it as soon as possible.
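As an added example (not from this post, Meldium, or the OpenSSL project), a small Python triage script that applies the 1.0.1 through 1.0.1f range above to `openssl version -a` output collected from servers and from hosts running the TLS clients listed earlier.  The host names and outputs are constructed; the OPENSSL_NO_HEARTBEATS check covers builds that compile the heartbeat extension out, and a version-string match alone cannot confirm a vendor backport, so "vulnerable" means "verify against the vendor advisory".

```python
import re

# Constructed samples in the shape of `openssl version -a` output (not captured from real hosts).
SAMPLES = {
    "web-frontend": "OpenSSL 1.0.1f 6 Jan 2014\nbuilt on: Mon Jan  6 2014\ncompiler: gcc -DOPENSSL_THREADS -O3",
    "build-agent": "OpenSSL 1.0.1g 7 Apr 2014\nbuilt on: Mon Apr  7 2014\ncompiler: gcc -DOPENSSL_THREADS -O3",
    "appliance": "OpenSSL 1.0.1e 11 Feb 2013\nbuilt on: Wed Apr  9 2014\ncompiler: gcc -DOPENSSL_NO_HEARTBEATS -O3",
    "legacy-proxy": "OpenSSL 1.0.0k 5 Feb 2013\ncompiler: gcc -O2",
    "bad-host": "bash: openssl: command not found",
}

# First line of `openssl version`: "OpenSSL <major>.<minor>.<patch><letter>", letter optional.
VERSION_RE = re.compile(r"^OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)", re.M)


def parse_version(output):
    """Return (major, minor, patch, letter) from `openssl version` text, or None if absent."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)


def classify(output):
    """Classify one host as 'vulnerable', 'mitigated', 'not affected' or 'unknown'."""
    ver = parse_version(output)
    if ver is None:
        return "unknown"          # no usable version string; inspect the host by hand
    major, minor, patch, letter = ver
    # Building with OPENSSL_NO_HEARTBEATS removes the heartbeat code entirely,
    # so the version string alone understates such a build's real state.
    if "-DOPENSSL_NO_HEARTBEATS" in output:
        return "mitigated"
    # Affected range from the post: 1.0.1 (no letter) through 1.0.1f inclusive.
    # Distro backports may keep e.g. 1.0.1e while carrying the fix, so treat a
    # hit here as "confirm with the vendor advisory", not as proof of exposure.
    if (major, minor, patch) == (1, 0, 1) and letter <= "f":
        return "vulnerable"
    return "not affected"


def triage(samples):
    """Map each host name to its classification so the result can be sorted for remediation."""
    return {host: classify(out) for host, out in samples.items()}


if __name__ == "__main__":
    for host, state in sorted(triage(SAMPLES).items(), key=lambda kv: kv[1]):
        print(f"{host:14s} {state}")
```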

If you publish any secure services to the internet, you can test whether your services are affected by the Heartbleed bug using one of these sites:  Heartbleed Test or SSL Labs.

More detailed information about the Heartbleed bug can be found here:  Heartbleed Bug and Troy Hunt.

UPDATED:  There are a myriad of websites right now explaining what Heartbleed is and how it works, so I won’t try to reproduce them, and have linked some of them above.  I do want to point out a couple of things.  First, it has been reported that many of the ‘site checkers’ are returning false negatives, so don’t rely solely on the checkers; confirm the installed OpenSSL version and patch level on each host as well.

Second, there are two sites that I have found useful for seeing who is vulnerable:  Mashable lists many of the common websites for general users, and this post on GitHub scanned the Alexa top 10,000 sites.