OpenSSL Vulnerability: Heartbleed Bug | Green House Data Blog
What is Heartbleed?
This vulnerability takes advantage of a memory-handling flaw in the ever-popular OpenSSL software library. The TLS heartbeat extension (RFC 6520) on a vulnerable version of OpenSSL allows an attacker to view up to 64 KB of server memory with each "heartbeat." Thus, a multitude of information can be obtained unnoticed. It is important to note that this flaw is in OpenSSL's implementation of SSL/TLS, not in the TLS protocol itself.
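As an added illustration (not code from the original post or from OpenSSL), the function below parses an RFC 6520 heartbeat request and refuses to echo more bytes than were actually received, which is the check the patched version adds; the function name, the sample requests and the zeroed padding are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* RFC 6520 HeartbeatMessage: type(1) | payload_length(2, big-endian) |
 * payload[payload_length] | padding (at least 16 bytes). */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Build the response to the heartbeat request in rec[0..rec_len) into out.
 * Returns the response length, or -1 for a malformed request. The length
 * check marked FIX is what the vulnerable OpenSSL code lacked: it trusted
 * payload_length and copied that many bytes from the record buffer. */
int handle_heartbeat(const uint8_t *rec, size_t rec_len,
                     uint8_t *out, size_t out_cap)
{
    if (rec_len < 3 + HB_PADDING || rec[0] != HB_REQUEST)
        return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    /* FIX: the claimed payload plus mandatory padding must fit in what we
     * actually received; otherwise the copy below would read past rec. */
    if (3 + payload_len + HB_PADDING > rec_len)
        return -1;

    size_t resp_len = 3 + payload_len + HB_PADDING;
    if (resp_len > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xff);
    memcpy(out + 3, rec + 3, payload_len);         /* echo only received bytes */
    memset(out + 3 + payload_len, 0, HB_PADDING);  /* real padding is random */
    return (int)resp_len;
}

/* Constructed sample requests (assumed for this example): a well-formed
 * 5-byte payload, and the same bytes claiming a 65535-byte payload. */
static const uint8_t GOOD_REQ[24] = { HB_REQUEST, 0x00, 0x05, 'h','e','l','l','o' };
static const uint8_t BAD_REQ[24]  = { HB_REQUEST, 0xFF, 0xFF, 'h','e','l','l','o' };

int main(void)
{
    uint8_t out[128];
    printf("well-formed request -> %d\n", handle_heartbeat(GOOD_REQ, sizeof GOOD_REQ, out, sizeof out));
    printf("oversized length    -> %d\n", handle_heartbeat(BAD_REQ, sizeof BAD_REQ, out, sizeof out));
    return 0;
}
```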
Why is this important?
SSL/TLS is the cornerstone of encrypted data transmission on the Internet. We rely on websites to implement proper security measures when handling private information, e.g. bank accounts, medical records, social security numbers, and so on. OpenSSL is a widely used set of libraries that provides cryptographic services to many of these web servers. What makes this particular exploit interesting and very dangerous is that:
- In most cases, it is completely undetectable
- The attacker can run the exploit and view sensitive data directly, no man-in-the-middle (MITM) attacks needed
- Any OpenSSL version 1.0.1f and earlier is vulnerable
Whom does this affect?
So far, any company that provides services using non-patched OpenSSL to encrypt data can be vulnerable if proper measures of updating are not followed. Examples of this might include:
- Web servers that present SSL certificates (HTTPS)
- OpenVPN servers
- Load Balancers
- Intrusion Prevention System/Intrusion Detection System (IPS/IDS)
What is at stake?
- Private Encryption Keys – The most sought-after bounty! An attacker with these keys can decrypt any past and future data.
- Leaked Secondary Key Material – Usernames/Passwords that have access to internal systems or services.
- Leaked Protected Content – Any data that are meant to be encrypted, such as:
  - Source code of proprietary applications
  - Emails and instant messages
  - Bank accounts
  - Medical records
How does this affect Green House Data's services?
We are actively working to mitigate any presence of vulnerable systems within Green House Data's cloud infrastructure. From what we have seen so far, these efforts are primarily focused on systems using OpenSSL to encrypt TLS connections. Green House Data provides service and customer portals that use SSL, and we have taken the necessary actions to secure those systems.
Those who take advantage of our managed services will be patched automatically during the regular patching cycle. We also provide proactive vulnerability scanning of clients' systems and will notify them if and when issues are found. We consider data security and integrity a high priority with every service we provide.
What steps can be taken to fix this?
- If possible, remove any vulnerable device from the public Internet until it is patched.
- Update any system using OpenSSL version 1.0.1f and earlier to the latest and patched version, 1.0.1g.
- Those who used a non-patched version of OpenSSL to generate private keys for a certificate signing request (CSR) should generate a new key pair on the newly patched system and reissue the certificate. Most certificate authorities (CAs) will not require that you purchase a new certificate. Please note that these keys must be generated only after you have patched your system.
- Change any usernames and passwords that may have been leaked.
- Use a variety of tools to test your external web server against this bug. Some are provided in the links below.
References and Further Reading
General:
- http://heartbleed.com
- http://www.npr.org/blogs/alltechconsidered/2014/04/09/301006236/what-to-do-now-that-the-heartbleed-bug-exposed-the-internet
- http://www.kb.cert.org/vuls/id/720951
To test your server against the bug:
Posted by: Systems Administrator Alex Kirby