Now that you know that Heartbleed is potentially exposing your secure systems to malicious hackers, you need to know what to do about it. Not only does that mean you need to secure your systems (even the ones you don't yet know use OpenSSL), but you also need to be able to understand the flaw, explain it to people who need assurance that your systems are secure, and communicate to them when your fix is complete.
In brief, Heartbleed (CVE-2014-0160) is a vulnerability in the popular OpenSSL library that allows exposure of sensitive information in 64 KB chunks, which can be used to launch greater, more sophisticated attacks against an organization.
The Heartbleed vulnerability was introduced in December 2011 when OpenSSL version 1.0.1 was first released. Luckily, Neel Mehta and Adam Langley from Google discovered this flaw and named it "Heartbleed." It affects OpenSSL versions 1.0.1 through 1.0.1f. Brian Krebs contributed significantly in raising awareness of this issue by publishing a list of websites vulnerable to this bug, including Yahoo!, Flickr, and Eventbrite. This bug is pervasive enough to affect not only websites, but also hardware devices, including those from Aruba, Checkpoint, Cisco, Juniper, WatchGuard, and Fortinet. A list of vendors affected can be found here.
OpenSSL is a software package (referred to as a "library") that is popular among software developers for adding encryption capabilities to their applications. OpenSSL is the most popular method for securing web servers and applications and is the default library used by Apache and Nginx, which together power two-thirds of the Internet. Commonly associated with the "Secure Sockets Layer" and "Transport Layer Security" protocols (SSL and TLS), OpenSSL is used to create trusted communications between computers on the Internet during their transactions. For instance, OpenSSL is commonly used to secure Internet sessions between a user's web browser and the websites they are visiting (most websites that use https are likely using OpenSSL). It is also commonly used when two organizations encrypt sensitive information that they share over the Internet, including communications between online retailers and their credit card processors, between hospitals and insurance companies, or even between two email servers using TLS. Mobile applications also depend on OpenSSL to transfer information securely.
The Heartbleed vulnerability allows anyone on the Internet to query a server that is secured with OpenSSL (versions 1.0.1 through 1.0.1f) in a way that makes the server return users' account names and passwords, as well as the website's encryption keys. Using tools that exploit Heartbleed, someone can steal credentials without being traced, log in without authorization, and abuse any privileges associated with that account without anyone noticing. What's even scarier is that if an attacker can steal a website's encryption keys, they can also decipher other encrypted information such as payment information, usernames, passwords, email content, and much more. In addition, they could use this exploit to impersonate a legitimate website in order to phish users into revealing other personal information.
This serious vulnerability puts Internet privacy at risk.
How Do I Know if I Am Affected, and How Do I Fix It?
Many organizations are asking themselves, “Are my Internet systems vulnerable?” While end users must wait for systems administrators to repair this vulnerability (the fix is available), systems administrators should consider the following options to remedy this problem:
- Identify all systems that are likely operating OpenSSL as a service.
- As a first pass, this means identifying systems that typically run encryption services: web servers, database servers, mail servers, SSH and SFTP servers, and administration and reporting interfaces.
- Keep in mind that many commercial software packages and devices embed OpenSSL in ways you cannot access directly. Vulnerability scanning tools such as Nessus, Qualys, Rapid7, Metasploit, and GFI LanGuard can detect OpenSSL services.
- Also remember that OpenSSL has a client side, which can be exploited by malicious SSL servers.
- For the systems that you control and have identified as using a vulnerable version of OpenSSL, upgrade to the latest release, OpenSSL 1.0.1g, or recompile OpenSSL without the heartbeat feature that creates the vulnerability, as described in this advisory.
- On the client side, check the certificates presented by repaired servers to be sure they have been reissued.
- Change passwords for all user accounts on your system including passwords for any website visitors. The information security community is recommending that users stay away from any websites with sensitive information such as online banking for the next few days until the problem is fixed.
- Consider implementing two-factor authentication on your critical systems to add an extra layer of security and to reduce your vulnerabilities when the next fundamental flaw is discovered.
- Re-key your website SSL certificate immediately.
- Be sure to provide information to the public, your customers, consumers and partners about your status regarding the Heartbleed vulnerability. This is a highly publicized security flaw and your users will want to know when they are safe to use your systems.
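The identification and upgrade steps above can be partly scripted. The following is an added example (not part of the original post or of OpenSSL itself) that triages `openssl version` banners collected from your own hosts against the 1.0.1 through 1.0.1f range named in the text, and checks whether a server you operate still negotiates the TLS heartbeat extension; the hostnames and banners are constructed sample data, and the network check assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example: triage OpenSSL version banners gathered from an inventory
# (the output of `openssl version` on each host you control). The affected
# range checked is the one named in the text: 1.0.1 through 1.0.1f.

# Return 0 if the version falls in the affected range, 1 otherwise.
# Accepts the full "OpenSSL 1.0.1e 11 Feb 2013" banner or a bare "1.0.1e".
is_vulnerable_openssl_version() {
    ver=${1#OpenSSL }      # drop the leading product name, if present
    ver=${ver%% *}         # keep only the version token, drop the build date
    case "$ver" in
        # 1.0.1 with no letter, 1.0.1a-1.0.1f, and suffixed (e.g. -fips) builds
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read "hostname <version banner>" lines from stdin and print the hosts that
# report an affected version. Caveat: distributions shipped the fix as a patch
# without changing the letter (a patched 1.0.1e still reports 1.0.1e), so a hit
# means "verify with the package changelog or a scanner", not "confirmed".
triage_inventory() {
    while read -r host banner; do
        [ -z "$host" ] && continue
        if is_vulnerable_openssl_version "$banner"; then
            printf '%s\n' "$host"
        fi
    done
}

# Network-side check for a server you operate: the vulnerable code path only
# runs if the server still negotiates the TLS heartbeat extension. A server
# rebuilt without heartbeat support (the recompile option in the text) will not
# list it. Advertising heartbeat alone does not prove vulnerability; 1.0.1g
# still advertises it. Takes "host:port".
server_advertises_heartbeat() {
    openssl s_client -connect "$1" -tlsextdebug </dev/null 2>/dev/null \
        | grep -q 'TLS server extension "heartbeat"'
}

# Constructed sample inventory, not real hosts:
triage_inventory <<'EOF'
web1.example.test OpenSSL 1.0.1e 11 Feb 2013
web2.example.test OpenSSL 1.0.1e-fips 11 Feb 2013
mail1.example.test OpenSSL 1.0.1g 7 Apr 2014
legacy.example.test OpenSSL 0.9.8y 5 Feb 2013
EOF
# prints: web1.example.test and web2.example.test
```

Feed `triage_inventory` the real inventory you collect (one host per line, followed by that host's `openssl version` output) and treat each hit as a host to verify and patch, not as proof of compromise.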
But following these steps alone may not be enough to completely secure your environment. This flaw has been exploitable since December 2011, so someone might have already compromised sensitive information, including passwords and encryption keys, and used it to launch advanced persistent threats. Consider conducting a forensic analysis of your network to fully evaluate your infrastructure for possible signs of intrusion and prioritize remediation steps. For more information visit heartbleed.com.