The Heartbleed OpenSSL Vulnerability (CVE-2014-0160) was released on April 7th 2014.
What is Heartbleed?
Heartbleed is a vulnerability (bug) in the Heartbeat extension of the popular OpenSSL package; the extension is compiled in by default in a number of Unix/Linux distributions. If successfully exploited, the vulnerability can reveal data held in memory on the target host. This could include private keys and/or other sensitive information, such as user passwords, in decrypted form.
Is it exploitable?
SureCloud have been monitoring industry attention to this issue. We are seeing proof-of-concept (POC) exploits circulating and this vulnerability being actively targeted by attackers.
Versions of OpenSSL affected / not affected
- OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
- OpenSSL 1.0.2-beta1 is vulnerable
- OpenSSL 1.0.1g is NOT vulnerable
- OpenSSL 1.0.0 branch is NOT vulnerable
- OpenSSL 0.9.8 branch is NOT vulnerable
Are we vulnerable?
SureCloud have an active detection already in place within our on-demand and PCI ASV scanners, so existing customers can make use of this detection capability right away. This will be flagged as vulnerability ID 73404 – “OpenSSL 1.0.1 < 1.0.1g Multiple Vulnerabilities” and/or ID 73412 – “OpenSSL Heartbeat Information Disclosure (Heartbleed)”. We encourage all existing customers to run scans against any systems running OpenSSL as soon as possible, particularly those exposed to the public internet.
Ensure that any service that uses OpenSSL is patched or checked. This should include email services, web services, database services, VPN services and any supplied by third parties (such as mail filtering or VPN appliances). Individual vendors may have released their own advisories.
How can we protect our systems?
SureCloud would strongly recommend that any organisation running OpenSSL patch their systems to version 1.0.1g (released on April 7th) as soon as possible. For 1.0.2-beta1 a patch isn’t currently available; 1.0.2-beta2 will resolve this vulnerability.
Where a system cannot be patched, OpenSSL should be re-compiled with the Heartbeat extension disabled (-DOPENSSL_NO_HEARTBEATS).
Due to the nature of this attack, prior exploitation is extremely difficult to detect or verify. Therefore, it is strongly recommended that wherever OpenSSL is in use, SSL certificates are revoked, re-issued/re-generated and replaced, and that any system passwords are also changed.
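As an added illustration (not SureCloud’s code or tooling), the following Python script applies the affected version ranges listed above and the -DOPENSSL_NO_HEARTBEATS rebuild check to the output of `openssl version -a`. It assumes openssl is on PATH for the local check, assumes a -DOPENSSL_NO_HEARTBEATS build flag appears on the “compiler:” line of that output, and deliberately reports an in-range version as “confirm with the vendor” rather than “vulnerable”, because distributions backport the fix without changing the version letter.

```python
import re
import subprocess

# Affected ranges as stated in the advisory: 1.0.1 through 1.0.1f and 1.0.2-beta1.
# 1.0.1g and 1.0.2-beta2 are fixed; the 1.0.0 and 0.9.8 branches are not affected.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-(beta\d+))?")

def parse_version(banner):
    """Parse the first line of `openssl version` into (major, minor, fix, letter, beta)."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError("unrecognised OpenSSL version string: %r" % banner)
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4), m.group(5)

def is_heartbleed_affected(banner):
    """True if the version string falls inside the advisory's affected ranges."""
    major, minor, fix, letter, beta = parse_version(banner)
    if (major, minor, fix) == (1, 0, 1):
        return letter <= "f"          # "" (plain 1.0.1) through "f"; "g" is fixed
    if (major, minor, fix) == (1, 0, 2):
        return beta == "beta1"
    return False

def heartbeats_disabled(version_a_output):
    """True if the build flags in `openssl version -a` show the rebuild mitigation
    (assumption: -DOPENSSL_NO_HEARTBEATS is echoed on the 'compiler:' line)."""
    return "OPENSSL_NO_HEARTBEATS" in version_a_output

def assess(version_a_output):
    """Classify a host from its `openssl version -a` output. An in-range version
    is NOT proof of exposure: vendors backport the fix without bumping the letter,
    so it must be confirmed against the vendor advisory or with a scanner."""
    if not is_heartbleed_affected(version_a_output.splitlines()[0]):
        return "not-affected"
    if heartbeats_disabled(version_a_output):
        return "mitigated-by-build-flag"
    return "affected-range-confirm-vendor-patch"

# Constructed, abbreviated samples of `openssl version -a` output (not real hosts).
SAMPLE_UNPATCHED = "OpenSSL 1.0.1e 11 Feb 2013\ncompiler: gcc -fPIC -DOPENSSL_THREADS\n"
SAMPLE_REBUILT = ("OpenSSL 1.0.1f 6 Jan 2014\n"
                  "compiler: gcc -fPIC -DOPENSSL_THREADS -DOPENSSL_NO_HEARTBEATS\n")
SAMPLE_FIXED = "OpenSSL 1.0.1g 7 Apr 2014\ncompiler: gcc -fPIC -DOPENSSL_THREADS\n"

if __name__ == "__main__":
    for sample in (SAMPLE_UNPATCHED, SAMPLE_REBUILT, SAMPLE_FIXED):
        print(sample.splitlines()[0], "->", assess(sample))
    local = subprocess.run(["openssl", "version", "-a"], capture_output=True, text=True)
    print("local (requires openssl on PATH) ->", assess(local.stdout))
```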
Further Reading
Further information regarding this vulnerability can be found here:
https://heartbleed.com – Site dedicated to explaining this vulnerability in further detail
https://www.openssl.org/ – OpenSSL official site
https://www.darkreading.com/informationweek-home/emergency-ssl-tls-patchi… – Dark Reading
https://www.ubuntu.com/usn/usn-2165-1/ – Ubuntu Site
https://arstechnica.com/security/2014/04/critical-crypto-bug-in-openssl-o… – ARSTechnica
Should you have any questions or concerns regarding this or any other matter then please contact us – support@https://surecloud.com / 0118 963 7999
Whilst every effort is made to ensure the accuracy and robustness of any information presented, it is not possible for SureCloud to test every possible scenario an organization may face, and SureCloud cannot be held liable for any loss or damage which may arise from taking action on any of the contents provided. SureCloud strongly advises that all recommendations, solutions and detection methods detailed, are thoroughly reviewed and tested in non-production environments before being considered suitable for production release, in-line with any existing internal change control procedures.