CVE-2014-0160 "Heartbleed" Guidance

Comment

We have been closely following the developments surrounding CVE-2014-0160, more commonly known as "Heartbleed," since the advisory was released by the OpenSSL developers on Monday, April 7. This post is intended to relay a high-level understanding of the vulnerability, its potential impact, and the proper technical response for successful prevention and mitigation.


What is OpenSSL?

OpenSSL is an open source implementation of the SSL and TLS protocols. These protocols are used to provide secure communication on the internet. They are most commonly used to protect the communication between web browsers and web servers, but may also be used to protect other systems, like mail servers and file servers. The OpenSSL software is widely used in UNIX-like systems, which includes many internet accessible servers, appliances and embedded devices. Recent by the internet research company Netcraft estimate that 17.5% of SSL protected sites are potentially affected by Heartbleed. This list includes many popular sites, including Yahoo, Tumblr and sites hosted at Amazon Web Services.


What is Heartbleed?

"Heartbleed" is the popular name given to a recently discovered vulnerability affecting certain versions of OpenSSL. It is formally identified as CVE-2014-0160 in the Common Vulnerabilities and Exposures System. The vulnerability has been dubbed "Heartbleed" because it affects a "heartbeat" function within OpenSSL, and causes the program to leak, or "bleed" information. When successfully exploited, this vulnerability allows an attacker to remotely read a section of memory from the exploited machine. This region of memory may contain sensitive information such as user names, passwords, session IDs, or even private keys. In short, the leaked information can break the integrity of the system.


This bug is considered particularly severe for several reasons. OpenSSL is widely used, so the potential attack area involves a large segment of the internet. Additionally, this bug is trivially easy to exploit. An unsophisticated attacker can exploit this bug with available scripts. Furthermore, a successful attack leaves no evidence on the exploited machine. While no convincing evidence yet exists, it's possible that this bug may have been exploited up to two years prior to the recent advisory.

What steps should our organization take to prevent or mitigate the effects of Heartbleed?

Heartbleed may impact different organizations in various ways, depending on the technologies and vendors that they use. Resolving this issue may be complex because it involves coordination between organizations and various vendors. There are, however, steps that can be taken by most organizations to eliminate or mitigate Heartbleed and potential consequences.

    1. Identify any internal systems that may be affected by Heartbleed. Linux and other UNIX-like web servers running OpenSSL versions 1.0.1 prior to 1.0.1g are the most common systems vulnerable to Heartbleed. However, there are many major networking and appliance vendors that may be affected, including some Cisco, Barracuda and Watchguard devices, among others. Take inventory of any potential vulnerable systems and verify, either manually, or by contacting a vendor, which systems should be patched. Any systems exposed to the internet should be prioritized. 
    2. Update OpenSSL on affected systems to the most recent version, 1.0.1g. All of the most common supported Linux distributions released an update package for this vulnerability shortly after it was disclosed. For most Linux distributions, this update can be quickly accomplished using an appropriate package manager. For other systems, such as appliances and embedded systems, it will be necessary to contact the appropriate vendor to receive an update patch or a new firmware version.
    3. Re-key and re-install any SSL certificates on patched systems, and revoke any that are potentially compromised . The major SSL vendors and Certificate Authorities understand the potential consequences of Heartbleed. In most cases, SSL vendors allow unlimited free re-issues for these certificates. Once the affected systems are patched, re-issue and apply the new certificates to the affected systems, since the old ones may have been disclosed through the information leak. 
    4. Reset passwords or other credentials on affected systems. After the affected systems are patched and their SSL certificates are re-installed, private information can no longer be leaked through this bug. It is necessary to change any credentials that may have been leaked from the system when it was vulnerable, including any passwords and authentication certificates.
    5. Initiate contact with external IT service providers that have not already communicated their posture and plans. Many vendors have already responded to the influx of inquiries about Heartbleed from their customers. Follow any guidance that they give, including prompts to changes credentials  
    6. Verify that vendors have patched and re-keyed SSL certs on affected systems. Just like the internal systems, it is important that vendors replace any potentially compromised SSL certificates. Verify that this step was taken by the vendor, if necessary.
    7. Reset passwords or other credentials on any vendor sites. Once the integrity of the vendor systems has been acknowledged, change any credentials that may have been leaked. 

These steps should serve organizations that want to effectively mitigate or prevent the impact of Heartbleed. There may be edge-cases where OpenSSL cannot be patched and another mitigation technique may be warranted. If you have any questions, or need more guidance, please feel free to contact us.