Heartbleed Security Bug: Vulnerability in OpenSSL discovered
On 7 April 2014, a serious flaw in OpenSSL was announced (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160). OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. It is widely used to provide security and privacy in web servers (including the most popular web server, Apache), virtual private networks and email servers, and even in anonymising tools such as Tor.
What is Heartbleed?
The vulnerability has been dubbed Heartbleed because it exploits a flaw in the implementation of the TLS heartbeat mechanism. It should be stressed that the vulnerability is the result of a flaw in the implementation, not a flaw in the protocol. The flawed implementation (present in OpenSSL versions 1.0.1 through 1.0.1f) allows an attacker to remotely force the disclosure of potentially sensitive information (such as private keys, passwords, and so on). Whilst it is tempting to succumb to the “alarm fatigue” that inevitably follows yet another security vulnerability announcement, this one really is serious. It can affect you in two ways: you may have connected to services (such as third-party web sites) that leaked information about you (such as passwords and other sensitive data) to a remote attacker; and any web-facing services for which you are responsible must be audited to determine whether they are vulnerable. To make matters worse, the attack is stealthy: it leaves no tell-tale signs, so there will be no indication if you have been a victim.
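To make the implementation flaw concrete, here is an added example written for this page, not OpenSSL's code: a simplified heartbeat handler in its flawed form, which copies as many bytes as the peer's length field declares (the known cause of CVE-2014-0160), beside the hardened form that first checks the declared length against the bytes actually received. The message layout, the `image` buffer and the `demo_*` functions are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Simplified model of a TLS heartbeat body (not OpenSSL's code):
 *   type(1) | payload_length(2, big-endian) | payload | padding(>=16) */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define HB_DECLARED(rec) ((uint16_t)(((rec)[1] << 8) | (rec)[2]))
/* Flawed handler: trusts the peer-declared length and copies that many bytes,
 * however many actually arrived. This is the CVE-2014-0160 defect in miniature. */
size_t hb_respond_flawed(const unsigned char *rec, unsigned char *out)
{
    uint16_t len = HB_DECLARED(rec);
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, len);          /* reads past the record when len is a lie */
    memset(out + 3 + len, 0, HB_PADDING);
    return 3 + len + HB_PADDING;
}
/* Hardened handler: header + declared payload + padding must fit in the bytes
 * actually received; otherwise the request is silently discarded (returns 0). */
size_t hb_respond_checked(const unsigned char *rec, size_t rec_len, unsigned char *out)
{
    if (rec_len < 3 + HB_PADDING || rec[0] != HB_REQUEST) return 0;
    uint16_t len = HB_DECLARED(rec);
    if ((size_t)3 + len + HB_PADDING > rec_len) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, len);
    memset(out + 3 + len, 0, HB_PADDING);
    return 3 + len + HB_PADDING;
}
/* Constructed memory image: a 24-byte request whose payload is the 5 bytes "hello"
 * but which declares 40 bytes (0x0028), followed by bytes standing in for secrets. */
static const unsigned char image[] =
    "\x01\x00\x28" "hello" "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"
    "SESSION-SECRET-DO-NOT-LEAK";
#define RECORD_LEN 24
int demo_flawed_leaks(void)   /* 1 if the reply carries bytes from beyond the record */
{
    unsigned char out[128];
    return hb_respond_flawed(image, out) == 59 && memcmp(out + 24, "SESSION-SECRET", 14) == 0;
}
int demo_checked(void)        /* 1 if the lying request is dropped and an honest one echoed */
{
    unsigned char good[RECORD_LEN], out[128];
    if (hb_respond_checked(image, RECORD_LEN, out) != 0) return 0;
    memcpy(good, image, RECORD_LEN);
    good[1] = 0; good[2] = 5;             /* declared length now matches the payload */
    return hb_respond_checked(good, RECORD_LEN, out) == 24 && memcmp(out + 3, "hello", 5) == 0;
}
```

The flawed reply is 59 bytes long and carries the stand-in secret that sits after the record, while the hardened handler discards the same request and still answers an honest one.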
The Heartbleed vulnerability highlights just how difficult it is to produce secure software. It’s not a stretch to say that some vendors (whose products have played second fiddle to Internet powerhouses like the Apache web server) have revelled in the announcement that such a critical flaw has been detected in open source software. The OpenSSL package has been thoroughly scrutinised but, still, this flaw exists. Perhaps even more sobering is that the flaw has been there for more than two years. This raises the question of whether others have known about and exploited this flaw long before this announcement.
Tesserent platform unaffected by OpenSSL issue Heartbleed
Importantly, no software used by Tesserent in the delivery of our managed services is vulnerable to this attack. However, if you are providing any services that include the vulnerable versions of OpenSSL, you should upgrade them immediately to OpenSSL 1.0.1g, which was released on 7 April 2014. You should also consider re-issuing the keys used by these services, invalidating any session cookies in use, and advising your users to change their passwords where applicable.
Where possible, Tesserent protects our customers’ infrastructure against critical flaws by detecting attacks and blocking them before they reach their targets. In this case, the task is made more difficult because the attack occurs over an encrypted connection. However, Tesserent’s reverse proxy service can mitigate this by providing a secure termination point in front of our customers’ web servers. If you would like to discuss whether this service would be of benefit to you, please contact our NOC (http://support.tesserent.com) for assistance.