When we look at concerning security issues, there are always considerations such as how long a vulnerability existed before it was discovered, how pervasive it is or how likely it is to affect a large population of systems, processes, and users, and how much damage it could do if exploited. When all three combine, you have the trifecta of grave concern that the security community now has over the “Heartbleed” vulnerability, publicly announced April 7, 2014.
How bad is it? Estimates are that over 66% of active websites on the internet may be vulnerable to this bug, found in OpenSSL, the open source cryptographic library that the Apache and nginx web servers use to set up encrypted connections with users. How much damage can it do if exploited? Think big. Think ‘keys to the kingdom’ big. And how do you know if you’ve been exploited? You don’t – assume you may have. This is definitely run, don’t walk material for security professionals.
OpenSSL is used every day in apps, websites and government sites, and even to transmit encrypted data such as credit card information, passwords, user IDs, etc. This PII may be leaked from server memory, where it is commonly held during processing, and unfortunately can be exposed through the Heartbleed bug, along with the secret keys used to encrypt and decrypt that information.
Furthermore, OpenSSL is used to protect, for example, email servers (SMTP, POP and IMAP), chat servers (XMPP), virtual private networks (SSL VPNs), network appliances and a wide variety of client-side software. OpenSSL is very popular in client software and somewhat popular in networked appliances, which have the most inertia in getting updates. Fortunately, many large consumer sites could be saved by a conservative choice to use SSL/TLS termination equipment and software.
The exploit relies on a bug in the implementation of OpenSSL’s “heartbeat” feature, hence the “Heartbleed” name (CVE-2014-0160). Security researchers at the firm Codenomicon and Neel Mehta of Google Security discovered it and reported it to the OpenSSL team. Codenomicon has written an in-depth breakdown of their experience:
“We have tested some of our own services from an attacker’s perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.”
Heartbleed is not just bad, it’s very, very bad. The bug has been in OpenSSL since December 2011 (OpenSSL versions 1.0.1 through 1.0.1f), so it’s safe to assume that others have found it, and it’s reasonable to assume that the hacker community has been exploiting it for some time. Even worse, exploiting this bug appears to leave no trace in the server’s logs. This means there is no easy way for a system administrator to know whether their servers have been compromised; they just have to assume that they have been.
Here are a few examples of how this exploit could have been used in your environment:
- An attacker can access (and possibly already has accessed) your site’s or server’s memory (albeit in 64-byte chunks) and gather the secret keys used to encrypt and decrypt communications. This means an attacker could read sensitive data as plain text – as if no encryption existed at all.
- Once an attacker has the keys, they can also impersonate a secure website or server, and essentially defeat any browser-based security checks your system may have in place.
- Once the attacker has the keys, they could gather petabytes of encrypted data and easily decrypt it.
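The defect behind all three scenarios is a single missing bounds check: the heartbeat handler trusted the length field in the peer’s message and copied that many bytes back, whatever happened to sit next to the message in memory. The following simulation is an added example written for this post, not Tripwire’s code or OpenSSL’s; it lays out an RFC 6520 heartbeat message in a constructed byte buffer next to fake neighbouring data and runs a pre-fix handler and a 1.0.1g-style handler over it. The handler names, the buffer contents and the “ping” payload are all constructed for illustration.

```python
import struct
from typing import Optional

# Heartbeat message layout from RFC 6520: type (1 byte), payload_length (2 bytes),
# payload, then at least 16 bytes of padding.
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16


def build_heartbeat_request(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Build a heartbeat request. claimed_length lets the simulation construct a
    message whose length field disagrees with the payload actually sent."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + b"\x00" * MIN_PADDING


def vulnerable_handler(memory: bytes, record_offset: int, record_length: int) -> Optional[bytes]:
    """Pre-1.0.1g behaviour: trust the sender's length field and echo that many
    bytes from where the payload starts, even past the end of the received record."""
    msg_type, payload_len = struct.unpack_from("!BH", memory, record_offset)
    if msg_type != HEARTBEAT_REQUEST:
        return None
    start = record_offset + 3
    # In C this is an unchecked memcpy of payload_len bytes; here the slice stops at
    # the end of the simulated buffer, but it still reaches well past record_length.
    echoed = memory[start:start + payload_len]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, len(echoed)) + echoed + b"\x00" * MIN_PADDING


def fixed_handler(memory: bytes, record_offset: int, record_length: int) -> Optional[bytes]:
    """1.0.1g behaviour: silently discard the message when the claimed payload plus
    header and minimum padding would exceed the record actually received."""
    if record_length < 1 + 2 + MIN_PADDING:
        return None
    msg_type, payload_len = struct.unpack_from("!BH", memory, record_offset)
    if msg_type != HEARTBEAT_REQUEST:
        return None
    if 1 + 2 + payload_len + MIN_PADDING > record_length:
        return None
    start = record_offset + 3
    echoed = memory[start:start + payload_len]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_len) + echoed + b"\x00" * MIN_PADDING


def echoed_payload(response: bytes) -> bytes:
    """Extract the payload a handler echoed back."""
    _, n = struct.unpack_from("!BH", response, 0)
    return response[3:3 + n]


def simulate(claimed_length: int) -> dict:
    """Place a heartbeat record in a constructed memory buffer next to unrelated
    data and run both handlers over it."""
    record = build_heartbeat_request(b"ping", claimed_length)
    # Constructed neighbouring data standing in for whatever the server last held
    # in the same heap region; the key text is a fake placeholder, not a real key.
    neighbour = b"session=abc123; key=-----BEGIN RSA PRIVATE KEY-----(constructed)"
    memory = record + neighbour
    vuln = vulnerable_handler(memory, 0, len(record))
    fixed = fixed_handler(memory, 0, len(record))
    echo = echoed_payload(vuln) if vuln else b""
    return {
        "record_length": len(record),
        "vulnerable_echo": echo,
        # Everything echoed past the record itself was never sent by the peer.
        "bytes_beyond_record": echo[len(record) - 3:],
        "fixed_response": fixed,
    }


if __name__ == "__main__":
    for claimed in (4, 64):
        r = simulate(claimed)
        print(f"claimed={claimed:>3}  leaked={r['bytes_beyond_record']!r}  "
              f"fixed_drops={r['fixed_response'] is None}")
```

With an honest length of 4 both handlers echo “ping” and nothing else; with a claimed length of 64 the pre-fix handler hands back 44 bytes of the neighbouring data while the fixed handler drops the message. Note that the fix discards the malformed message silently, so a patched server still writes nothing to its logs; detecting probing attempts has to happen at the network layer (IDS signatures on heartbeat records whose length field exceeds the TLS record) rather than in application logs.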
Run, don’t walk, to get the information you may need for your environment. OpenSSL released an emergency patch for the bug along with a Security Advisory on April 7, 2014. You should consider applying this patch immediately if you’re using the Apache web server or nginx with OpenSSL. Refer to www.heartbleed.com for useful details.
A fixed OpenSSL has been released, and now it has to be deployed. Operating system vendors and distributions, appliance vendors and independent software vendors have to adopt the fix and notify their users. Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use.
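The first step in deploying the fix is knowing which hosts carry an affected build. The script below is an added example for this post (not Tripwire’s tooling) that classifies the output of `openssl version` collected from an inventory of hosts against the affected range the advisory names (1.0.1 through 1.0.1f, plus 1.0.2-beta1). It also treats a build whose `openssl version -a` compiler line contains `-DOPENSSL_NO_HEARTBEATS`, the advisory’s stop-gap for those who cannot upgrade, as not exposed; that the flag shows up in that line is an assumption about the captured output. The host names and version strings in `SAMPLE_INVENTORY` are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Matches the leading token of `openssl version` output, e.g. "OpenSSL 1.0.1e 11 Feb 2013"
# or "OpenSSL 1.0.2-beta1 24 Feb 2014".
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-([A-Za-z0-9.]+))?")


@dataclass
class Assessment:
    version: str
    vulnerable: bool
    reason: str


def assess_openssl(version_output: str) -> Assessment:
    """Classify the text printed by `openssl version` (or `openssl version -a`)."""
    m = VERSION_RE.search(version_output)
    if not m:
        return Assessment(version_output.strip(), False, "unrecognised version string; inspect manually")
    major, minor, patch, letter, suffix = m.groups()
    base = (int(major), int(minor), int(patch))
    version = f"{major}.{minor}.{patch}{letter}" + (f"-{suffix}" if suffix else "")
    # Assumption: a build compiled with -DOPENSSL_NO_HEARTBEATS shows that flag in
    # the "compiler:" line of `openssl version -a`, and the inventory kept that line.
    if "OPENSSL_NO_HEARTBEATS" in version_output:
        return Assessment(version, False, "built without the heartbeat extension")
    if base == (1, 0, 1):
        # "" sorts before "a", so the bare 1.0.1 release is covered as well.
        if letter <= "f":
            return Assessment(version, True, "1.0.1 through 1.0.1f carry the unchecked heartbeat length")
        return Assessment(version, False, "1.0.1g and later check the length against the record")
    if base == (1, 0, 2) and suffix == "beta1":
        return Assessment(version, True, "1.0.2-beta1 predates the fix")
    if base < (1, 0, 1):
        return Assessment(version, False, "pre-1.0.1 releases have no heartbeat support")
    return Assessment(version, False, "released after the fix")


def triage(inventory: Dict[str, str]) -> Dict[str, Assessment]:
    """Assess every host in a {hostname: version_output} inventory."""
    return {host: assess_openssl(out) for host, out in inventory.items()}


def exposed_hosts(inventory: Dict[str, str]) -> List[str]:
    """Hosts whose reported build falls in the affected range, sorted by name."""
    return sorted(host for host, a in triage(inventory).items() if a.vulnerable)


# Constructed inventory, as an administrator might collect with `ssh <host> openssl version`.
SAMPLE_INVENTORY = {
    "web-01.example": "OpenSSL 1.0.1e 11 Feb 2013",
    "web-02.example": "OpenSSL 1.0.1g 7 Apr 2014",
    "mail-01.example": "OpenSSL 1.0.0l 6 Jan 2014",
    "lab-01.example": "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "vpn-01.example": "OpenSSL 1.0.1f 6 Jan 2014\ncompiler: gcc -DOPENSSL_NO_HEARTBEATS -O2",
    "nas-01.example": "openssl: command not found",
}


if __name__ == "__main__":
    for host, a in triage(SAMPLE_INVENTORY).items():
        print(f"{host:16} {a.version:14} {'EXPOSED' if a.vulnerable else 'ok':8} {a.reason}")
```

Treat the version string as a screening signal, not a verdict. Distribution packages commonly backport a security fix while keeping the upstream version string (Debian and Ubuntu did exactly that for Heartbleed), so a host reporting 1.0.1e may already be fixed; confirm through the package changelog or the vendor’s advisory before closing the ticket, and conversely keep the hosts that report “command not found” on the list, since appliances and statically linked software carry their own copies of the library.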
And be sure to join us for the webcast Heartbleed Outpatient Care: Steps for Secure Recovery on Thursday, April 17, 2014 at 1:00 PM EDT/10:00 AM PDT, where we will discuss the need for a robust security strategy for rapid reaction to vulnerabilities and threats.
In this webcast we will examine:
- The Heartbleed vulnerability in detail, how it occurred with examples of how it can be used against your organization
- How you can identify your business exposure and what systems are vulnerable
- How Tripwire’s solutions work together to help you close the detection, remediation and prevention gaps around Heartbleed
See also:
- How to Detect the Heartbleed OpenSSL Vulnerability in Your Environment
- Interrupting a Cyber Attack in Progress
- Ten Steps for Early Incident Detection
- Restoring Trust After a Data Breach
- How to Perform Early Detection of a Distributed Attack
The Executive’s Guide to the Top 20 Critical Security Controls
Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].
Title image courtesy of ShutterStock