Vendors and administrators scramble to patch OpenSSL vulnerability

Since news of the OpenSSL bug started to spread on Monday, administrators and vendors have made a mad scramble to patch the Heartbleed bug, named for the flawed implementation of the heartbeat option in the cryptographic library.

On Monday, three researchers from Codenomicon and Neel Mehta (a Google staffer focused on security) detailed the flaw and the various problems it will create.

In short, the flaw allows anyone, anywhere on the Internet, to read the memory of systems running vulnerable versions of OpenSSL in 64kb chunks. Doing so exposes information such as secret keys, usernames and passwords, and in some cases the protected content itself.

Moreover, there is no limit to the number of 64kb chunks of memory that can be read, so an attacker can repeat the process as many times as they wish until they find the information they're after.
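The over-read described above comes from a single missing bounds check: the heartbeat handler trusted the payload length claimed by the peer and copied that many bytes from its own memory into the reply. The following Python model, added here as an illustration and not code from the article or from OpenSSL, builds heartbeat records in the RFC 6520 layout, shows the unchecked copy beside the checked one, and uses a constructed byte buffer (with a clearly fake "secret") to stand in for process memory. Record builders, the `SECRET` constant and the function names are all assumptions made for this example.

```python
"""Heartbeat length validation: the check whose absence caused Heartbleed.

Added example, not code from the article or from OpenSSL. The message layout
follows RFC 6520 (type, 16-bit payload_length, payload, >=16 bytes padding)
inside a TLS record (content type 0x18). The 'memory' buffer, the SECRET
value and the sample records are constructed for illustration only.
"""
import struct

HEARTBEAT_CONTENT_TYPE = 0x18
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16          # RFC 6520 requires at least 16 bytes of padding
TLS_VERSION = 0x0302      # TLS 1.1, any value works for this model


def build_heartbeat_record(payload: bytes, claimed_length: int = None,
                           padding: bytes = b"\x00" * MIN_PADDING) -> bytes:
    """Build a TLS record carrying a HeartbeatRequest.

    claimed_length lets a caller construct a message whose payload_length
    field does not match the bytes actually present (the Heartbleed case).
    """
    if claimed_length is None:
        claimed_length = len(payload)
    body = struct.pack("!BH", HB_REQUEST, claimed_length) + payload + padding
    return struct.pack("!BHH", HEARTBEAT_CONTENT_TYPE, TLS_VERSION, len(body)) + body


def parse_record(record: bytes):
    """Split a TLS record into (content_type, version, body)."""
    content_type, version, length = struct.unpack("!BHH", record[:5])
    body = record[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated record")
    return content_type, version, body


def respond_unchecked(memory: bytes, offset: int) -> bytes:
    """Vulnerable pattern: trust payload_length and copy that many bytes.

    'memory' stands in for the process heap; the record starts at 'offset'.
    Because the copy is bounded only by the claimed length, whatever follows
    the message in memory is returned to the peer.
    """
    _, _, body = parse_record(memory[offset:])
    _hb_type, payload_length = struct.unpack("!BH", body[:3])
    start = offset + 5 + 3               # skip record header and hb type/length
    return memory[start:start + payload_length]


def respond_checked(memory: bytes, offset: int):
    """Hardened pattern: discard a message whose claimed payload cannot fit.

    Mirrors the bounds check in the fix: type (1) + length (2) + payload +
    minimum padding (16) must not exceed the record body. Returns the echoed
    payload, or None when the message is discarded.
    """
    _, _, body = parse_record(memory[offset:])
    if len(body) < 1 + 2 + MIN_PADDING:
        return None                      # no room even for an empty payload
    hb_type, payload_length = struct.unpack("!BH", body[:3])
    if hb_type != HB_REQUEST:
        return None
    if 1 + 2 + payload_length + MIN_PADDING > len(body):
        return None                      # claimed length exceeds the record
    return body[3:3 + payload_length]


# Constructed sample "heap": a heartbeat record followed by data that must
# never leave the process (a fake placeholder, not real key material).
SECRET = b"FAKE-PRIVATE-KEY-MATERIAL-0123456789"
HONEST = build_heartbeat_record(b"ping")
# Claims 4 payload bytes + 16 padding + the whole secret: 56 bytes.
LYING = build_heartbeat_record(b"ping", claimed_length=4 + MIN_PADDING + len(SECRET))


def demo() -> dict:
    """Run both handlers over both records; returns what each would send back."""
    return {
        "honest_unchecked": respond_unchecked(HONEST + SECRET, 0),
        "honest_checked": respond_checked(HONEST + SECRET, 0),
        "lying_unchecked": respond_unchecked(LYING + SECRET, 0),
        "lying_checked": respond_checked(LYING + SECRET, 0),
    }


if __name__ == "__main__":
    for name, reply in demo().items():
        print(f"{name}: {reply!r}")
```

The honest request is echoed by both handlers; the request with an inflated length field is answered by the unchecked handler with the padding and the bytes that follow the message, and is dropped by the checked one. The same comparison of claimed payload length against record length is what a network sensor can use to flag malformed heartbeats on the wire.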

OpenSSL is used by millions of websites, so the flaw affects almost everyone. Those not affected by this two-year-old bug are immune either because their websites don't support SSL or because they're running outdated versions of OpenSSL, and both of those are problems in their own right.

Dwayne Melancon, CTO of Tripwire, told CSO Online that the potential impact for Heartbleed is huge.

"OpenSSL is a widely used technology for secure communication over the Internet. In general, that means it was implemented to protect secure data and communications to prevent unauthorized access to information. This vulnerability means attackers can gain access to information, transactions, and other sensitive or valuable data with little restriction - it is very serious."

The flaw has existed for two years, and there are a number of mitigating factors that would leave a website immune to this problem.

At last check, 48 of the Alexa Top 1,000 sites were vulnerable to the Heartbleed issue. Then again, of the 952 domains not vulnerable, 512 are safe only because they don't support SSL. The other 448 domains listed as not vulnerable are either patched, don't enable the heartbeat option, or are running an older implementation of OpenSSL.

Those with outdated installs are exposing the website and its users to a number of other risks, so the advice from experts is to update to the current version, Heartbleed vulnerability or not.

Don't Panic:

"The important thing to do is take a breath, update your system, and revoke your current SSL Keys and issue new ones. Patching systems is the easy part here - several major vendors, RedHat and Ubuntu included, have already issued updates to their package management systems," Tripwire's Tyler Reguly said.

"If you are concerned that you may have been a target and your keys may have already leaked, revoking your current certificate and issuing a new one is a solid practice that will give you true confidence in all communication going forward. The real risk is the fact that the private keys, once leaked, are leaked forever. If you can get past that, you can get past the entire problem."

Reaching Impact:

In a note to customers, LastPass, the company behind the popular password management software, acknowledged that its servers were vulnerable to the Heartbleed issue, but that the information stored on them was not.

"LastPass is unique in that your data is also encrypted with a key that LastPass servers don't have access to. Your sensitive data is never transmitted over SSL unencrypted - it's already encrypted when it is transmitted, with a key LastPass never receives. While this bug is still very serious, it could not expose LastPass customers' encrypted data due to our extra layers of protection."

However, LastPass still encouraged customers to generate new passwords for important websites, just to play it safe, but added that they should wait to do so until after the potentially vulnerable website has changed its certificates.

"Because other websites may not be encrypting data the way LastPass does, we recommend that LastPass users generate new passwords for their most critical sites (such as email, banking, and social networks) if those sites utilize Apache, Nginx or show as vulnerable to the Heartbleed bug. However, users should wait until their sites have replaced their certificates, with a start date after today (April 8th, 2014)."
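Changing a password before the site has replaced the certificate (and the private key behind it) gains little, because the new password could travel under a key that already leaked. One way to apply the "start date after April 8th, 2014" rule is to read the certificate's notBefore date; the Python below, added here as an illustration rather than anything LastPass or the article published, works on the dictionary shape that the standard library's `ssl.SSLSocket.getpeercert()` returns, and treats "after April 8" as on or after April 9 UTC. The hostnames and certificate dates are constructed sample data, not real sites.

```python
"""Check whether a site's certificate post-dates the Heartbleed disclosure.

Added example, not from the article or from LastPass. It consumes the dict
that Python's ssl.SSLSocket.getpeercert() returns (notBefore/notAfter as
'%b %d %H:%M:%S %Y GMT' strings). SAMPLE_CERTS is constructed data.
"""
import ssl
from datetime import datetime, timedelta, timezone

# Disclosure date named in the article. "A start date after today" is read
# here as notBefore on or after the following day, 00:00 UTC.
DISCLOSURE = datetime(2014, 4, 8, tzinfo=timezone.utc)
ROTATION_CUTOFF = (DISCLOSURE + timedelta(days=1)).timestamp()


def reissued_after_disclosure(peercert: dict, cutoff: float = ROTATION_CUTOFF) -> bool:
    """True if the certificate's notBefore is at or after the cutoff.

    A certificate dated before the cutoff may still be bound to a key that
    leaked, so a password change on that site would be premature.
    """
    not_before = ssl.cert_time_to_seconds(peercert["notBefore"])
    return not_before >= cutoff


def sites_safe_to_rotate(certs: dict) -> list:
    """Return, sorted, the hostnames whose certificate post-dates the cutoff."""
    return sorted(host for host, cert in certs.items()
                  if reissued_after_disclosure(cert))


# Constructed sample: what getpeercert() might return for three hostnames.
SAMPLE_CERTS = {
    "mail.example":   {"notBefore": "Apr  9 10:15:00 2014 GMT",
                       "notAfter":  "Apr  9 10:15:00 2016 GMT"},
    "bank.example":   {"notBefore": "Mar  1 00:00:00 2014 GMT",
                       "notAfter":  "Mar  1 00:00:00 2015 GMT"},
    # Issued late on the disclosure day itself: not yet "after" it.
    "social.example": {"notBefore": "Apr  8 23:59:59 2014 GMT",
                       "notAfter":  "Apr  8 23:59:59 2015 GMT"},
}

if __name__ == "__main__":
    print("Safe to rotate passwords on:", sites_safe_to_rotate(SAMPLE_CERTS))
```

A live check would fill the dictionary from `getpeercert()` on a verified connection to each site; a certificate issued after the disclosure date is necessary but not sufficient, since it only shows the operator reissued, not that they also generated a fresh key.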

A good re-cap of the situation, including steps to take and mitigating factors, can be viewed here.

Stories by Steve Ragan
