Vendors and administrators scramble to patch OpenSSL vulnerability
- 09 April, 2014 05:58
Since news of the OpenSSL bug started to spread on Monday, administrators and vendors have made a mad scramble to patch the Heartbleed bug, named for the flawed implementation of the heartbeat option in the cryptographic library.
On Monday, three researchers from Codenomicon and Neel Mehta (a Google staffer focused on security) detailed the flaw and the various problems it will create.
In short, the flaw allows anyone, anywhere on the Internet, to read the memory of systems implementing the vulnerable versions of OpenSSL in 64kb chunks. Doing so allows them to access information such as secret keys, usernames and passwords, and in some cases, content itself that would normally be protected.
Moreover, there is no limit to the number of 64kb chunks of memory that are accessed, so the attacker can repeat the process as many times as they wish until they get the information they're after.
OpenSSL is used by millions of websites, so the flaw impacts almost everyone. Those not impacted by this two year-old bug are immune either because their websites don't support SSL or they're using outdated versions of OpenSSL; and both options are a problem on their own.
Dwayne Melancon, CTO of Tripwire, told CSO Online that the potential impact for Heartbleed is huge.
"Open SSL is a widely used technology for secure communication over the Internet. In general, that means it was implemented to protect secure data and communications to prevent unauthorized access to information. This vulnerability means attackers can gain access to information, transactions, and other sensitive or valuable data with little restriction - it is very serious."
The flaw has existed for two-years, and there are a number of mitigating factors that would leave website immune to this problem.
At last check, 48 of the Alexia Top 1,000 were vulnerable to Heartbleed issue. Then again, of the 952 domains not vulnerable, 512 of them are safe because they don't support SSL. The other 448 domains listed as not vulnerable are either patched, don't allow the heartbeat option, or they are using an older implementation of OpenSSL.
Those with outdated installs are exposing the website and its users to a number of other potential risks, so the advice from experts is to update to the current version - Heartbleed vulnerability or not.
"The important thing to do is take a breath, update your system, and revoke your current SSL Keys and issue new ones. Patching systems is the easy part here - several major vendors, RedHat and Ubuntu included, have already issued updates to their package management systems," Tripwire's Tyler Reguly said.
"If you are concerned that you may have been a target and your keys may have already leaked, revoking your current certificate and issuing a new one is a solid practice that will give you true confidence in all communication going forward. The real risk is the fact that the private keys, once leaked, are leaked forever. If you can get past that, you can get past the entire problem."
In a note to customers, LastPass, the company behind the popular password management software, admitted they were vulnerable to the Heartbleed issue, but that the information stored on their servers wasn't.
"LastPass is unique in that your data is also encrypted with a key that LastPass servers don't have access to. Your sensitive data is never transmitted over SSL unencrypted - it's already encrypted when it is transmitted, with a key LastPass never receives. While this bug is still very serious, it could not expose LastPass customers' encrypted data due to our extra layers of protection."
However, LastPass still encouraged customers to generate new passwords for important websites, just to play it safe. But, the company added that they should wait to do so until after the potentially vulnerable website has changed their certificates.
"Because other websites may not be encrypting data the way LastPass does, we recommend that LastPass users generate new passwords for their most critical sites (such as email, banking, and social networks) if those sites utilize Apache, Nginx or show as vulnerable to the Heartbleed bug. However, users should wait until their sites have replaced their certificates, with a start date after today (April 8th, 2014)."
A good re-cap of the situation, including steps to take and mitigating factors, can be viewed here.