Apr 10, 2014

Heartbleed Advisory & FAQ

Please find below a quick FAQ on the Heartbleed vulnerability and what you can do to address it:

UPDATE June 5, 2014: 7 New bugs fixed in OpenSSL

Q. What is the Heartbleed vulnerability and what is its impact?

The Heartbleed bug allows anyone on the Internet to read the memory of systems running vulnerable versions of the OpenSSL software. This includes pretty much all Apache web servers as well as numerous security devices such as SSL VPNs, load balancers, etc. So even if your web servers are on IIS, you might still be vulnerable due to other infrastructure that includes OpenSSL implementations. At risk are the SSL certificate’s private key and other in-memory secrets/passwords of the affected server, for example a user’s username and password when logging in to Yahoo! (which is indeed vulnerable right now, and so is NASA).

Q. How do I know if I am impacted?

Almost all vulnerability scanners have updated their plugins to check for this issue. Scan all your public-facing IP addresses that expose an HTTPS service (websites, SSL VPNs, remote logins, etc.) using an up-to-date vulnerability scanner such as Nessus or Qualys. Alternatively, you may use the proof of concept ssltest.py (http://pastebin.com/WmxzjkXJ).

Or check your site immediately using this: http://filippo.io/Heartbleed/

Q. What should I do to fix the affected systems?

  1. All vendors are releasing patches. Contact your load balancer, VPN, network device, or server vendor for the fix.
  2. If a third-party manages your servers, get them to confirm their actions immediately.
  3. Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

Q. If I can’t patch immediately what should I do?

All Web Application Firewalls and Intrusion Prevention Systems have released signatures for this issue. Update your signatures immediately and ensure they are in Block mode. Blocking TLS heartbeat requests has a performance impact, but that is an impact you may be willing to accept given the risk exposure that exists until you apply the patch.
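As an added illustration of what those signatures match on (example code written for this FAQ, not from the original post or any vendor product): a small Python parser that applies to each TLS record the same length check the fixed OpenSSL added, and reports heartbeat records whose declared payload could not fit inside the record that carries them. The record bytes are constructed samples, not captured traffic.

```python
import struct

TLS_HEARTBEAT = 24            # TLS ContentType for heartbeat (RFC 6520)
HB_MIN_PADDING = 16           # RFC 6520 requires at least 16 bytes of padding

def check_heartbeat_record(record: bytes) -> str:
    """Classify one TLS record; flag heartbeats whose declared payload
    length cannot fit in the record that carries them."""
    if len(record) < 5:
        return "truncated-header"
    content_type, _version, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if len(body) < rec_len:
        return "truncated-body"
    if content_type != TLS_HEARTBEAT:
        return "not-heartbeat"
    if rec_len < 3:
        return "heartbeat-too-short"
    _hb_type, payload_len = struct.unpack("!BH", body[:3])
    # The bounds check the fixed OpenSSL (1.0.1g) performs: heartbeat header,
    # payload and padding must all fit inside the record. Unpatched builds
    # skipped it and echoed payload_len bytes of process memory instead.
    if 1 + 2 + payload_len + HB_MIN_PADDING > rec_len:
        return "heartbleed-pattern"
    return "heartbeat-ok"

def scan_stream(data: bytes) -> list:
    """Walk a byte stream of back-to-back TLS records and classify each."""
    verdicts, pos = [], 0
    while pos + 5 <= len(data):
        rec_len = struct.unpack("!H", data[pos + 3:pos + 5])[0]
        verdicts.append(check_heartbeat_record(data[pos:pos + 5 + rec_len]))
        pos += 5 + rec_len
    return verdicts

# Constructed sample records (not captured traffic):
# a compliant heartbeat request: 4-byte payload "ping" plus 16 bytes of padding
GOOD_HB = bytes([0x18, 0x03, 0x02, 0x00, 0x17, 0x01, 0x00, 0x04]) + b"ping" + b"\x00" * 16
# a heartbeat whose header claims 256 payload bytes but carries none
BAD_HB = bytes([0x18, 0x03, 0x02, 0x00, 0x03, 0x01, 0x01, 0x00])
# an ordinary application-data record, which the check ignores
APP_DATA = bytes([0x17, 0x03, 0x02, 0x00, 0x02]) + b"hi"

if __name__ == "__main__":
    for verdict in scan_stream(GOOD_HB + BAD_HB + APP_DATA):
        print(verdict)
```

Running it prints one verdict per record: the compliant request passes, the second record is reported as the Heartbleed pattern, and the application-data record is skipped.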

Q. How do I know if I have already been compromised?

The vulnerability leaves no trace of exploitation, so if you have any reason to suspect that you have been compromised, do the following:

  1. Patch your systems immediately
  2. Change your SSL certificate
  3. Issue a warning to all customers and ask them to change their passwords immediately
  4. Change all system passwords on the affected server, as the vulnerability also compromises in-memory passwords

Q. How do I get more information?

Use the following links for more information:

  1. The main site with this information http://heartbleed.com/
  2. Wikipedia article on the same http://en.wikipedia.org/wiki/Heartbleed_bug
  3. Vulnerability may have been exploited months before patch http://arstechnica.com/security/2014/04/heartbleed-vulnerability-may-have-been-exploited-months-before-patch/
  4. CERT FI advisory on this https://www.cert.fi/en/reports/2014/vulnerability788210.html
  5. An excellent FAQ http://www.troyhunt.com/2014/04/everything-you-need-to-know-about.html
  6. Open SSL advisory on this https://www.openssl.org/news/secadv_20140407.txt
  7. List of popular websites affected http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/

Q. Where do I find vendor-specific advisories/updates?

If you are an NII customer, feel free to reach out to your designated NII team for more information.

K K Mookhey

K. K. Mookhey (PCI QSA, CISA, CISSP, CISM) is the Founder Director at Network Intelligence (www.niiconsulting.com) as well as the Founder of The Institute of Information Security (www.iisecurity.in). He is an internationally well-regarded expert in the field of IT governance, information risk management, forensic fraud investigations, compliance, and business continuity. He has more than a decade of experience in this field, having worked with prestigious clients in India such as the top 4 private banks, the top 4 public sector banks, the top 5 IT companies, and some of the largest industrial conglomerates. Internationally, he has done consulting and audit engagements for United Nations organizations, numerous banks and manufacturing firms in the Middle East, as well as various government entities. He has published numerous articles and two books, and has presented at numerous conferences such as Blackhat, OWASP Asia, ISACA, Interop, and Nullcon.
