Heartbleed Open SSL Bug FAQ & Advisory

Heartbleed Advisory & FAQ

Please find below a quick FAQ on the Heartbleed vulnerability and what you can to address it:

UPDATE June 5, 2014: 7 New bugs fixed in OpenSSL

Q. What is the Heartbleed vulnerability and what is its impact?

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This includes pretty much all Apache web servers as well as numerous security devices such as SSL VPNs, load balancers, etc. So even if your web servers are on IIS, you might still be vulnerable due to other infrastructure that includes OpenSSL implementations. At risk is the SSL certificate’s private key and other in-memory secrets/passwords of the affected server. For example, a user’s username and password when logging in to Yahoo! (which is indeed vulnerable right now and so is NASA).

Q. How do I know if I am impacted?

Almost all vulnerability scanners have updated their plugins to check for this issue. Scan all your public facing IP addresses that expose an HTTPS service (websites, SSL VPNs, remote logins, etc.) using the latest updated vulnerability scanner such as Nessus or Qualys. Alternatively, you may use the proof of concept here ssltest.py (http://pastebin.com/WmxzjkXJ)

Or check your site immediately using this: http://filippo.io/Heartbleed/

Q. What should I do to fix the affected systems?

All vendors are releasing patches. Contact your load balancer, VPN, network device, or server vendor for the fix.
If a third-party manages your servers, get them to confirm their actions immediately.
Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

Q. If I can’t patch immediately what should I do?

All Web Application Firewalls and Intrusion Prevention Systems have released signatures for this issue. Update your signatures immediately and ensure those are in Block mode. There is an impact to blocking the heartbeat requests of TLS, but that is a performance impact you may be willing to take given the risk exposure that exists until you apply the patch.

Q. How do I know if I have already been compromised?

The vulnerability leaves no trace of exploitation and if you have even a slight clue of having been compromised, do the following:

Patch your systems immediately
Change your SSL certificate
Issue a warning to all customers and ask them to change their passwords immediately
Change all system passwords on the affected server, as the vulnerability also compromises in-memory passwords

Q. How do I get more information?

Use the following links for more information:

The main site with this information http://heartbleed.com/
Wikipedia article on the same http://en.wikipedia.org/wiki/Heartbleed_bug
Vulnerability may have been exploited months before patch http://arstechnica.com/security/2014/04/heartbleed-vulnerability-may-have-been-exploited-months-before-patch/
CERT FI advisory on this https://www.cert.fi/en/reports/2014/vulnerability788210.html
An excellent FAQ http://www.troyhunt.com/2014/04/everything-you-need-to-know-about.html
Open SSL advisory on this https://www.openssl.org/news/secadv_20140407.txt
List of popular websites affected http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/

Q. Where do I find vendor-specific advisories/updates?

OpenSSL http://www.openssl.org/news/secadv_20140407.txt
RedHat https://access.redhat.com/security/cve/CVE-2014-0160
UBUNTU http://www.ubuntu.com/usn/usn-2165-1/
Cisco http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed
CheckPoint https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk100173
Novell http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10623
Fortiguard http://www.fortiguard.com/advisory/FG-IR-14-011/
ArubaNetwork http://www.arubanetworks.com/support/alerts/aid-040814.asc
Google http://googleonlinesecurity.blogspot.in/2014/04/google-services-updated-to-address.html
IBM https://www-304.ibm.com/connections/blogs/PSIRT/entry/openssl_heartbleed_cve_2014_0160?lang=en_gb
Debian http://www.debian.org/security/2014/dsa-2896
Slackware http://www.slackware.com/security/viewer.php?l=slackware-security&y=2014&m=slackware-security.533622
VMware http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2076225
Oracle http://www.oracle.com/technetwork/topics/security/opensslheartbleedcve-2014-0160-2188454.html
Google http://googleonlinesecurity.blogspot.in/2014/04/google-services-updated-to-address.html
Siemens http://www.siemens.com/innovation/en/technology-focus/siemens-cert/cert-security-advisories.htm
WordPress https://en.blog.wordpress.com/2014/04/15/security-update/
BlackBerry Click Here

If you are an NII customer, feel free to reach out to your designated NII team for more information

K K Mookhey

K. K. Mookhey (CISA, CISSP) is the Founder & CEO of Network Intelligence (www.niiconsulting.com) as well as the Founder of The Institute of Information Security (www.iisecurity.in). He is an internationally well-regarded expert in the field of cybersecurity and privacy. He has published numerous articles, co-authored two books, and presented at Blackhat USA, OWASP Asia, ISACA, Interop, Nullcon and others.