Feeds

Revoke, reissue, invalidate: Stat! Security bods scramble to plug up Heartbleed

Paper is safe. Clay tablets too

Seven Steps to Software Security

The startling password-spaffing vulnerability in OpenSSL affects far more than web servers, with everything from routers to smartphones also at risk.

The so-called “Heartbleed” vulnerability (CVE-2014-0160) can be exploited to extract information from the servers running vulnerable version of OpenSSL, and this includes email servers and Android smartphones as well as routers.

Hackers could potentially gain access to private encryption key before using this information to decipher the encrypted traffic to and from vulnerable websites.

Web sites including Yahoo!, Flickr and OpenSSL were among the many left vulnerable to the megabug that exposed encryption keys, passwords and other sensitive information.

Preliminary tests suggested 47 of the 1000 largest sites are vulnerable to Heartbleed and that's only among the less than half that provide support for SSL or HTTPS at all. Many of the affected sites – including Yahoo! – have since patched the vulnerability. Even so, security experts – such as Graham Cluley – remain concerned.

Anatomy of a bug

OpenSSL is a widely used encryption library that is a key component of technology that enables secure (https) website connections.

The bug exists in the OpenSSL 1.0.1 source code and stems from coding flaws in a fairly new feature known as the TLS Heartbeat Extension. "TLS heartbeats are used as 'keep alive' packets so that the ends of an encrypted connection can agree to keep the session open even when they don't have any official data to exchange," explains security veteran Paul Ducklin in a post on Sophos' Naked Security blog.

The Heartbleed vulnerability in the OpenSSL cryptographic library might be exploited to reveal contents of secured communication exchanges. The same flaw might also be used to lift SSL keys.

This means that sites could still be vulnerable to attacks after installing the patches in cases where a private key has been stolen. Sites therefore need to revoke exposed keys, reissue new keys, and invalidate all session keys and session cookies.

Many routers and other forms of networking equipment use OpenSSL to secure mini web servers to run admin interface, leaving networking equipment vulnerable as a result.

Networking giant Cisco was quick to put out put out an advisory.

"Multiple Cisco products incorporate a version of the OpenSSL package affected by a vulnerability that could allow an unauthenticated, remote attacker to retrieve memory in chunks of 64 kilobytes from a connected client or server," the networking giant explains.

"Cisco is currently investigating its product line to determine which products may be affected by this vulnerability and the impact on the affected product. This advisory will be updated as additional information becomes available."

Smartphones and tablets running Android 4.1.1 are also thought to be vulnerable. One modest bit of good news is that OpenSSH is *not* affected by the OpenSSL bug.

Stem the bleeding

A patch is available in OpenSSL 1.0.1g. Another option for resolving the vulnerability is to recompile the OpenSSL version in use to omit the vulnerable “heartbeat” extension.

Cloud security firm Qualys' SSL Labs service detects the OpenSSL “HeartBleed” vulnerability. Administrators responsible for the security of websites can access the free tool here.

“The HeartBleed vulnerability is easy to exploit and there are already many proof-of-concept tools available that one can use in minutes,” said Ivan Ristic, director of engineering at Qualys and renowned SSL technology expert. “After a successful attack, the attacker can obtain a large chunk of server memory, which can contain server private keys, session keys, passwords and other sensitive data. IT administrators need to map their exposure and install the patched version wherever necessary.”

The vulnerable Heartbleed code – committed at 22:59 on New Years Eve in 2011 – has given the interwebs a long-delayed but truly vile hangover. Questions are already being asked about how it remained undetected for so long and whether the vulnerability has actually been abused in attacks.

"A new feature was launched on the Net's critical attack surface and it wasn't audited immediately," said Dan Kaminsky, a security researcher most famous for discovering a DNS cache poisoning bug back in 2008 – previously considered among the worst internet flaws ever unearthed.

Some are already trying to draw lessons from the mess.

"This issue is a timely reminder that all software can contain security vulnerabilities," wrote Brian Honan, the infosec consultant who founded and heads up the Republic of Ireland's Computer Security Incident Response Team, in an edition of the SANS Institute NewsBites newsletter. "Simply because the source code of Open Source software can be reviewed by anyone does not mean they will know how to look for security vulnerabilities or indeed detect them."

Mobile application security vulnerability report

Next page: Triage

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
BMW's ConnectedDrive falls over, bosses blame upgrade snafu
Traffic flows up 20% as motorway middle lanes miraculously unclog
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.