Revoke, reissue, invalidate: Stat! Security bods scramble to plug up Heartbleed

Paper is safe. Clay tablets too


The startling password-spaffing vulnerability in OpenSSL affects far more than web servers, with everything from routers to smartphones also at risk.

The so-called “Heartbleed” vulnerability (CVE-2014-0160) can be exploited to extract information from the servers running vulnerable version of OpenSSL, and this includes email servers and Android smartphones as well as routers.

Hackers could potentially gain access to private encryption key before using this information to decipher the encrypted traffic to and from vulnerable websites.

Web sites including Yahoo!, Flickr and OpenSSL were among the many left vulnerable to the megabug that exposed encryption keys, passwords and other sensitive information.

Preliminary tests suggested 47 of the 1000 largest sites are vulnerable to Heartbleed and that's only among the less than half that provide support for SSL or HTTPS at all. Many of the affected sites – including Yahoo! – have since patched the vulnerability. Even so, security experts – such as Graham Cluley – remain concerned.

Anatomy of a bug

OpenSSL is a widely used encryption library that is a key component of technology that enables secure (https) website connections.

The bug exists in the OpenSSL 1.0.1 source code and stems from coding flaws in a fairly new feature known as the TLS Heartbeat Extension. "TLS heartbeats are used as 'keep alive' packets so that the ends of an encrypted connection can agree to keep the session open even when they don't have any official data to exchange," explains security veteran Paul Ducklin in a post on Sophos' Naked Security blog.

The Heartbleed vulnerability in the OpenSSL cryptographic library might be exploited to reveal contents of secured communication exchanges. The same flaw might also be used to lift SSL keys.

This means that sites could still be vulnerable to attacks after installing the patches in cases where a private key has been stolen. Sites therefore need to revoke exposed keys, reissue new keys, and invalidate all session keys and session cookies.

Many routers and other forms of networking equipment use OpenSSL to secure mini web servers to run admin interface, leaving networking equipment vulnerable as a result.

Networking giant Cisco was quick to put out put out an advisory.

"Multiple Cisco products incorporate a version of the OpenSSL package affected by a vulnerability that could allow an unauthenticated, remote attacker to retrieve memory in chunks of 64 kilobytes from a connected client or server," the networking giant explains.

"Cisco is currently investigating its product line to determine which products may be affected by this vulnerability and the impact on the affected product. This advisory will be updated as additional information becomes available."

Smartphones and tablets running Android 4.1.1 are also thought to be vulnerable. One modest bit of good news is that OpenSSH is *not* affected by the OpenSSL bug.

Stem the bleeding

A patch is available in OpenSSL 1.0.1g. Another option for resolving the vulnerability is to recompile the OpenSSL version in use to omit the vulnerable “heartbeat” extension.

Cloud security firm Qualys' SSL Labs service detects the OpenSSL “HeartBleed” vulnerability. Administrators responsible for the security of websites can access the free tool here.

“The HeartBleed vulnerability is easy to exploit and there are already many proof-of-concept tools available that one can use in minutes,” said Ivan Ristic, director of engineering at Qualys and renowned SSL technology expert. “After a successful attack, the attacker can obtain a large chunk of server memory, which can contain server private keys, session keys, passwords and other sensitive data. IT administrators need to map their exposure and install the patched version wherever necessary.”

The vulnerable Heartbleed code – committed at 22:59 on New Years Eve in 2011 – has given the interwebs a long-delayed but truly vile hangover. Questions are already being asked about how it remained undetected for so long and whether the vulnerability has actually been abused in attacks.

"A new feature was launched on the Net's critical attack surface and it wasn't audited immediately," said Dan Kaminsky, a security researcher most famous for discovering a DNS cache poisoning bug back in 2008 – previously considered among the worst internet flaws ever unearthed.

Some are already trying to draw lessons from the mess.

"This issue is a timely reminder that all software can contain security vulnerabilities," wrote Brian Honan, the infosec consultant who founded and heads up the Republic of Ireland's Computer Security Incident Response Team, in an edition of the SANS Institute NewsBites newsletter. "Simply because the source code of Open Source software can be reviewed by anyone does not mean they will know how to look for security vulnerabilities or indeed detect them."

Next page: Triage

Similar topics


Other stories you might like

  • Why Cloud First should not have to mean Cloud Everywhere

    HPE urges 'consciously hybrid' strategy for UK public sector

    Sponsored In 2013, the UK government heralded Cloud First, a ground-breaking strategy to drive cloud adoption across the public sector. Eight years on, and much of UK public sector IT still runs on-premises - and all too often - on obsolete technologies.

    Today the government‘s message boils down to “cloud first, if you can” - perhaps in recognition that modernising complex legacy systems is hard. But in the private sector today, enterprises are typically mixing and matching cloud and on-premises infrastructure, according to the best business fit for their needs.

    The UK government should also adopt a “consciously hybrid” approach, according to HPE, The global technology company is calling for the entire IT industry to step up so that the public sector can modernise where needed and keep up with innovation: “We’re calling for a collective IT industry response to the problem,” says Russell MacDonald, HPE strategic advisor to the public sector.

    Continue reading
  • A Raspberry Pi HAT for the Lego Technic fan

    Sneaking in programming under the guise of plastic bricks

    There is good news for the intersection of Lego and Raspberry Pi fans today, as a new HAT (the delightfully named Hardware Attached on Top) will be unveiled for the diminutive computer to control Technic motors and sensors.

    Using a Pi to process sensor readings and manage motors has been a thing since the inception of the computer, and users (including ourselves) have long made use of the General Purpose Input / Output (GPIO) pins that have been a feature of the hardware for all manner of projects.

    However, not all users are entirely happy with breadboards and jumpers. Lego, familiar to many a builder thanks to lines such as its Mindstorms range, recently introduced the Education SPIKE Prime set, aimed at the classroom.

    Continue reading
  • Reg scribe spends week being watched by government Bluetooth wristband, emerges to more surveillance

    Home quarantine week was the price for an overseas trip, ongoing observation is the price of COVID-19

    Feature My family and I recently returned to Singapore after an overseas trip that, for the first time in over a year, did not require the ordeal of two weeks of quarantine in a hotel room.

    Instead, returning travelers are required to stay at home, wear a government-issued tracking device, and stay within range of a government-issued Bluetooth beacon at all times for a week … or else. No visitors are allowed and only a medical emergency is a ticket out. But that sounded easy compared to the hotel quarantine we endured in 2020.

    Continue reading

Biting the hand that feeds IT © 1998–2021