Revoke, reissue, invalidate: Stat! Security bods scramble to plug up Heartbleed

Paper is safe. Clay tablets too


The startling password-spaffing vulnerability in OpenSSL affects far more than web servers, with everything from routers to smartphones also at risk.

The so-called “Heartbleed” vulnerability (CVE-2014-0160) can be exploited to extract information from the servers running vulnerable version of OpenSSL, and this includes email servers and Android smartphones as well as routers.

Hackers could potentially gain access to private encryption key before using this information to decipher the encrypted traffic to and from vulnerable websites.

Web sites including Yahoo!, Flickr and OpenSSL were among the many left vulnerable to the megabug that exposed encryption keys, passwords and other sensitive information.

Preliminary tests suggested 47 of the 1000 largest sites are vulnerable to Heartbleed and that's only among the less than half that provide support for SSL or HTTPS at all. Many of the affected sites – including Yahoo! – have since patched the vulnerability. Even so, security experts – such as Graham Cluley – remain concerned.

Anatomy of a bug

OpenSSL is a widely used encryption library that is a key component of technology that enables secure (https) website connections.

The bug exists in the OpenSSL 1.0.1 source code and stems from coding flaws in a fairly new feature known as the TLS Heartbeat Extension. "TLS heartbeats are used as 'keep alive' packets so that the ends of an encrypted connection can agree to keep the session open even when they don't have any official data to exchange," explains security veteran Paul Ducklin in a post on Sophos' Naked Security blog.

The Heartbleed vulnerability in the OpenSSL cryptographic library might be exploited to reveal contents of secured communication exchanges. The same flaw might also be used to lift SSL keys.

This means that sites could still be vulnerable to attacks after installing the patches in cases where a private key has been stolen. Sites therefore need to revoke exposed keys, reissue new keys, and invalidate all session keys and session cookies.

Many routers and other forms of networking equipment use OpenSSL to secure mini web servers to run admin interface, leaving networking equipment vulnerable as a result.

Networking giant Cisco was quick to put out put out an advisory.

"Multiple Cisco products incorporate a version of the OpenSSL package affected by a vulnerability that could allow an unauthenticated, remote attacker to retrieve memory in chunks of 64 kilobytes from a connected client or server," the networking giant explains.

"Cisco is currently investigating its product line to determine which products may be affected by this vulnerability and the impact on the affected product. This advisory will be updated as additional information becomes available."

Smartphones and tablets running Android 4.1.1 are also thought to be vulnerable. One modest bit of good news is that OpenSSH is *not* affected by the OpenSSL bug.

Stem the bleeding

A patch is available in OpenSSL 1.0.1g. Another option for resolving the vulnerability is to recompile the OpenSSL version in use to omit the vulnerable “heartbeat” extension.

Cloud security firm Qualys' SSL Labs service detects the OpenSSL “HeartBleed” vulnerability. Administrators responsible for the security of websites can access the free tool here.

“The HeartBleed vulnerability is easy to exploit and there are already many proof-of-concept tools available that one can use in minutes,” said Ivan Ristic, director of engineering at Qualys and renowned SSL technology expert. “After a successful attack, the attacker can obtain a large chunk of server memory, which can contain server private keys, session keys, passwords and other sensitive data. IT administrators need to map their exposure and install the patched version wherever necessary.”

The vulnerable Heartbleed code – committed at 22:59 on New Years Eve in 2011 – has given the interwebs a long-delayed but truly vile hangover. Questions are already being asked about how it remained undetected for so long and whether the vulnerability has actually been abused in attacks.

"A new feature was launched on the Net's critical attack surface and it wasn't audited immediately," said Dan Kaminsky, a security researcher most famous for discovering a DNS cache poisoning bug back in 2008 – previously considered among the worst internet flaws ever unearthed.

Some are already trying to draw lessons from the mess.

"This issue is a timely reminder that all software can contain security vulnerabilities," wrote Brian Honan, the infosec consultant who founded and heads up the Republic of Ireland's Computer Security Incident Response Team, in an edition of the SANS Institute NewsBites newsletter. "Simply because the source code of Open Source software can be reviewed by anyone does not mean they will know how to look for security vulnerabilities or indeed detect them."

Next page: Triage

Broader topics


Other stories you might like

  • Meet Wizard Spider, the multimillion-dollar gang behind Conti, Ryuk malware
    Russia-linked crime-as-a-service crew is rich, professional – and investing in R&D

    Analysis Wizard Spider, the Russia-linked crew behind high-profile malware Conti, Ryuk and Trickbot, has grown over the past five years into a multimillion-dollar organization that has built a corporate-like operating model, a year-long study has found.

    In a technical report this week, the folks at Prodaft, which has been tracking the cybercrime gang since 2021, outlined its own findings on Wizard Spider, supplemented by info that leaked about the Conti operation in February after the crooks publicly sided with Russia during the illegal invasion of Ukraine.

    What Prodaft found was a gang sitting on assets worth hundreds of millions of dollars funneled from multiple sophisticated malware variants. Wizard Spider, we're told, runs as a business with a complex network of subgroups and teams that target specific types of software, and has associations with other well-known miscreants, including those behind REvil and Qbot (also known as Qakbot or Pinkslipbot).

    Continue reading
  • Supreme Court urged to halt 'unconstitutional' Texas content-no-moderation law
    Everyone's entitled to a viewpoint but what's your viewpoint on what exactly is and isn't a viewpoint?

    A coalition of advocacy groups on Tuesday asked the US Supreme Court to block Texas' social media law HB 20 after the US Fifth Circuit Court of Appeals last week lifted a preliminary injunction that had kept it from taking effect.

    The Lone Star State law, which forbids large social media platforms from moderating content that's "lawful-but-awful," as advocacy group the Center for Democracy and Technology puts it, was approved last September by Governor Greg Abbott (R). It was immediately challenged in court and the judge hearing the case imposed a preliminary injunction, preventing the legislation from being enforced, on the basis that the trade groups opposing it – NetChoice and CCIA – were likely to prevail.

    But that injunction was lifted on appeal. That case continues to be litigated, but thanks to the Fifth Circuit, HB 20 can be enforced even as its constitutionality remains in dispute, hence the coalition's application [PDF] this month to the Supreme Court.

    Continue reading
  • How these crooks backdoor online shops and siphon victims' credit card info
    FBI and co blow lid off latest PHP tampering scam

    The FBI and its friends have warned businesses of crooks scraping people's credit-card details from tampered payment pages on compromised websites.

    It's an age-old problem: someone breaks into your online store and alters the code so that as your customers enter their info, copies of their data is siphoned to fraudsters to exploit. The Feds this week have detailed one such effort that reared its head lately.

    As early as September 2020, we're told, miscreants compromised at least one American company's vulnerable website from three IP addresses: 80[.]249.207.19, 80[.]82.64.211 and 80[.]249.206.197. The intruders modified the web script TempOrders.php in an attempt to inject malicious code into the checkout.php page.

    Continue reading

Biting the hand that feeds IT © 1998–2022