Case Studies

Comment on Heartbleed

by Mark Rowe

An IT security and compliance company has warned customers to patch a vulnerability in OpenSSL, the cryptographic library behind a large share of the web's TLS deployments, that could be used to expose web users' credentials and eavesdrop on their communications.

Dubbed “Heartbleed” (CVE-2014-0160), the vulnerability is a missing bounds check in the TLS heartbeat extension of OpenSSL 1.0.1 through 1.0.1f. A heartbeat request carries a 16-bit payload length that the peer is supposed to echo back; affected versions copy that many bytes from the record buffer without checking that the record actually contains them, so a request that declares a large payload but sends a short one receives up to 64 KB of whatever sits next in the server process's memory. That memory can hold user names, passwords, session cookies, emails, private business documents and the server's private key, and the request can be repeated indefinitely. OpenSSL is used by millions of websites worldwide to encrypt sensitive communications such as login details and to protect against man-in-the-middle attacks. With the leaked material an attacker can read the content of communications between users and web servers, impersonate the web service if the private key is recovered, or impersonate users with stolen session cookies and credentials. The bug also works in reverse: a malicious server can read memory from a vulnerable client.

RandomStorm says that its security engineers have lab-tested OpenSSL versions 1.0.1 through 1.0.1f and confirmed that they were able to read passwords from the memory of the web server under test. OpenSSL released a fix on 7 April 2014, and RandomStorm is urging all of its customers to heed the warnings and update to OpenSSL 1.0.1g or newer. The 1.0.0 and 0.9.8 branches never contained the heartbeat code and are not affected. One caveat when checking a host: Linux distributions typically backport the fix without changing the library's version string, so `openssl version` reporting 1.0.1e does not by itself mean the host is vulnerable; check the distribution package's changelog or test the TLS endpoint directly.

Andrew Mason, Technical Director at RandomStorm said, “The Heartbleed vulnerability affects the OpenSSL Version 1.0.1 through 1.0.1f inclusive. Exploitation of these older versions of OpenSSL allows an attacker to read the running memory of the vulnerable host. RandomStorm tests for this vulnerability on all external infrastructure and Web application assessments. We have confirmed that information such as usernames, passwords, cookies and even private SSL keys can be remotely obtained by exploiting this vulnerability in older versions of OpenSSL. We are advising all of our customers to immediately update any servers running OpenSSL to version 1.0.1g or newer. If it is not possible to apply the patch, then OpenSSL should be recompiled with the -DOPENSSL_NO_HEARTBEATS option.”
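The check that the patch Mason recommends restores, as an added illustration that is not from the article and not OpenSSL's own source: the block below models heartbeat handling against a constructed “process memory” arena in which a secret string sits directly behind the received record. `heartbeat_vulnerable` mirrors the 1.0.1 to 1.0.1f logic of trusting the declared payload length; `heartbeat_fixed` adds the two length checks that 1.0.1g introduced. All names, the arena layout, the secret value and the sample requests are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16  /* RFC 6520: at least 16 bytes of padding */

typedef int (*hb_handler)(const unsigned char *, size_t, unsigned char *, size_t);
/* Constructed stand-in for the server's process memory: the received record
 * comes first and a secret sits right behind it, as a cookie or private key
 * would on a real heap. Sized so the over-read below stays inside the arena. */
static unsigned char process_memory[1024];
static const char SECRET[] = "password=hunter2; Cookie=sessionid=ab12";

/* Write a heartbeat request into process_memory; return the bytes really
 * received. claimed_len is the attacker-controlled payload_length field. */
size_t build_record(uint16_t claimed_len, const char *payload)
{
    unsigned char *p = process_memory;
    size_t actual = strlen(payload);
    memset(process_memory, 0, sizeof process_memory);
    *p++ = HB_REQUEST;
    *p++ = (unsigned char)(claimed_len >> 8); *p++ = (unsigned char)(claimed_len & 0xff);
    memcpy(p, payload, actual);  p += actual;
    memset(p, 0xAA, HB_PADDING); p += HB_PADDING;
    memcpy(p, SECRET, sizeof SECRET);   /* adjacent memory, not in the record */
    return (size_t)(p - process_memory);
}

/* Build the response: type, echoed length, `payload` bytes copied from pl. */
int write_response(unsigned char *out, size_t out_cap,
                   const unsigned char *pl, unsigned int payload)
{
    if (3 + payload + HB_PADDING > out_cap)
        return -1;                       /* demo guard on the output buffer only */
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8); out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, pl, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)(3 + payload + HB_PADDING);
}

/* Vulnerable: models OpenSSL 1.0.1 to 1.0.1f, which echoes payload_length
 * bytes without ever comparing that field to the record length. */
int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                         unsigned char *out, size_t out_cap)
{
    unsigned int payload = (unsigned int)((rec[1] << 8) | rec[2]);
    (void)rec_len;                       /* never consulted: that is the bug */
    if (rec[0] != HB_REQUEST)
        return -1;
    return write_response(out, out_cap, rec + 3, payload);  /* reads past the record */
}

/* Patched: the two checks 1.0.1g added; oversized declared lengths are
 * silently discarded as RFC 6520 section 4 requires. */
int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                    unsigned char *out, size_t out_cap)
{
    unsigned int payload;
    if (1 + 2 + HB_PADDING > rec_len)
        return -1;                       /* too short to be a heartbeat */
    payload = (unsigned int)((rec[1] << 8) | rec[2]);
    if (1 + 2 + payload + HB_PADDING > rec_len)
        return -1;                       /* declared length exceeds the record */
    if (rec[0] != HB_REQUEST)
        return -1;
    return write_response(out, out_cap, rec + 3, payload);
}

/* Portable byte-string search (memmem is a GNU extension). */
int contains(const unsigned char *buf, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0)
            return 1;
    return 0;
}

/* Malicious request: declares 200 payload bytes, sends 2. Returns 1 if the
 * response carries the secret, 0 if not, -1 if the handler discarded it. */
int leaks_secret(hb_handler h)
{
    unsigned char resp[512];
    int n = h(process_memory, build_record(200, "hi"), resp, sizeof resp);
    return n < 0 ? -1 : contains(resp, (size_t)n, "hunter2");
}

/* Honest request: declared length 2 matches "hi"; returns the response length. */
int honest_response_len(hb_handler h)
{
    unsigned char resp[512];
    return h(process_memory, build_record(2, "hi"), resp, sizeof resp);
}

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n", leaks_secret(heartbeat_vulnerable));
    printf("patched handler, same request: %d (-1 = discarded)\n", leaks_secret(heartbeat_fixed));
    printf("honest request, patched handler: %d bytes\n", honest_response_len(heartbeat_fixed));
}
```

Build with `cc -std=c99 heartbleed_demo.c -o heartbleed_demo && ./heartbleed_demo`. The honest request is answered identically by both handlers, which is why the bug survived unnoticed in normal traffic; only the malformed request separates them. In a real server the response would be sent to the client, the arena would be the live heap, and the attacker would repeat the request and search each 64 KB response for patterns such as `password=` or the Base64 of a private key. Building with `-DOPENSSL_NO_HEARTBEATS`, the fallback Mason mentions, compiles the heartbeat handler out of the library altogether, so neither path above exists.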

Philip Lieberman, President of Lieberman Software Corporation, commented: “This is really serious and a big blow to the credibility of open source. This is very bad, and the consequences are very scary now that it has been disclosed. The fact that this code is on home and commercial Internet-connected devices on a global scale means that the internet is a different place today. Network-connected devices often run a basic Web server to let an administrator access online control panels. In many cases, these servers are secured using OpenSSL and their software will need updating. However, this is unlikely to be a priority. The manufacturers of these devices will not release patches for the vast majority of their devices, and consumers will patch an insignificant number of devices.

“Cable boxes and home Internet routers are just two of the major classes of devices likely to be affected. ISPs now have millions of these devices with this bug in them.”

Detailed information about this vulnerability is available from http://heartbleed.com/ and from the US NIST National Vulnerability Database entry for CVE-2014-0160: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160

See also https://blog.kaspersky.com/heartbleed-howto/

Likewise, Roland Dobbins, senior analyst at the Arbor Networks Security Engineering & Response Team (ASERT), described it as an extremely serious situation that highlights the manual nature of the work required to secure critical internet services such as basic encryption and privacy protection.

“There are no automated safeguards which can ameliorate these issues. And what most people don’t realize is that if attackers captured packets in the past from vulnerable systems and retained those captured packets, they’ve the opportunity now to use analysis tools to replay those packets and decrypt the Internet traffic contained in those packets. In terms of remediation, there’s a huge amount of work which must be done, not only for servers, but for load-balancers, reverse proxies, VPN concentrators, various types of embedded devices, etc. Applications which were statically compiled against vulnerable versions of the underlying OpenSSL libraries must be re-compiled; private keys must be invalidated, re-generated, and re-issued; certificates must be invalidated, re-generated, and re-issued – and there are a whole host of problems and operational challenges associated with these vital procedures.

“A key lesson here is that OpenSSL, which is a vital component of the confidentiality and integrity of uncounted systems and applications and sites across the Internet, is an underfunded, volunteer-run project which is desperately in need of major sponsorship and attendant allocation of resources. And serious questions have been raised regarding the notification process surrounding this vulnerability. The operational community at large have voiced serious disapproval surrounding the early notification of a single content delivery network (CDN) provider, while operating system vendors and distribution providers, not to mention the governmental and financial sectors, were left in the dark and discovered this issue only after it was publicly disclosed via a marketing-related weblog post by the CDN vendor in question. It has been suggested that the responsible disclosure best practices developed and adopted by the industry over the last decade were in fact bypassed in this case, and concerns have been voiced regarding the propriety and integrity of the disclosure process in this instance.”

And Tony Caine, VP and General Manager, APJ & EMEA, HP Enterprise Security Products, said: “The ‘heartbleed bug’ seems to exploit a tiny error, overlooked in the original coding. This shows just how important it is for due process and care to be taken in the development stages of new software. It also once again demonstrates that traditional perimeter security is dead and that security breaches are inevitable – organisations need to realise this and allocate resource to finding and containing threats once they have gained access to the system. In 2013 on average threats went undiscovered for 243 days – a huge amount of time. In research we commissioned we found that on average companies which invested in detecting and containing attacks saved about $4 million per year in potential costs as a result of cyber crime. Additionally it’s essential to stress the importance of organisations regularly patching software in order to mitigate threats and encourage users to do so as soon as possible.”

About RandomStorm

The firm provides vulnerability scanning and intrusion detection products and penetration testing services to help companies improve and continually maintain their security posture. The company is a CESG CHECK security consultancy and is certified as a Qualified Security Assessor (QSA) and Approved Scanning Vendor (ASV) by the Payment Card Industry Security Standards Council.

© 2024 Professional Security Magazine. All rights reserved.