Reflecting on Heartbleed
May 9th, 2014
Operational Security
Posted on May 9th, by Rob Dartnell
So what was all the fuss about with Heartbleed?
Well, to put it simply, with the right type of request, certain versions of the widely used OpenSSL library leaked sensitive data stored in memory. The vulnerable versions were OpenSSL 1.0.1 up to and including 1.0.1f, and 1.0.2-beta1.
On the 8th April 2014, a security advisory was released stating that a missing bounds check within OpenSSL could be used to reveal up to 64bits of data stored in memory. The vulnerability was coined Heartbleed, as it was the heartbeat function that did not correctly validate the payload length of the request, causing the data leakage from adjacent memory blocks.
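To make the missing bounds check concrete, the snippet below is an added illustration written for this post, not OpenSSL's source: it compares the unchecked length handling of the affected releases with the check the patched releases apply, run over a constructed heartbeat record whose declared payload length exceeds what was actually sent. The message layout follows RFC 6520; the function names and sample bytes are my own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Heartbeat message as carried in a TLS record (layout per RFC 6520):
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes) */
#define HB_HEADER_LEN  3
#define HB_PADDING_LEN 16

/* Unchecked handling, as in the affected OpenSSL releases: the 16-bit length
 * field is trusted, so this is how many payload bytes would be echoed back,
 * regardless of how many bytes the record actually carried. */
int hb_payload_len_unchecked(const uint8_t *rec, size_t rec_len) {
    (void)rec_len;  /* the real record length is never consulted: this is the bug */
    return (rec[1] << 8) | rec[2];
}

/* Checked handling, as in the patched releases: header + declared payload +
 * minimum padding must fit inside the record, or the message is discarded. */
int hb_payload_len_checked(const uint8_t *rec, size_t rec_len) {
    if (rec_len < HB_HEADER_LEN)
        return -1;
    unsigned payload = (rec[1] << 8) | rec[2];
    if (HB_HEADER_LEN + payload + HB_PADDING_LEN > rec_len)
        return -1;  /* declared length exceeds the record: drop it */
    return (int)payload;
}

/* Constructed sample records (not captured traffic). */
const uint8_t wellformed_record[] = {
    0x01, 0x00, 0x04,          /* heartbeat_request, payload_length = 4 */
    'p', 'i', 'n', 'g',        /* 4 payload bytes */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0   /* 16 bytes of padding */
};
const uint8_t malformed_record[] = {
    0x01, 0x40, 0x00,          /* heartbeat_request, payload_length = 16384 */
    'p', 'i', 'n', 'g',        /* but only 4 payload bytes are present */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};

int main(void) {
    size_t n = sizeof malformed_record;
    printf("unchecked: would echo %d bytes from a %zu-byte record\n",
           hb_payload_len_unchecked(malformed_record, n), n);
    printf("checked:   %d (negative means the request is discarded)\n",
           hb_payload_len_checked(malformed_record, n));
    return 0;
}
```

The gap between the two return values on the malformed record is exactly the memory beyond the request that the unchecked code would have read and sent back.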
It was at this point that countless web servers across the globe were identified immediately as vulnerable, and over the coming days IT/network admins were frantically doing all they could to plug the hole.
What does this mean to my business now?
Given the high profile of this vulnerability, it is likely that diligent IT admins have already patched the systems that were vulnerable. If unsure, there are numerous online tools available to check whether a server is still vulnerable. The patching process is quite simple in most cases, requiring a couple of commands to update the necessary packages and a restart of the web service.
However, the more time your servers were vulnerable following the release of the original advisory, the higher the risk that vital private information was leaked. Moreover, any sensitive data that was obtained would leave no trace in any of the server logs.
What Pure Hacking recommends.
The more frequented your site is, the more importance you should place on the following steps, as malicious users tend to target the more popular sites:
1. To start with, generate new SSL certificates and encryption keys, and revoke your old SSL certificates. This step protects your site from malicious users that may have obtained the server's private key. With the private key in hand, a malicious user may be able to decrypt secure communications, or create bogus certificates for the site and entice an unsuspecting user to their malicious site.
2. Consider resetting account credentials, if it is believed that some credential information may have been stored in memory, such as in cleartext logins via a web frontend.
3. Perform a full-scale investigation of all other network devices that may be at risk. Note that Heartbleed does not only apply to web servers, but also to many other types of systems, including VPNs, virtual machines, network devices and other systems that utilise OpenSSL.