There is a new critical vulnerability affecting a widely used version of OpenSSL called HeartBleed (CVE-2014-0160).

This new bug allows an attacker to read system memory remotely, without authentication. It has been reported that 60-70% of the Internet is affected. Immediate action should be taken to identify vulnerable systems within your environment and take necessary steps to mitigate risk associated with this critical vulnerability.

Impact

An attacker is able to exploit this vulnerability to read system memory, which can include confidential and/or sensitive data such as usernames and passwords, crypto keys, customer data, etc. Our engineers have successfully exploited this vulnerability within our testing environment, and exploit code is already publicly available.

Affected OpenSSL Versions

  • OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable.
  • OpenSSL 1.0.1g is NOT vulnerable.
  • OpenSSL 1.0.0 branch is NOT vulnerable.
  • OpenSSL 0.9.8 branch is NOT vulnerable.

Verification

We will be posting a tool this week that will allow large organizations to scan their systems without using untrusted third-party scripts. Unlike verification services available on the Internet today, which offer one-off hostname server verification testing (of a single system), our tool is designed to provide full verification coverage for the HeartBleed bug across your entire environment.

Update: We released the HeartBleed exploit code. Review our simple mobile banking exploit example or contact Praetorian to request your copy of the Heartbleed exploit code.

It is important to verify that updating OpenSSL has fully resolved the issue.  Sometimes, services may need to be restarted, which can easily be missed by OPs teams. Therefore, scanning the environment before and after systems have been patched is the preferred approach to ensure issues have been properly resolved.

Recommendations

It is critical that you upgrade OpenSSL to the latest version. Note that services based on SSL may need to be restarted for the fix to take effect.

Additionally, you should consider the following steps:

  • Revoke and replace existing key pairs.
  • Change all passwords.
  • Invalidate all session keys and cookies.
  • Evaluate the actual content handled by the vulnerable servers that could have been leaked, and react accordingly.
  • Evaluate any other information that could have been revealed, like memory addresses and security measures.
  • Consider enabling and implementing perfect forward secrecy.

References