Monthly Archive April 2014

Heartbleed – and the Surecloud Response

We have received the following from SureCloud, one of our business partners.

For those who may not have picked it up elsewhere (noting it has been created by SureCloud), it may be of interest to those using the SureCloud Portal.

…………………………

The Heartbleed OpenSSL Vulnerability (CVE-2014-0160) was released on April 7th 2014. We are contacting all SureCloud customers due to the global and widespread nature of this issue.

What is Heartbleed?

Heartbleed is a vulnerability (bug) within the Heartbeat extension for the popular OpenSSL package, which is compiled in by default within a number of Unix/Linux distributions. The vulnerability affects a component of this extension and, if successfully exploited, can reveal data in memory on the target host. This could include sensitive private keys and/or sensitive information such as user passwords or other data in a decrypted state.

Is it exploitable?

SureCloud have been monitoring industry attention to this issue. We are seeing proof-of-concept (POC) exploits circulating and this vulnerability being actively targeted by attackers.

Versions of OpenSSL affected / not affected

  • OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
  • OpenSSL 1.0.2-beta1 is vulnerable
  • OpenSSL 1.0.1g is NOT vulnerable
  • OpenSSL 1.0.0 branch is NOT vulnerable
  • OpenSSL 0.9.8 branch is NOT vulnerable

Are SureCloud vulnerable?

SureCloud have an active detection already in place within our on-demand and PCI ASV scanners, so existing customers can avail themselves of this detection capability right away. This will be flagged as vulnerability ID 73404 – OpenSSL 1.0.1 < 1.0.1g Multiple Vulnerabilities. We encourage all customers to run scans against any systems running OpenSSL as soon as possible, particularly those exposed to the public internet.

Ensure that any service that uses OpenSSL is patched/checked; this should include email services, web services, database services, VPN services and those supplied by third parties (such as mail filtering or VPN appliances). Individual vendors may have released their own advisories.

For any customer without SureCloud’s on-demand Internal/External or PCI ASV scanning capability, or for those who would like immediate verification of whether their external-facing systems are vulnerable, please submit a support ticket listing the external IP addresses and ports on which OpenSSL is running that you would like verified. SureCloud have manual verification tools set up, configured and ready to test this vulnerability on an individual basis (rather than running a full vulnerability scan).

All client-facing systems, internal/external services and third-party services which SureCloud utilise within their infrastructure have been verified and found not to be vulnerable due to the system hardening that we employ. Even so, as per best practice, all SureCloud systems and services have been patched to OpenSSL 1.0.1g where applicable as a precautionary step.

How can we protect our systems?

SureCloud would strongly recommend that any customers running OpenSSL patch their systems to version 1.0.1g (released on April 7th) as soon as possible. If running 1.0.2-beta1, a patch isn’t currently available; 1.0.2-beta2 will resolve this vulnerability.

Where a system cannot be patched, OpenSSL should be recompiled with the Heartbeat handshake disabled (-DOPENSSL_NO_HEARTBEATS).

Due to the nature of this attack, detection of prior exploitation is extremely difficult to verify. Therefore, it would be strongly recommended that where OpenSSL is in use, SSL certificates are revoked, re-issued/re-generated and replaced. Ensure also that any system passwords are changed.

Further Reading

Further information regarding this vulnerability can be found here:

http://heartbleed.com – Site dedicated to explaining this vulnerability in further detail

https://www.openssl.org/ – OpenSSL official site

http://www.darkreading.com/informationweek-home/emergency-ssl-tls-patching-under-way/d/d-id/1204282 – Dark Reading

http://www.ubuntu.com/usn/usn-2165-1/  – Ubuntu Site

http://arstechnica.com/security/2014/04/critical-crypto-bug-in-openssl-opens-two-thirds-of-the-web-to-eavesdropping/ – ARSTechnica

Should you have any questions or concerns regarding this or any other matter then please get in touch.

Managing Director of SRM, Tom F is a regular contributor to the SRM blog.

SRM Blog