Heartbleed – OpenSSL Vulnerability

by David Lover | Arrow Systems Integration

You’d have to be living under a rock this week to not have heard about Heartbleed, a discovered vulnerability, technically known as CVE-2014-0160. This is a really big deal. So, I thought I would take some time to explain it, to talk a little about how it affects us as a reseller/integrator of web-based products, as well as each of us as individuals that might need to take action.

Developers rarely write software 100% from scratch. They often buy or license proprietary libraries from other developers, or use open-source software libraries written by the open-source community. Heartbleed is a bug that affects one such library. OpenSSL, is an open-source software library of encryption and cryptographic functions for things like SSL and TLS. OpenSSL uses keep-alive messages called “heartbeat extensions”, which are used to check to see that the connection between two servers or devices is still alive. It was announced earlier this week that OpenSSL has memory handling vulnerability could expose up to 64 Kilobytes of data with each of these heartbeat (hence the name heartbleed). This data could contain sensitive information, possibly including the server’s “private master key”, that could be used by a hacker to access encrypted files or even eavesdrop into a data conversation using the “Man in the Middle” attack. I covered that topic in my Tech Weekly back in November 2012. If you need a refresher, shoot me an email and I’ll forward you a copy.

This OpenSSL library has been very popular over the last few years. It’s in use in a lot of websites and web based applications. I did some initial checking on some of the servers and applications that we deal with. I started internally and asked our own developers if we are exposed. This is by no means a complete list, but they said that, generally, our internally developed IT apps mostly run Java on Tomcat servers and our Prism Products apps generally run on IIS. These aren’t using OpenSSL, so they are not affected. Beverly Johnston did however just send out an email this morning saying that the Juniper SSL VPN that we use, did have the vulnerability. It has been patched, but will require a new download to fix it. So, follow the instructions in that email to fix it. What about products that we sell? I tend to focus on the Avaya business, so I reached out to them to see what issues they might have. Things looked really good there. I’m only seeing one possible vulnerability, and it is with a product the Avaya Communicator for Android 2.0 that just went GA a few weeks ago. Everything looks good where Avaya is providing both the application and the OS that the app runs on (which is the bulk of their applications). But there are “software only” solutions that the customer installs onto their own servers (with customer-installed Operating Systems). The responsibility is on the customer to understand their server environment. Avaya’s official statement can be found here. https://downloads.avaya.com/css/P8/documents/100179670. Note that this seems to be an evolving document, as I’ve already noticed it has changed considerably since earlier this week. If you have specific questions about other manufacturers, you should check with them directly. For fun, go take a look at Cisco’s list of affected products (http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed).

What about for you personally? This actually seems to be where I’m seeing the most pain. There are a ton of “consumer” websites that have been affected. While many of them have already been patched, YOU still need to take action by going to the previously affected sites and changing your password. The time between when the vulnerability was publicly exposed and when the website administrators patched it, is when every hacker in the world started going after and collecting as many passwords as they could. You need to go change your passwords. Seriously. Not kidding. Here is a site that I’ve been watching to see how the 100 most popular sites are coming along in their patching. http://www.cnet.com/how-to/which-sites-have-patched-the-heartbleed-bug/. There are also some sites that will test other sites to see if they are vulnerable. I’ve had better luck with this one http://filippo.io/Heartbleed/. Others have recommended https://www.ssllabs.com/ssltest/. If you tend to create really crappy passwords (using your kid’s names, pet’s names, birthdays, anniversaries, etc), now would be a great time to rethink your password creation strategy. A quick Google search came up with this article that has some really great advice. http://en.support.wordpress.com/selecting-a-strong-password/. So, give it a read and if you haven’t done this yet, plan to spend this weekend changing all your passwords for your personal accounts.

Share this article

The thoughts and opinions in these blogs belong to the individual blogger and do not necessarily represent the views or opinions of Arrow Systems Integration.