OpenSSL heartbeat vulnerability, “Heartbleed,” leads to random memory exposures

Microsoft’s IIS web server does not use OpenSSL and is not vulnerable, but sites running IIS may still be exposed if vulnerable systems in front of them provide reverse proxy or load balancing capability.  The vulnerability is commonplace among Apache and nginx web servers on Linux and other Unix-like systems, as well as in appliances (including routers and firewalls) whose web administration interfaces run on Unix derivatives that use OpenSSL.  Scans of the Internet indicate that over 600,000 servers are vulnerable.

If a vulnerable system is accessible from the Internet, an attacker can cause it to leak 64K of its process memory with each attack; which 64K comes back is essentially random, like a game of Russian roulette.  What is revealed may include usernames and passwords that an earlier user sent over the encrypted connection, and potentially even the server certificate’s private key.  Since one must assume that a vulnerable system has already given up its other secrets, remediation requires the following steps, in the following order, with each step taken only after the prior step is complete:

  1. Upgrade OpenSSL to a non-vulnerable version (or recompile with the heartbeat functionality disabled, i.e., -DOPENSSL_NO_HEARTBEATS).
  2. Replace the server certificate with a new one (with a new private key, not just a new signed certificate).
  3. If users authenticate with passwords through the service, have all users change their passwords.
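To make the bug behind step 1 concrete, here is an added illustration, written for this post rather than taken from OpenSSL, of the bounds check the fixed versions perform on a heartbeat request: the peer’s claimed payload length must be backed by bytes actually received, otherwise the request is dropped instead of echoing whatever happens to follow it in memory. The message layout is the one from RFC 6520; process_heartbeat and demo_request are names chosen here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* TLS heartbeat message (RFC 6520): 1-byte type, 2-byte payload length,
 * the payload, then at least 16 bytes of padding. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Build the response to the heartbeat request in rec (rec_len bytes really
 * received) into out. Returns the response length, or -1 if the request is
 * rejected. Same shape as the check added to OpenSSL's heartbeat handler,
 * written here from scratch as an illustration. */
long process_heartbeat(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_cap)
{
    /* Header plus minimum padding must fit in what was received. */
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST)
        return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    /* The check Heartbleed lacked: the peer's claimed payload length must be
     * covered by received bytes. Unpatched code trusted `payload` and copied
     * that many bytes out of the record buffer, reading up to 64K past the
     * real request into whatever the process had in memory. */
    if (1 + 2 + payload + HB_PADDING > rec_len)
        return -1;
    if (1 + 2 + payload + HB_PADDING > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + 3, rec + 3, payload);        /* echo only bytes actually sent */
    memset(out + 3 + payload, 0, HB_PADDING); /* random in TLS; zero here */
    return (long)(3 + payload + HB_PADDING);
}

/* Constructed sample request: 4-byte payload "ping" plus padding, with the
 * length field set by the caller so a truthful and an inflated claim can be
 * compared against the same 23 received bytes. */
long demo_request(uint8_t len_hi, uint8_t len_lo)
{
    uint8_t rec[3 + 4 + HB_PADDING] = { HB_REQUEST, len_hi, len_lo, 'p', 'i', 'n', 'g' };
    uint8_t out[256];
    return process_heartbeat(rec, sizeof rec, out, sizeof out);
}
```

A truthful length (0x0004) yields a 23-byte response; a claim of 0xffff, or anything larger than the bytes on the wire, is rejected with -1.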

The common user habit of using the same password everywhere is, once again, something to be discouraged in favor of using a password safe like 1Password, KeePass, or LastPass.  LastPass is providing assistance to its users by identifying for many websites which remediation stage they are in from the list above, so users know if it is now safe to change passwords (without potentially exposing the new password).

EarthLink has monitored this vulnerability since it first surfaced, and initiated a significant engineering effort to investigate, test and remediate any potentially affected products or services.  Our most popular products, including Cloud Hosting and Exchange, are already patched or verified as unaffected.  If you currently utilize any of our fully-managed services, rest assured that we are working to keep your data safe.

Additional Reading:

List of affected sites and whether you need to change your password:

http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/

“Everything You Need to Know About Heartbleed”: http://www.troyhunt.com/2014/04/everything-you-need-to-know-about.html

Trend Micro Trendlabs: “Skipping a Heartbeat: The Analysis of the Heartbleed OpenSSL Vulnerability”: http://blog.trendmicro.com/trendlabs-security-intelligence/skipping-a-heartbeat-the-analysis-of-the-heartbleed-openssl-vulnerability/

Ars Technica: “Dear readers, please change your Ars account passwords ASAP”: http://arstechnica.com/security/2014/04/dear-readers-please-change-your-ars-account-passwords-asap/

“Vulnerability Summary for CVE-2014-0160”: https://web.nvd.nist.gov/view/vuln/detail?vulnid=CVE-2014-0160

Testing a website for the Heartbleed Vulnerability:
Qualys SSL Labs: https://www.ssllabs.com/ssltest/analyze.html

If you are an EarthLink customer and would like additional information, please contact support or your account representative.

About EarthLink Blogger
For more than 20 years, EarthLink has revolved around how to efficiently connect our customers with technology. Today, we are committed to making our customers’ customers happy with the technology foundation that underpins an exceptional experience. We have numerous industry and technology experts on staff at EarthLink, and each not only has extensive knowledge and experience in their field of expertise, but also a passion for ensuring EarthLink remains true to that commitment. They also enjoy sharing insights into the latest technology innovations in the hopes of informing and helping to reduce the burden on IT professionals.