Microsoft’s IIS webserver does not use OpenSSL and is not vulnerable, but sites running IIS may be vulnerable if they have other vulnerable systems in front of them providing reverse proxy or load balancing capability. The vulnerability is commonplace among Apache and nginx webservers on Linux and other Unix-like systems, as well as in appliances with web administration interfaces that are based on Unix derivatives that use OpenSSL, including routers and firewalls. Scans of the Internet indicate that over 600,000 servers are vulnerable.
If a vulnerable system is accessible from the Internet, an attacker can cause the system to produce 64K of random memory leakage with each attack, like a game of Russian roulette. What is revealed may include usernames and passwords sent encrypted by a prior user, and potentially even certificate secret keys. Since one can assume that a vulnerable system has given up its other secrets, remediation requires the following steps, in the following order, with the next step taken only upon completion of the prior step:
- Upgrade OpenSSL to a non-vulnerable version (or recompile with the heartbeat functionality disabled, i.e., -DOPENSSL_NO_HEARTBEATS).
- Replace the server certificate with a new one (with a new private key, not just a new signed certificate).
- If users authenticate with passwords through the service, have all users change their passwords.
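As an added example (not from EarthLink or the original post), the following Python check supports the first remediation step: it parses the `openssl version` banner, flags the upstream release range that shipped the bug (1.0.1 through 1.0.1f, plus 1.0.2-beta1), and recognizes builds compiled with -DOPENSSL_NO_HEARTBEATS from the `openssl version -a` output. Distribution vendors often backport the fix without changing the version string, so a hit here means "verify with the package changelog or an active test", not "confirmed vulnerable".

```python
import re
import subprocess

# Upstream releases containing the Heartbleed (CVE-2014-0160) heartbeat bug:
# 1.0.1 through 1.0.1f and 1.0.2-beta1. Fixed in 1.0.1g and 1.0.2-beta2.
BANNER_RE = re.compile(r"OpenSSL\s+(\d+\.\d+\.\d+[a-z]?(?:-beta\d+)?)")
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?")


def parse_version(banner):
    """Extract the version token from an 'openssl version' banner.
    'OpenSSL 1.0.1e-fips 11 Feb 2013' -> '1.0.1e'."""
    m = BANNER_RE.search(banner)
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    return m.group(1)


def upstream_version_vulnerable(version):
    """True if this upstream release number falls in the affected range."""
    m = VERSION_RE.fullmatch(version)
    if not m:
        raise ValueError("unrecognized version token: %r" % version)
    major, minor, fix, letter, beta = m.groups()
    if (major, minor, fix) == ("1", "0", "1"):
        return letter <= "f"          # '' (plain 1.0.1) through 'f' are affected
    if (major, minor, fix) == ("1", "0", "2"):
        return beta == "1"            # only 1.0.2-beta1 shipped the bug
    return False                      # 0.9.8, 1.0.0 never had the heartbeat code


def heartbeats_disabled(verbose_output):
    """Detect a build compiled with the heartbeat extension removed.
    'openssl version -a' prints the compiler flags on a 'compiler:' line."""
    return "-DOPENSSL_NO_HEARTBEATS" in verbose_output


def assess(banner, verbose_output=""):
    """Combine both checks into a verdict string."""
    version = parse_version(banner)
    if not upstream_version_vulnerable(version):
        return "not-vulnerable: upstream release %s predates or includes the fix" % version
    if heartbeats_disabled(verbose_output):
        return "not-vulnerable: %s built with -DOPENSSL_NO_HEARTBEATS" % version
    return ("possibly-vulnerable: %s is in the affected range; distro backports keep "
            "this string, so confirm via package changelog or an active test" % version)


if __name__ == "__main__":
    run = lambda *a: subprocess.run(a, capture_output=True, text=True).stdout
    print(assess(run("openssl", "version"), run("openssl", "version", "-a")))
```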
The common user habit of using the same password everywhere is, once again, something to be discouraged in favor of using a password safe like 1Password, KeePass, or LastPass. LastPass is providing assistance to its users by identifying for many websites which remediation stage they are in from the list above, so users know if it is now safe to change passwords (without potentially exposing the new password).
EarthLink has monitored this vulnerability since it first surfaced, and initiated a significant engineering effort to investigate, test and remediate any potentially affected products or services. Our most popular products, including Cloud Hosting and Exchange, are already patched or verified as unaffected. If you currently utilize any of our fully-managed services, rest assured that we are working to keep your data safe.
List of affected sites and whether you need to change your password:
- “Everything You Need to Know About Heartbleed”: http://www.troyhunt.com/2014/04/everything-you-need-to-know-about.html
- Trend Micro TrendLabs: “Skipping a Heartbeat: The Analysis of the Heartbleed OpenSSL Vulnerability”: http://blog.trendmicro.com/trendlabs-security-intelligence/skipping-a-heartbeat-the-analysis-of-the-heartbleed-openssl-vulnerability/
- Ars Technica: “Dear readers, please change your Ars account passwords ASAP”: http://arstechnica.com/security/2014/04/dear-readers-please-change-your-ars-account-passwords-asap/
- “Vulnerability Summary for CVE-2014-0160”: https://web.nvd.nist.gov/view/vuln/detail?vulnid=CVE-2014-0160
Testing a website for the Heartbleed vulnerability:
- Qualys SSL Labs: https://www.ssllabs.com/ssltest/analyze.html
If you are an EarthLink customer and would like additional information, please contact support or your account representative.