The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. Find below thoughts and advice from Kaspersky Lab, AlienVault, Alert Logic and Lieberman Software:
David Emm, Senior Security Researcher at Kaspersky Lab:
The impact of the ‘Heartbleed’ vulnerability is potentially very far-reaching. OpenSSL is widely-used to secure Internet-based communications, including web, e-mail, IM and VPN. If exploited, this vulnerability would allow an attacker to read the memory of vulnerable systems and intercept sensitive information – including, but not limited to, usernames and passwords.
The onus is on providers of online services, network appliances and products that make use of the OpenSSL library to ensure that they have applied the fix, thereby ensuring secure communications – but what can you do if you’re a consumer?
1. Check if the site of an online provider you use is vulnerable now, using this tool http://filippo.io/Heartbleed/.
2. Check to see if it was vulnerable before by looking through this list of sites https://github.com/musalbas/heartbleed-masstest/blob/94cd9b6426311f0d20539e696496ed3d7bdd2a94/top1000.txt. Or you could contact the provider to ask them.
3. If the site was vulnerable, but has now been fixed, change the password you use to access the site. This should be done after the site has been fixed – otherwise your new password can be compromised too. If you have been using the same password on other sites (which is never a good idea!), make sure you also change your password on those sites.
4. Make sure the site is using a new security certificate – one issued on 8 April or later. You can find an explanation of how to do this here http://blog.kaspersky.com/heartbleed-howto/.
Jaime Blasco, Director for AlienVault Labs:
“The ‘Heartbleed’ bug has epic repercussions since it affects one of the cryptographic suites that is used to run critical services on the Internet (OpenSSL 1.0.1). The bug permits an attacker to receive the contents of the server’s memory, leading to compromise of critical information such as the digital keys that can be later used to decrypt communications or impersonate the real server.
By obtaining the memory of the server you can also access data such as username/passwords and even portions of the source code of the application running. The attack can be also combined with a Man-in-the-Middle attack to obtain credentials from the client before the server perform authentication.
We have tested the vulnerability with different websites on the Internet, as an example Yahoo.com is vulnerable to the attack.
To be sure that attackers won’t be able to use compromised data, affected providers have to replace the private keys and certificates after patching the vulnerable OpenSSL service for each of the services that are using the OpenSSL library.”
Stephen Coty, Chief Security Evangelist for Alert Logic:
“This highlights the importance of patching as soon as a vulnerability is announce as long as a patch is available which in this case took OpenSSL a few years to get out.
A very serious bug was found in OpenSSL. A patch has been made available today to fix this bug. The versions effected are:
“OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable
Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug”
The bug allows one heartbeat check to leak 64 kilobytes of memory arbitrarily from any user online. Therefore, multiple heartbeats will eventually allow leaking the entire address space. This will reveal keys to any previous connections, unless FPS is used. This also leaks any private keys the server also holds.
Patch as soon as you possibly can if you are vulnerable, this issue is very serious.”
Philip Lieberman, President of Lieberman Software Corporation:
“This is really serious and a big blow to the credibility of open source. This is very bad, and the consequences are very scary now that it has been disclosed. The fact that this code is on home and commercial Internet-connected devices on a global scale means that the Internet is a different place today.
Network-connected devices often run a basic Web server to let an administrator access online control panels. In many cases, these servers are secured using OpenSSL and their software will need updating. However, this is unlikely to be a priority. The manufacturers of these devices will not release patches for the vast majority of their devices, and consumers will patch an insignificant number of devices.
Cable boxes and home Internet routers are just two of the major classes of devices likely to be affected. ISPs now have millions of these devices with this bug in them.”