RandomStorm has warned customers to patch a web server software vulnerability that could be used to expose web user credentials and eavesdrop on communications.
Dubbed “Heartbleed,” the vulnerability compromises encryption between users and web servers using older versions of OpenSSL, allowing system memory to be read by outsiders and exposing user names, passwords, cookies, emails and private business documents. OpenSSL is used by millions of websites worldwide to encrypt sensitive communications such as login details and protect against man in the middle attacks. Online attackers could exploit the Heartbleed bug to view the content of communications between users and web servers, as well as impersonating the web service, or users.
RandomStorm security engineers have lab tested the vulnerability of OpenSSL versions 1.0.1 through to version 1.0.1f and have confirmed that they were able to see passwords from the webserver memory under test.
A patch was released by OpenSSL on 7th April and RandomStorm is urging all of its customers heed the warnings and to update to the latest version: OpenSSL 1.0.1g or newer.
Commenting, Andrew Mason, Technical Director at RandomStorm said, “The Heartbleed vulnerability affects the OpenSSL Version 1.0.1 through 1.0.1f inclusive. Exploitation of these older versions of OpenSSL allows an attacker to read the running memory of the vulnerable host. RandomStorm tests for this vulnerability on all external infrastructure and Web application assessments. We have confirmed that information such as usernames, passwords, cookies and even private SSL keys can be remotely obtained by exploiting this vulnerability in older versions of OpenSSL. We are advising all of our customers to immediately update any servers running OpenSSL to version 1.0.1g or newer. If it is not possible to apply the patch, then OpenSSL should be recompiled with the
-DOPENSSL_NO_HEARTBEATS option.”
Detailed information about this vulnerability is available from http://heartbleed.com/ and https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160
RandomStorm provides vulnerability scanning and intrusion detection products and penentration testing services to help companies to improve and continually maintain their security posture. The company is a CESG CHECK security consultancy and certified as a Qualified Security Assessor (QSA) and Approved Scanning Vendor (ASV) by the Payment Card Industry Security Standards Council.
About RandomStorm
RandomStorm is a UK-based network security, vulnerability management and compliance company, focused on providing enterprise-level, proactive security management tools and services. RandomStorm’s experienced and certified security experts are able to offer customers a wide range of integrated world-class security vulnerability assessment and professional security services. Covering initial consultancy and gap analysis through to network and application testing, as well as managing client’s business compliance accreditation process, RandomStorm aims to work with organisations to ensure that their security investment is fully optimised on a 24/7/365 basis.
RandomStorm’s core products are supported by a range of complementary monitoring, alerting and remediation tools and services developed under the RandomStorm Open Source Initiative
RandomStorm is a CESG CHECK security consultancy as well as a Qualified Security Assessor (QSA) and an Approved Scanning Vendor (ASV) for the Payment Card Industry Data Security Standard (PCI DSS). Please visit http://www.randomstorm.com for further information.
