Heartbleed Vulnerability Bug: What You Need to Know

Mike Weber, Vice President, Coalfire Labs

The widely publicized Heartbleed bug (http://heartbleed.com/) may be impacting as many as 500,000 systems across the Internet.  Heartbleed is the name of a vulnerability in the OpenSSL library that powers encrypted communication for many of the world's web sites and private networks.

The flaw could result in the exposure of any data resident in the memory that the OpenSSL process can read.  This could include usernames and passwords, server private keys, and sensitive data such as credit card numbers or PHI.  While this is clearly a concern to our clients and their customers, fortunately, the fix is usually a simple patch away.  The majority of vendors have a patch available for this already.

After patching, it’s imperative that you generate a new private key, get a new SSL certificate issued, and revoke your old certificate.  Without this, data transfers are still at risk of being intercepted and decrypted.  Worse, the private key can be used to impersonate your server in transactions with your clients – a man in the middle attack – or with your business partners.

Who is Affected? Any system running OpenSSL versions 1.0.1 through 1.0.1f.  In most instances, the immediate risk is to web-facing HTTPS websites.  But keep in mind that all components in your web infrastructure – such as those that terminate SSL connections, like load-balancing products or VPN gateways – could also be impacted by this vulnerability.  We recommend evaluating your Internet footprint to ensure you have comprehensively addressed all Internet-facing systems.

In addition, organizations could easily overlook components in their infrastructure that have the OpenSSL library built into other solutions.  For example, Cisco IP phones and VMware ESXi are vulnerable because they have packaged OpenSSL into their products.  While most organizations will prioritize Internet-facing systems for obvious reasons, vulnerable internal systems have the potential to expose user credentials – which can include administrator-level passwords.  It’s imperative that organizations review their inventory in detail to ensure all systems have been addressed.

Are there any Workarounds? If you can’t patch for some reason, you can recompile your vulnerable OpenSSL with the -DOPENSSL_NO_HEARTBEATS compile option, which removes the heartbeat extension entirely.  If you want to know what your compile options and flags were the first time around, you can see them with ‘openssl version -a’.  To recompile, just use the previous options and add the option mentioned above.

If you can’t recompile, then you can always implement a firewall rule.  Using the u32 iptables module, the following will drop all SSL heartbeat requests inbound on port 443.
iptables -t filter -A INPUT -p tcp --dport 443 -m u32 --u32 "52=0x18030000:0x1803FFFF" -j DROP
To protect other SSL-enabled services, simply change the port from 443 to whatever port the service listens on.  And if you’re curious, you can add an identical entry immediately before it with the -j LOG action to see how frequently you’re being attacked.
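As an added example that is not part of the original post, the Python below emulates the u32 match above against constructed IPv4/TCP packets and shows the caveat in its hardcoded offset: byte 52 is the TLS record header only when the IP header is 20 bytes and the TCP header is 32 bytes, so a header-aware check that reads IHL and the TCP data offset is needed to classify every segment. Packet contents and TLS records are constructed samples, not captures.

```python
import struct

TLS_HEARTBEAT = 0x18  # TLS record content type for heartbeat (RFC 6520)


def tls_record_offset(pkt: bytes) -> int:
    """Offset of the TCP payload in a raw IPv4 packet, read from the IP
    header length (IHL) and the TCP data offset rather than assumed fixed."""
    ihl = (pkt[0] & 0x0F) * 4
    data_off = (pkt[ihl + 12] >> 4) * 4
    return ihl + data_off


def u32_rule_matches(pkt: bytes) -> bool:
    """Emulate --u32 "52=0x18030000:0x1803FFFF": the big-endian 32-bit word
    at byte 52 must lie in that range, i.e. bytes 0x18 0x03 xx xx (heartbeat
    record, TLS major version 3, any minor version and length high byte).
    Offset 52 is the record header only for a 20-byte IP header plus a
    32-byte TCP header (20 fixed bytes + 12 bytes of options)."""
    if len(pkt) < 56:
        return False
    word = struct.unpack_from(">I", pkt, 52)[0]
    return 0x18030000 <= word <= 0x1803FFFF


def is_heartbeat_record(pkt: bytes) -> bool:
    """Header-aware form of the same check: the first TLS record in the
    segment has content type 0x18 and TLS major version 3."""
    off = tls_record_offset(pkt)
    if len(pkt) < off + 5:
        return False
    return pkt[off] == TLS_HEARTBEAT and pkt[off + 1] == 0x03


def build_packet(tcp_opts_len: int, payload: bytes) -> bytes:
    """Constructed IPv4/TCP packet to port 443 (not a real capture).
    Checksums are left zero; tcp_opts_len (a multiple of 4) bytes of NOP
    options pad the TCP header so the data offset field can be varied."""
    total = 40 + tcp_opts_len + len(payload)
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, total, 0, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    data_off = (20 + tcp_opts_len) // 4
    tcp = struct.pack(">HHIIBBHHH", 40000, 443, 0, 0, data_off << 4, 0x18,
                      0xFFFF, 0, 0) + b"\x01" * tcp_opts_len
    return ip + tcp + payload


# Constructed TLS 1.1 records: a 3-byte heartbeat (type 0x18) and 3 bytes of
# application data (type 0x17), each behind a 5-byte record header.
HEARTBEAT_REC = bytes([0x18, 0x03, 0x02, 0x00, 0x03, 0x01, 0x00, 0x00])
APPDATA_REC = bytes([0x17, 0x03, 0x02, 0x00, 0x03, 0x41, 0x42, 0x43])
```

With no TCP options the heartbeat segment passes the u32 rule untouched while the header-aware check still classifies it, which is the gap to keep in mind when relying on the firewall workaround.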
How do we know we’ve got everything? Coalfire customers who subscribe to our Navis vulnerability scanning service now have a check available to identify systems that have this bug. Please contact your scan desk support representative to confirm you are scanning all systems that could be vulnerable to Heartbleed.

Additionally, several sites have been set up to test servers for the bug over the Internet.  For these sites you need to provide your host name or IP address, and some ask for the port.  This requires you to know exactly where you have OpenSSL running and on what port.  Coalfire can’t vouch that they’re 100% accurate, of course, but we’ve seen some consistent results on:

How Coalfire can help!  Not sure you know where every instance of SSL is running in your environment, let alone OpenSSL?  Coalfire can provide a discovery scan of your IP address space to identify each and every service that is protected with OpenSSL and test each service for this vulnerability.  This will identify systems that are answering SSL requests on non-standard ports, which many embedded solutions, appliances, and management consoles tend to do.  Our scans can be performed over the Internet and/or on your internal network.

Complete a brief form to be contacted about pricing and the service or call us at 1-877-224-8077 for details.

