Heartbleed: Secure your OpenSSL based systems immediately

Announcements 9 Apr 2014

The internet is abuzz with OpenSSL's serious Heartbleed vulnerability, discovered 2 days ago. This vulnerability allows an attacker to steal information normally protected by SSL. This information may include usernames, passwords, emails, chats, voice and video communications, banking transactions and so on.

The vulnerability exists in the heartbeat extension of OpenSSL (RFC 6520) and allows an attacker to leak memory in chunks of up to 64k. This does not mean that the leaked data is limited to 64k, though, as the attacker can abuse the vulnerability repeatedly to leak additional data until they collect the information they are looking for.

While most news coverage so far gives the impression that the only services affected are web applications, the fact is that any software which uses a vulnerable OpenSSL version is a potential attack target. This includes routers, switches, computer-to-computer SSL communication, and even desktop/mobile applications which use vulnerable OpenSSL libraries.

The affected OpenSSL versions are:

  • 1.0.1
  • 1.0.1a
  • 1.0.1b
  • 1.0.1c
  • 1.0.1d
  • 1.0.1e
  • 1.0.1f

This is a major vulnerability in that no trace is left on compromised systems. It is also difficult to recover from, as recovery involves the following steps, and even then there is no way to secure the already leaked information.

  1. Upgrade to the patched version of OpenSSL, 1.0.1g. (Note that some vendors have patched existing versions instead of requiring an upgrade to a later version.)
  2. Regenerate keys and certificates (e.g. those used by Apache)
  3. Restart the services
  4. Change passwords, and ask all your users to do so.
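
One way to apply the affected-version list and the step 1 caveat about vendor patches to collected `openssl version` output. This is an added example, not part of the original announcement; the function names, status strings and the inventory lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original announcement.
# heartbleed_status and audit_inventory are names chosen for this example.

# Classify one line of `openssl version` output against the affected list above.
heartbleed_status() {
    case $1 in
        "OpenSSL "*) ;;
        *) echo "unknown"; return 0 ;;
    esac
    ver=${1#OpenSSL }   # drop the product name
    ver=${ver%% *}      # keep the version token, drop the build date
    ver=${ver%%-*}      # drop vendor suffixes such as "-fips"
    case $ver in
        1.0.1|1.0.1a|1.0.1b|1.0.1c|1.0.1d|1.0.1e|1.0.1f)
            # On the affected list. A vendor may have patched this build without
            # changing the version string, so confirm against the vendor advisory.
            echo "affected-unless-vendor-patched" ;;
        1.0.1g)
            echo "patched" ;;
        [0-9]*)
            # Not on the announcement's list; this is not a statement of safety.
            echo "not-listed" ;;
        *)
            echo "unknown" ;;
    esac
}

# Read "host|<openssl version output>" lines and print "host status" per line.
audit_inventory() {
    while IFS='|' read -r host out; do
        [ -n "$host" ] || continue
        printf '%s %s\n' "$host" "$(heartbleed_status "$out")"
    done
}

# Constructed inventory for illustration (hostnames are placeholders).
audit_inventory <<'EOF'
web01.example|OpenSSL 1.0.1e-fips 11 Feb 2013
web02.example|OpenSSL 1.0.1g 7 Apr 2014
vpn01.example|OpenSSL 0.9.8y 5 Feb 2013
lb01.example|OpenSSL 1.0.1 14 Mar 2012
EOF
```

This only sees the system `openssl` binary; applications and appliances that bundle their own OpenSSL copy have to be checked separately.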

We urge everyone to immediately follow the above steps to put the SSL trust back into your systems.

iKNOX has already helped to secure all systems of its clients. If you need external help, feel free to reach out to us.

 
