Heartbleed Bug

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

A great resource for more on Heartbleed is the SANS DFIR page and specifically some posts from Jake Williams (@malwarejake) who has really been on the pulse of this. His slide deck from some recent SANS webcasts can be downloaded here – http://bit.ly/1hvuvZB. The full posting which has some other great notes, can be viewed here – http://digital-forensics.sans.org/blog/2014/04/10/heartbleed-links-simulcast-etc/

Also, if you would like to check to see if your web server may be vulnerable, there are a number of sites out there to validate your site including the Qualys SSL Test site at https://www.ssllabs.com/ssltest/ although personally, if my site ends up being vulnerable, I would rather not have someone adding it to a list somewhere. So I recommend if you have Nessus to do the plugin updates to obtain the Heartbleed plugin (works quite well), Mestasploit has a new scanner (https://community.rapid7.com/community/metasploit/blog/2014/04/09/metasploits-heartbleed-scanner-module-cve-2014-0160) and there are all kinds of scripts out there as well.

One last though, please be sure to check your hardware vendors as many of them have claimed to be vulnerable. SANS also has a good list on the page mentioned earlier. Also, ensure any of your third party vendors (i.e. payroll providers, health insurance providers, cloud providers, etc.) – anyone who may have a portal that may be vulnerable. Most should have put out a statement by now.

Leave a reply