Heartbleed Advisory & FAQ
Please find below a quick FAQ on the Heartbleed vulnerability and what you can do to address it:
UPDATE June 5, 2014: 7 new bugs fixed in OpenSSL
Q. What is the Heartbleed vulnerability and what is its impact?
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This includes pretty much all Apache web servers as well as numerous security devices such as SSL VPNs, load balancers, etc. So even if your web servers are on IIS, you might still be vulnerable due to other infrastructure that includes OpenSSL implementations. At risk is the SSL certificate’s private key and other in-memory secrets/passwords of the affected server. For example, a user’s username and password when logging in to Yahoo! (which is indeed vulnerable right now and so is NASA).
Q. How do I know if I am impacted?
Almost all vulnerability scanners have updated their plugins to check for this issue. Scan all your public-facing IP addresses that expose an HTTPS service (websites, SSL VPNs, remote logins, etc.) using an up-to-date vulnerability scanner such as Nessus or Qualys. Alternatively, you may use the proof-of-concept script ssltest.py (http://pastebin.com/WmxzjkXJ).
Or check your site immediately using this: http://filippo.io/Heartbleed/
Q. What should I do to fix the affected systems?
- All vendors are releasing patches. Contact your load balancer, VPN, network device, or server vendor for the fix.
- If a third-party manages your servers, get them to confirm their actions immediately.
- Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.
Q. If I can’t patch immediately what should I do?
All Web Application Firewalls and Intrusion Prevention Systems have released signatures for this issue. Update your signatures immediately and ensure they are in blocking mode. Blocking TLS heartbeat requests has a performance impact, but it is one you may be willing to accept given the exposure that exists until you apply the patch.
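As an added illustration of what such a signature checks (example code written for this FAQ, not taken from any vendor's WAF or IPS): a small Python checker that parses TLS records from a captured byte stream and flags heartbeat records whose claimed payload_length is larger than the record actually carries, which is the shape OpenSSL 1.0.1g now rejects. The sample stream is constructed; the 4096-byte response threshold is an assumed tuning value.

```python
import struct
from typing import Dict, Iterator, List, Tuple

TLS_HEARTBEAT = 24            # TLS ContentType for heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
HB_MIN_PADDING = 16           # RFC 6520 requires at least 16 bytes of padding

def iter_records(stream: bytes) -> Iterator[Tuple[int, int, bytes]]:
    """Yield (content_type, version, body) for each TLS record in a byte stream."""
    off = 0
    while off + 5 <= len(stream):
        ctype, ver, length = struct.unpack("!BHH", stream[off:off + 5])
        body = stream[off + 5:off + 5 + length]
        if len(body) < length:    # truncated capture: stop rather than misparse
            break
        yield ctype, ver, body
        off += 5 + length

def check_heartbeats(stream: bytes, max_response: int = 4096) -> List[Dict]:
    """Flag heartbeat records whose claimed payload_length cannot fit in the record.
    The bounds test mirrors the one OpenSSL 1.0.1g added: 1 + 2 + payload + 16 > record length."""
    findings = []
    for i, (ctype, _ver, body) in enumerate(iter_records(stream)):
        if ctype != TLS_HEARTBEAT or not body:
            continue
        hb_type = body[0]
        claimed = struct.unpack("!H", body[1:3])[0] if len(body) >= 3 else -1
        if claimed < 0 or 1 + 2 + claimed + HB_MIN_PADDING > len(body):
            reason = "payload_length exceeds record (Heartbleed pattern)"
        elif hb_type == HB_RESPONSE and claimed > max_response:
            reason = "oversized heartbeat response"   # assumed threshold, tune per site
        else:
            continue
        findings.append({"record": i, "hb_type": hb_type, "claimed": claimed,
                         "actual": len(body), "reason": reason})
    return findings

def hb_record(hb_type: int, claimed_len: int, payload: bytes) -> bytes:
    """Build a TLS heartbeat record (constructed test data, 16 bytes of zero padding)."""
    body = struct.pack("!BH", hb_type, claimed_len) + payload + b"\x00" * HB_MIN_PADDING
    return struct.pack("!BHH", TLS_HEARTBEAT, 0x0302, len(body)) + body

# Constructed sample stream: an application-data record, a well-formed heartbeat, and a
# 3-byte heartbeat that claims 65535 bytes of payload but carries none (the malformed shape).
SAMPLE_STREAM = (
    struct.pack("!BHH", 23, 0x0302, 4) + b"\xde\xad\xbe\xef"
    + hb_record(HB_REQUEST, 5, b"hello")
    + struct.pack("!BHH", TLS_HEARTBEAT, 0x0302, 3) + struct.pack("!BH", HB_REQUEST, 0xFFFF)
)
```

Run `check_heartbeats(SAMPLE_STREAM)` and only the third record is reported; the same check applied to response records also surfaces a server that is answering with far more data than a legitimate heartbeat would carry.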
Q. How do I know if I have already been compromised?
The vulnerability leaves no trace of exploitation, so if you have even a slight suspicion of having been compromised, do the following:
- Patch your systems immediately
- Change your SSL certificate, generating a new private key, since the old key may have been read from memory
- Issue a warning to all customers and ask them to change their passwords immediately
- Change all system passwords on the affected server, as the vulnerability also compromises in-memory passwords
Q. How do I get more information?
Use the following links for more information:
- The main site with this information http://heartbleed.com/
- Wikipedia article on the bug http://en.wikipedia.org/wiki/Heartbleed_bug
- Vulnerability may have been exploited months before patch http://arstechnica.com/security/2014/04/heartbleed-vulnerability-may-have-been-exploited-months-before-patch/
- CERT-FI advisory on this https://www.cert.fi/en/reports/2014/vulnerability788210.html
- An excellent FAQ http://www.troyhunt.com/2014/04/everything-you-need-to-know-about.html
- OpenSSL advisory on this https://www.openssl.org/news/secadv_20140407.txt
- List of popular websites affected http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/
Q. Where do I find vendor-specific advisories/updates?
- OpenSSL http://www.openssl.org/news/secadv_20140407.txt
- RedHat https://access.redhat.com/security/cve/CVE-2014-0160
- UBUNTU http://www.ubuntu.com/usn/usn-2165-1/
- Cisco http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed
- CheckPoint https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk100173
- Novell http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10623
- Fortiguard http://www.fortiguard.com/advisory/FG-IR-14-011/
- ArubaNetwork http://www.arubanetworks.com/support/alerts/aid-040814.asc
- Google http://googleonlinesecurity.blogspot.in/2014/04/google-services-updated-to-address.html
- IBM https://www-304.ibm.com/connections/blogs/PSIRT/entry/openssl_heartbleed_cve_2014_0160?lang=en_gb
- Debian http://www.debian.org/security/2014/dsa-2896
- Slackware http://www.slackware.com/security/viewer.php?l=slackware-security&y=2014&m=slackware-security.533622
- VMware http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2076225
- Oracle http://www.oracle.com/technetwork/topics/security/opensslheartbleedcve-2014-0160-2188454.html
- Siemens http://www.siemens.com/innovation/en/technology-focus/siemens-cert/cert-security-advisories.htm
- WordPress https://en.blog.wordpress.com/2014/04/15/security-update/
If you are an NII customer, feel free to reach out to your designated NII team for more information.