Friday, September 5, 2014

“Heartbleed” Vulnerability

  • “Heartbleed” is a vulnerability in the OpenSSL(1) protocol that could allow an attacker to expose sensitive data, possibly extracting user authentication credentials and secret keys, through flawed memory handling in the TLS(2)  extension.
Description
OpenSSL contains a flaw in its implementation of a security software protocol. This allows an attacker to retrieve private memory of an application so that it can repeatedly leverage this vulnerability to retrieve as much memory as is necessary to retrieve the intended secrets. The sensitive information that may be retrieved includes primary and secondary material such as secret keys, user names and passwords, and protected content, such as sensitive data as well as collateral data. Exploit code is publicly available for this vulnerability from numerous sources.

Heartbleed is registered in the Common Vulnerabilities and Exposures system as CVE-2014-0160. A serious overrun vulnerability in the OpenSSL cryptographic library affects around 17% of SSL web servers which use certificates issued by trusted certificate authorities. This could allow attackers to retrieve private keys and ultimately decrypt the server's encrypted traffic or even impersonate the server.

A most recent SSL Survey found that the heartbeat extension was enabled on 17.5% of SSL sites, accounting for around half a million certificates issued by trusted certificate authorities. These certificates are consequently vulnerable to being spoofed through private key disclosure, allowing an attacker to impersonate the affected websites without raising any browser warnings.

 “Heartbleed” offers an interesting history about its origin. As an open source program it was developed and maintained by part-time unpaid volunteers. It was developed by a student in 2011 and then released in March 2012. The flaw in this open source software was then reported in April 2014, but hundred thousands of web servers still remained vulnerable to compromise after “Heartbleed” was fixed immediately after public discovery.

Executive Guidance
As a first step security certificates should be reissued to make sure that OpenSSL is blocked. Some web sites will have to be patched or disabled until such time when “Heartbleed” is purged or eliminated. Several commercial firms are also offering vulnerability testing services to assure users that the “Heartbleed” software does not remain lodged somewhere in the system.

Several critical components of the Internet have become accepted for widespread utilization based on reliance of the work by volunteer developers working for no pay. Executives should not find such “open source” software acceptable unless there is evidence that thorough screening and reviews by multiple sources has taken place. Software that becomes a part of a firm’s infrastructure can be the cause of much more severe comprehensive damages than code that is embedded into individual applications. Senior executives should therefore insist that the software components used to build and maintain the infrastructure of an enterprise must be controlled with added precautions and resistance to flaws.

(1) OpenSSL (Secure Sockets Layer) is a security technology for establishing an encrypted link between a web ser ver and a browser. This link ensures that all data passed between web servers and browsers remain private. OpenSSL is available as publicly available software and is used by millions of websites in the protection of their online transactions with their customers. See http://info.ssl.com/article.aspx?id=10241.
(2) Transport Layer Security (TLS) is one of the cryptographic protocols designed to provide communication security over the Internet.[See http://en.wikipedia.org/wiki/Transport_Layer_Security.


No comments:

Post a Comment

For comments please e-mail paul@strassmann.com