10 April 2014

A serious flaw in OpenSSL was announced on 7th April 2014  (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160).  OpenSSL implements the Secure Sockets Layer and Transport Layer Security protocols and is widely used to implement security and privacy in web servers.  Applications that use this toolkit include:

  • Apache web server
  • Virtual private networks
  • Email servers
  • Anonymising tools (e.g.Tor)

There are a lot of alarms being generated these days and it is normally Redscan’s policy to deal with them leaving our customers to focus on their business.  However, this one is serious and two immediate actions are recommended:

  • Organisations who have connected to services (such as third-party web sites) should insure such services have not leaked sensitive information to an attacker;
  • Any web-facing services for which an organisation is responsible should be audited to determine if they are vulnerable.

An unfortunate aspect of this vulnerability is the stealthy nature of the attack which means there are few signs that an organisation has been compromised making investigation more difficult.

Some Details of the Vulnerability

The vulnerability exists in versions 1.0.1 to 1.0.1f inclusive.  This flaw allows an attacker to remotely force the disclosure of potentially sensitive information.  As a result, passwords, private keys and so on may be visible to an attacker.  One important point to highlight is that the vulnerability is a result of a flaw in the implementation, not a flaw in the protocol and a solution for it has been released. The vulnerability has been named Heartbleed because it exploits a flaw in the implementation of the heartbeat mechanism.

Redscan’s Platform is NOT Affected by OpenSSL issue Heartbleed

No software used by Redscan in the delivery of our managed services is vulnerable to this attack. However, if an organisation is providing any services that uses the vulnerable versions of OpenSSL, they should be upgraded immediately to OpenSSL 1.0.1g.  This solution was released on 7 April 2014. It is also advisable to consider re-issuing the keys and passwords used by these services.  Any session cookies in use should be invalidated. If further information is required, please contact our SOC (https://support.redscan.com)

back to all posts