DBSA:2014-0007

From Digibase Knowledge Base

Disclaimer: as technology changes, advisories may become out of date or may no longer be relevant; please refer to the "Date" section of the header to be sure the advisory is recent as it pertains to your situation.

Digibase Security Advisory - OpenSSL "Heartbleed" Vulnerability - End Users

Keywords: SSL, TLS, Vulnerability, Data Exposure, HTTPS, OpenSSL

DBSA ID: 2014-0007

Regarding: OpenSSL "Heartbleed" Vulnerability - End Users

Writeup: Kradorex Xeron (talk) 09:41, 11 April 2014 (EDT)

Date: 2014 04 11

Last Modified: 20140411100709 by Gung-ho Gun

Who should take note: Anyone and Everyone

Classification

Priority: HIGH

Rationale: Information could have been compromised by third parties; immediate attention is required.

Severity: HIGH

Rationale: Information disclosed may be utilized and leveraged to compromise user accounts across multiple sites.

Spread of Issue: MULTI-PLATFORM HIGH

Rationale: Affects all users of secure websites given the wide deployment of OpenSSL.

Description

OpenSSL is a popular program and library set used to deploy the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. Recently a vulnerability was found in the 1.0.1 version series of the OpenSSL server implementation, whereby a client could use the "Heartbeat" mechanism (used to keep connections alive) to read server memory: the client declares a payload length longer than the payload it actually sent, and the server reads back the declared length of data, so memory unrelated to that connection is disclosed. This disclosure can include anything from private encryption keys to usernames and passwords transmitted over the encrypted connection.
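As an added illustration that is not part of the original advisory, the following simulation shows the length handling described above: the defective pattern copies the peer-declared payload length without checking it against the record that actually arrived, while the corrected pattern rejects such a record. The byte buffer standing in for server memory, the sample "neighbour" data it contains and the helper names are constructed for this example only.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed stand-in for server memory: a 23-byte heartbeat record as
 * received, immediately followed by data belonging to another connection. */
static const uint8_t memory[] = {
    /* record: type 1 (request), payload_length 0x0020 (claims 32), payload "ping", 16 padding bytes */
    0x01, 0x00, 0x20, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    /* neighbouring memory (constructed sample of what could be disclosed) */
    'u', 's', 'e', 'r', '=', 'a', 'l', 'i', 'c', 'e', ';', 'p', 'w', '=', 's', '3', 'c', 'r', '3', 't',
};
#define RECORD_LEN 23   /* bytes actually received for the record */

/* Defective pattern (OpenSSL 1.0.1 to 1.0.1f): trusts the peer's 16-bit
 * payload_length and copies that many bytes into the reply without comparing
 * it to the length of the record that actually arrived. */
size_t heartbeat_reply_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    (void)rec_len;                                    /* never consulted */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (payload_len > out_cap) return 0;
    memcpy(out, rec + 3, payload_len);                /* runs past the record */
    return payload_len;
}

/* Corrected pattern (the 1.0.1g fix): type, length, declared payload and the
 * 16-byte minimum padding must all fit inside the received record. */
size_t heartbeat_reply_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    if (rec_len < 1 + 2 + 16) return 0;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload_len + 16 > rec_len) return 0;   /* the missing check */
    if (payload_len > out_cap) return 0;
    memcpy(out, rec + 3, payload_len);
    return payload_len;
}

/* Runs the defective handler and returns the reply bytes past the real 4-byte
 * payload and 16-byte padding: the neighbour's data echoed back to the peer. */
const char *vulnerable_leak(void) {
    static uint8_t reply[65];
    size_t n = heartbeat_reply_vulnerable(memory, RECORD_LEN, reply, 64);
    reply[n] = 0;
    return (const char *)reply + 20;
}
size_t fixed_reply_length(void) {   /* 0: the lying record is rejected */
    uint8_t reply[64];
    return heartbeat_reply_fixed(memory, RECORD_LEN, reply, sizeof reply);
}
```

With the constructed buffer, the defective handler echoes 32 bytes for a 4-byte payload and the tail of the reply is the neighbour's "user=alice;p", whereas the corrected handler returns 0 and sends nothing.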

Mitigation/Solution

Users are advised to use the detection tool listed in the References section to determine whether a site they use is patched. If the site is patched, the results will display a green bar behind the Heartbeat/Heartbleed entry. Once that confirmation is seen, users may go ahead and change their passwords and/or security questions on that site.

Users are further advised not to accept disclaimers from website services as sufficient unless the disclaimer explicitly states that the site used an unaffected library or software version. If further information is needed to make this determination, contact the website administrator. If a determination cannot be made, do not accept the statement, and change any passwords and/or security questions.

References