DBSA:2014-0008
Disclaimer: as technology changes, advisories may become out of date or may no longer be relevant, please refer to the "Date" section of the header to be sure the advisory is recent as pertains to your situation.
Contents
Digibase Security Advisory - OpenSSL "Heartbleed" Vulnerability - Server Administrators
Keywords: SSL, TLS, Vulnerability, Data Exposure, HTTPS, OpenSSL
DBSA ID: 2014-0008
Regarding: OpenSSL "Heartbleed" Vulnerability - Server Administrators
Writeup: Kradorex Xeron (talk) 10:05, 11 April 2014 (EDT)
Date: 2014 04 11
Last Modified: 20140411100539 by Kradorex Xeron
Who should take note: Server Administrators
Classification
Priority: HIGH
Rationale: Information could have been compromised by third parties, immediate attention is required.
Severity: HIGH
Rationale: Information disclosed may be utilized and leveraged to compromise user accounts across multiple sites.
Spread of Issue: MULTI-PLATFORM HIGH
Rationale: Affects multiple server platforms given the deployment of OpenSSL.
Description
OpenSSL is a popular program and library set used to deploy the Secure Sockets Layer and Transport Security Layer protocols. Recently there was a vulnerability in the 1.0.1 version series server implementation of OpenSSL whereas a client could utilize the "Heartbeat" mechanism used to keep connections alive to read server memory by requesting a longer resource than was input, thus causing the server to read back the requested length of data, leading to data unrelated to that connection being disclosed. This disclosure can include anything from private encryption keys to usernames and passwords transmitted over encrypted means.
This issue includes any front-end load balancers, proxies, routers, VPN termination systems or like systems that utilize OpenSSL to encrypt user connections.
Servers utilizing 1.0.0 and prior do not implement the Heartbeat mechanism and therefore not effected.
Mitigation/Solution
Server and System Administrators effected are advised to update OpenSSL to version 1.0.1g immediately if they are utilizing a 1.0.1 series version and then fully regenerate their certificate chain. Regenerating certificates alone is insufficient, it is required that administrators also re-key their certificates with a different key, generating a new signing request in the process. It is also advised that administrators consult their certificate authority to determine if there is an ability to have this new signing request signed without the normal fees given the gravity of this situation.
Once the aforementioned is completed, server administrators should release a statement to their users requesting any information such as passwords or secrets like secret questions be changed in full.
If a server is not effected, a server administrator should release a statement explicitly stating that the platform does not utilize the effected software or libraries so that users may be aware.
If a server or device cannot be updated due to lack of access, it is advised to contact the vendor or supplier for a software update immediately.
Server Administrators may utilize the detection tool noted to test their server if it is Internet-connected.