Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Information Security

OpenSSL is an open source project which

advertisement 
CERT Australia
OpenSSL heartbeat vulnerability Heartbleed
Abstract
Researchers from Google security and Codenomicon have
recently discovered a vulnerability in OpenSSL’s Transport
Layer Security (TLS) and Datagram Transport Layer Security
(DTLS) protocols. Details of this vulnerability were publicly
released on 8 April 2014 and numerous proof of concept
code samples for exploiting the vulnerability followed.
An attacker could exploit this vulnerability to compromise the
confidentiality of the affected system by obtaining a variety of
information including but not limited to primary keys and
usernames and credentials.
This publication is provided for situational awareness and to
allow consideration of proper mitigations including updating
the software.
This document remains the property of the Australian Government. The information contained in this document is for the
use of the intended recipient only and may contain confidential or privileged information. If this document has been received
in error, that error does not constitute a waiver of any confidentiality, privilege or copyright in respect of this document or the
information it contains. This document and the information contained herein cannot be disclosed, disseminated or
reproduced in any manner whatsoever without prior written permission from the Assistant Secretary, CERT Australia,
Attorney-General's Department, 3 - 5 National Circuit, Barton ACT 2600.
The material and information in this document is general information only and is not intended to be advice. The material and
information is not adapted to any particular person’s circumstances and therefore cannot be relied upon to be of assistance
in any particular case. You should base any action you take exclusively on your own methodologies, assessments and
judgement, after seeking specific advice from such relevant experts and advisers as you consider necessary or desirable.
To the extent permitted by law, the Australian Government has no liability to you in respect of damage that you
might suffer that is directly or indirectly related to this document, no matter how arising (including as a result of
negligence).
Background
OpenSSL is an open source project which provides a Secure Socket Layer (SSL) V2/V3
and Transport Layer Security (TLS) V1 implementation along with a general purpose
cryptographic library. It is widely deployed and utilised.
Details
Researchers from Google security and Codenomicon have recently discovered a
vulnerability in OpenSSL’s Transport Layer Security (TLS) and Datagram Transport Layer
Security (DTLS) protocols. Details of this vulnerability were publicly released on 8 April
2014 and numerous proof of concept code samples for exploiting the vulnerability
followed. The range of services which may be impacted by proof of concept code is also
increasing. The vulnerability lies in the implementation of the Heartbeat extension
(RFC6520)[1] known as ‘Heartbleed’. By sending specially crafted heartbeat requests a
malicious actor can obtain up to 64KB segments stored in memory on the affected device.
While each request is limited to 64KB it is possible to use repeated requests to retrieve
more 64KB segments.
The versions of OpenSSL affected are 1.0.1 up to 1.0.1f and 1.0.2-beta1 and the
vulnerability has been assigned CVE-2014-0160[2]. OpenSSL have released version
1.0.1g which addresses this vulnerability.
Proof of concept code exists which can exploit this vulnerability from a malicious client.
Proof of concept code also exists where a malicious server can exploit this vulnerability
against a vulnerable client. Compromised hosts may show little or no evidence in logs of
compromise. Signatures have been released for multiple IDS/IPS systems which may
identify Heartbleed traffic.
A wide range of services and appliances could potentially use the vulnerable OpenSSL
version. This vulnerability is not limited to web servers or https services. For example,
proof of concept code exists for StartTLS (used to protect email server communications).
Lists of vulnerable products are available such as [3, 4]. These should not be considered
to be comprehensive and users should liaise with their vendors to ensure that they are
aware of impact to deployed products. The range of products that could potentially be
affected includes network appliances and other infrastructure equipment.
When assessing the potential impact of this event, users need to consider their own
circumstances. SSL/TLS termination points will have an effect on the potential information
which may have been or could be exposed as a result of this vulnerability. This will also
impact on what external stakeholders might be impacted and users will need to carefully
consider what they may need to communicate to external parties.
While there is presently no reliable indicator of compromise signatures of potential attack
traffic are emerging. Where users have historic network traffic captures available they may
wish to consider the use of available signatures to process historic traffic. This may give
some indication of previous compromise.
The situation regarding this vulnerability is very fluid with its exact scope and the products
affected still being assessed. Users are advised to closely monitor vendor information and
be prepared to act to reduce their vulnerability.
Specific recommendations
CERT Australia suggests users consider the following specific mitigations to protect
against this cyber security risk:
 Where possible, users should update OpenSSL to version 1.0.1g as soon as
possible.
 Where an upgrade is not possible, it may be possible to instead recompile
OpenSSL with the -DOPENSSL_NO_HEARTBEATS flag. Any software that uses
OpenSSL would also need to be restarted.
 For web services, users could consider the use of a reverse proxy service or
similar service to act as an SSL end point between vulnerable servers and the
internet.
 Once the OpenSSL implementation has been made safe users should consider
generating new keys, obtaining new certificates and revoking previous certificates
and keys.
 Passwords used to access the affected service should be reset only after previous
steps have been completed.
 Cached cookies and session identifiers should be purged from browsers.
 It may not be immediately clear whether a particular system uses a vulnerable
version of the software and users should review systems to obtain visibility on the
use of OpenSSL as a third party component in other systems.
 Many vendors are moving to patch vulnerable systems. Users should liaise with
vendors to apply patches where available.
 Detection signatures are becoming available for IDS/IPS systems. Users check
with their particular vendor and should consider use of these where possible.
General recommendations
CERT Australia suggests users consider the following general mitigations to protect
against this and other cyber security risks:
 Take measures to minimise network exposure for all control system devices.
Critical devices should not be directly exposed to the internet. Locate control
system networks and remote devices behind firewalls and isolate them from the
business network.
 When remote access is required, use secure methods such as Virtual Private
Networks (VPNs) with two factor authentication.
 Monitor intrusion detection and/or prevention systems, user logs and server logs
for suspicious behaviour.
 Use defence-in-depth methods in system design to restrict and control access to
individual products and control networks.
 Use application white-listing to only allow specifically authorised applications to
operate on networks. This mitigation helps prevent malicious software or
unauthorised applications from executing.
 Ensure applications and operating systems are kept up-to-date with the latest
software patches.
 Ensure users are restricted from, or are administratively prohibited from installing
unauthorised software and browsing the internet with administrator privileges.
 Remove, disable, or rename any default system accounts wherever possible.
 Implement account lockout policies to reduce the risk from brute forcing attempts.
 Enforce strong passphrase policies to reduce the risk from brute forcing attempts.
 Monitor the creation of administrator level accounts by third-party vendors.
 Ensure computer systems are running antivirus software with the latest antivirus
signatures.
 For other mitigation please refer to the “Strategies to mitigate targeted electronic
intrusions” publication. [5]
Links
[1] http://www.rfc-editor.org/rfc/rfc6520.txt
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
[3] http://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=7209
51&SearchOrder=4
[4] https://www.cert.fi/en/reports/2014/vulnerability788210.html
[5] https://www.cert.gov.au/faq
Feedback
CERT Australia (the CERT) welcomes any feedback you may have with regard to this publication
and/or the services we provide – info@cert.gov.au or 1300 172 499.
Note: information sent to the above email address will be in the clear and not secure. Secure
communication channels for sensitive information are available on request.
Report an incident
Reporting cyber incidents allows us to form a more accurate view of cyber security threats and
make sure that businesses receive the right help and advice. All information provided to us is held
in the strictest confidence. Secure communication channels for sensitive information are available
on request.
Business partners who suspect they have been the victim of cyber crime are encouraged to report
it to the Australian Federal Police. Cyber crime involves the unauthorised access to or impairment
of computer systems and is likely to constitute an offence under the Commonwealth’s Criminal
Code Act 1995 and/or state and territory criminal laws.
About us
The CERT is the national computer emergency response team. We are the single point of contact
for cyber security issues affecting major Australian businesses.
The CERT is part of the Federal Attorney-General’s Department, with offices in Canberra and
Brisbane. We also work in the Cyber Security Operations Centre, sharing information and working
closely with the Australian Security Intelligence Organisation (ASIO), the Australian Federal Police
(AFP) and the Australian Signals Directorate (ASD). In addition, we work closely and share
information with our international counterparts.
This means we are very well connected and informed, so we are best placed to help businesses
protect themselves from cyber attacks.
Traffic Light Protocol (TLP)
Related documents
Need for New Approaches to Security PowerPoint
Need for New Approaches to Security PowerPoint
信息安全概述(An Overview of Information Security)
信息安全概述(An Overview of Information Security)
Heartbleed – What is it?
Heartbleed – What is it?
Digital vulnerabilitz atlas of South Asia [PPT, 2.05
Digital vulnerabilitz atlas of South Asia [PPT, 2.05
Sustainable Urban Development in the Pacific
Sustainable Urban Development in the Pacific
Presentation_with_acharya_dst_sept_14_2010 - GISE
Presentation_with_acharya_dst_sept_14_2010 - GISE
Quarter 4 / Lesson 1
Quarter 4 / Lesson 1
Customer Vulnerability
Customer Vulnerability
How we raised awareness on information security in Slovenia
How we raised awareness on information security in Slovenia
Presentation here
Presentation here
Final Paper
Final Paper
Who found the Heartbleed Bug?
Who found the Heartbleed Bug?
CIT 480: Securing Computer Systems Lab #1: Cryptography
CIT 480: Securing Computer Systems Lab #1: Cryptography
Download
advertisement