OpenSSL TLS heartbeat' Extension Information Disclosure Vulnerability'

ITS Advisory Number: 
2014-029
Date(s) Issued: 
Tuesday, April 8, 2014
Subject: 
OpenSSL TLS heartbeat' Extension Information Disclosure Vulnerability'
Overview: 

A vulnerability has been discovered in OpenSSL’s implementation of the TLS ‘heartbeat’ extension that could allow for the disclosure of sensitive information. OpenSSL is an open-source implementation of the SSL protocol used by a number of other projects. SSL (Secure Sockets Layer) is a protocol that ensures secure communication over the Internet via encryption. This issue could allow an attacker to compromise the private key and other sensitive data stored in memory.  Software products known to be using OpenSSL are the open source web servers Apache and nginx.

Systems Affected: 
  • OpenSSL versions 1.0.1 to 1.0.1f
RISK
GOVERNMENT
Large and medium government entities: 
High
Small government entities: 
High
BUSINESS
Large and medium business entities: 
High
Small business entities: 
High
Home Users: 
High
Description: 

An information disclosure vulnerability has been discovered in OpenSSL’s implementation of the TLS ‘heartbeat’ extension that could allow for an attacker to obtain sensitive information residing in memory. This issue occurs because OpenSSL fails to conduct proper bounds checks when handling TLS ‘heartbeat’ packets. Up to 64KB of memory from either the client or the server can be recovered by an attacker and could allow an attacker to compromise the private key and other sensitive data in memory. Software products known to be using OpenSSL are the open source web servers Apache and nginx. It is also known to be used on various platforms including Linux and Mac OS X.

More information about this threat as well as a web-based testing tool is available at: http://heartbleed.com

An information disclosure vulnerability has been discovered in OpenSSL’s implementation of the TLS ‘heartbeat’ extension that could allow for an attacker to obtain sensitive information residing in memory. This issue occurs because OpenSSL fails to conduct proper bounds checks when handling TLS ‘heartbeat’ packets. Up to 64KB of memory from either the client or the server can be recovered by an attacker and could allow an attacker to compromise the private key and other sensitive data in memory. Software products known to be using OpenSSL are the open source web servers Apache and nginx. It is also known to be used on various platforms including Linux and Mac OS X.

More information about this threat as well as a web-based testing tool is available at: http://heartbleed.com

Actions: 
  • Update vulnerable OpenSSL products immediately after appropriate testing.
  • Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
References: 
OpenSSL:
https://www.openssl.org/news/secadv_20140407.txt
CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
SecurityFocus:
http://www.securityfocus.com/bid/66690
Heartbleed:
http://heartbleed.com