OpenSSL TLS 'heartbeat' Extension Information Disclosure Vulnerability

ITS Advisory Number: 
2014-029b
Date(s) Issued: 
Tuesday, April 8, 2014
Date Updated: 
Thursday, April 10, 2014
Subject: 
OpenSSL TLS 'heartbeat' Extension Information Disclosure Vulnerability
Overview: 

A vulnerability has been discovered in OpenSSL's implementation of the TLS 'heartbeat' extension that could allow for the disclosure of sensitive information. OpenSSL is an open-source implementation of the SSL/TLS protocols used by a large number of other projects. TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer) are the protocols that secure communication over the Internet via encryption. This issue could allow an unauthenticated remote attacker to read the private key and other sensitive data held in the memory of a vulnerable process. Software products known to be using OpenSSL are the open source web servers Apache and nginx.

APRIL 10, 2014 - UPDATED OVERVIEW:
There has been a large increase in scanning activity for this vulnerability. There are also reports that this vulnerability is currently being successfully exploited for obtaining sensitive data from vulnerable servers.

Systems Affected: 
  • OpenSSL versions 1.0.1 through 1.0.1f (inclusive), and 1.0.2-beta1. The 1.0.0 and 0.9.8 branches are not affected; the fix is in 1.0.1g. Note that some Linux distributions backport the fix into their existing 1.0.1e packages without changing the version string, so check the vendor's package advisory rather than relying on the version number alone.
RISK:
GOVERNMENT
  Large and medium government entities: High
  Small government entities: High
BUSINESS
  Large and medium business entities: High
  Small business entities: High
HOME USERS: High
Description: 

ORIGINAL DESCRIPTION:
An information disclosure vulnerability has been discovered in OpenSSL's implementation of the TLS 'heartbeat' extension (RFC 6520) that could allow an attacker to obtain sensitive information residing in memory. The flaw is a missing bounds check: OpenSSL trusts the 16-bit payload length carried in a received heartbeat request instead of comparing it with the length of the record actually received, so it copies that many bytes from the receive buffer into the reply, including whatever happens to sit beyond the request in process memory. Each request can return up to 64KB of memory from either the client or the server, and an attacker can repeat the request as often as desired, so the private key, session cookies, credentials and other sensitive data in memory can be recovered over time. Exploitation requires no authentication and leaves no trace in ordinary application logs. Software products known to be using OpenSSL are the open source web servers Apache and nginx. It is also known to be used on various platforms including Linux and Mac OS X.
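
The missing bounds check, as an added illustration that is not OpenSSL's own code: a stripped-down model of the pre-1.0.1g heartbeat handler beside a handler with the 1.0.1g-style check that discards any request whose claimed payload length does not fit in the record actually received. The handler names, the 256-byte simulated record buffer, the planted "PRIVATE-KEY-MATERIAL" string and the 200-byte claimed length are all constructed for this demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_PADDING 16   /* RFC 6520: a heartbeat carries at least 16 bytes of padding */
#define SECRET "PRIVATE-KEY-MATERIAL"   /* constructed stand-in for adjacent heap data */

/* Constructed model of the record buffer: the heartbeat record sits at the
 * front; bytes belonging to something else (in real OpenSSL, whatever was
 * adjacent on the heap) sit immediately after it. */
typedef struct {
    uint8_t buf[256];
    size_t  rec_len;   /* bytes the record layer actually received */
} record_t;

/* Build a heartbeat request with an attacker-chosen 16-bit length field and
 * plant a secret just past the end of the record. The size check here only
 * keeps the demo inside its own array; it is not part of the protocol. */
static int build_record(record_t *r, uint16_t claimed_len,
                        const char *payload, const char *secret)
{
    size_t real_len = strlen(payload);
    if (1 + 2 + real_len + HB_PADDING >= sizeof r->buf ||
        1 + 2 + (size_t)claimed_len + HB_PADDING > sizeof r->buf)
        return -1;
    memset(r->buf, 0, sizeof r->buf);
    r->buf[0] = HB_REQUEST;
    r->buf[1] = (uint8_t)(claimed_len >> 8);   /* length field, big-endian */
    r->buf[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(r->buf + 3, payload, real_len);      /* padding stays zero */
    r->rec_len = 1 + 2 + real_len + HB_PADDING;
    strncpy((char *)r->buf + r->rec_len, secret, sizeof r->buf - r->rec_len - 1);
    return 0;
}

/* Pre-1.0.1g behaviour, simplified: the length comes from the peer and is
 * never compared with rec_len, so the copy runs past the end of the record.
 * (out_cap guards only the caller's reply buffer, which OpenSSL allocated at
 * exactly the claimed size; it says nothing about the source.) */
static int process_heartbeat_vulnerable(const record_t *r, uint8_t *out, size_t out_cap)
{
    const uint8_t *p = r->buf;
    uint8_t hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (hbtype != HB_REQUEST || payload > out_cap) return -1;
    memcpy(out, p, payload);   /* copies `payload` bytes regardless of rec_len */
    return payload;
}

/* 1.0.1g behaviour: silently discard a request that is too short to be a
 * heartbeat or whose claimed payload does not fit in the received record. */
static int process_heartbeat_fixed(const record_t *r, uint8_t *out, size_t out_cap)
{
    const uint8_t *p = r->buf;
    if (1 + 2 + HB_PADDING > r->rec_len) return -1;
    uint8_t hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (1 + 2 + (size_t)payload + HB_PADDING > r->rec_len) return -1;  /* the missing check */
    if (hbtype != HB_REQUEST || payload > out_cap) return -1;
    memcpy(out, p, payload);
    return payload;
}

/* Malicious request: 5-byte payload "hello", length field claims 200.
 * Returns 1 if the vulnerable handler echoed the planted secret back. */
int vulnerable_leaks_secret(void)
{
    record_t r; uint8_t out[256];
    if (build_record(&r, 200, "hello", SECRET) != 0) return 0;
    int n = process_heartbeat_vulnerable(&r, out, sizeof out);
    /* the secret starts rec_len bytes into buf, i.e. rec_len - 3 bytes into the reply */
    return n == 200 && memcmp(out + r.rec_len - 3, SECRET, sizeof SECRET - 1) == 0;
}

/* Same malicious request against the fixed handler: returns 1 if discarded. */
int fixed_rejects_oversized(void)
{
    record_t r; uint8_t out[256];
    if (build_record(&r, 200, "hello", SECRET) != 0) return 0;
    return process_heartbeat_fixed(&r, out, sizeof out) == -1;
}

/* Honest request (length field matches the payload): returns 1 if echoed intact. */
int fixed_echoes_honest(void)
{
    record_t r; uint8_t out[256];
    if (build_record(&r, 5, "hello", SECRET) != 0) return 0;
    int n = process_heartbeat_fixed(&r, out, sizeof out);
    return n == 5 && memcmp(out, "hello", 5) == 0;
}

int main(void)
{
    printf("vulnerable handler leaked secret:          %s\n", vulnerable_leaks_secret() ? "yes" : "no");
    printf("fixed handler rejected oversized request:  %s\n", fixed_rejects_oversized() ? "yes" : "no");
    printf("fixed handler echoed honest request:       %s\n", fixed_echoes_honest() ? "yes" : "no");
    return 0;
}
```

The demo keeps the over-read inside its own 256-byte array so it is well-defined C; the real bug had no such limit and read up to 65535 bytes of whatever the heap held past the request. The only difference between the two handlers is the comparison of the claimed length against rec_len, which is exactly the check OpenSSL 1.0.1g added.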

More information about this threat as well as a web-based testing tool is available at: http://heartbleed.com

Actions: 
  • Update vulnerable OpenSSL products immediately after appropriate testing: upgrade to OpenSSL 1.0.1g, or rebuild OpenSSL with -DOPENSSL_NO_HEARTBEATS where an upgrade is not yet possible, then restart every service that links the library so the patched copy is actually loaded.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources; a malicious server can read the memory of a vulnerable client in the same way.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Once patched, immediately generate new private keys, reissue certificates for the new keys, and revoke the old certificates on all public sites that use OpenSSL/TLS. Reissuing a certificate for the existing key leaves a possibly stolen key in use.
  • Recommend users change their passwords on sites that are/were using a vulnerable OpenSSL, after those sites have been patched, giving priority to high value accounts.
References: 
OpenSSL:
https://www.openssl.org/news/secadv_20140407.txt
CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
SecurityFocus:
http://www.securityfocus.com/bid/66690
Heartbleed:
http://heartbleed.com