On a daily basis users rely on encryption to protect their sensitive data. A vulnerability in the way encryption is handled may result in the unauthorized disclosure of IDs, passwords, credit card data, session cookies, and other sensitive information. Versions of OpenSSL, a publicly available software library, have a handling bug in the implementation of the TLS Heartbeat Extension that could be used to reveal up to 64KB of memory. 64KB may not sound like much, but an attacker can repeatedly use the bug to collect additional information. The 64KB area of memory is known as the heap and is positioned near the bottom of memory. The information available to an attacker will depend upon what was stored in that memory at a specific point in time.

By reading the memory, an attacker can gain access to sensitive information as well as the server's private key, the key used to encrypt and protect information. With the server's private key, an attacker can break the encryption of earlier communications to read what was thought to be protected information. By reading sensitive information, an attacker can leverage it to implement man-in-the-middle attacks and hijack the identity of users. Unless new keys are generated, an attacker could intercept and read traffic even after the Heartbleed OpenSSL vulnerability has been patched.
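To make the "up to 64KB" figure concrete, here is an added example (not code from the original post or from OpenSSL) of the length check the fix introduced: a TLS heartbeat message carries a 16-bit payload length, so an implementation that trusts that field without comparing it to the record's actual size can read up to 65535 bytes beyond the real payload. The message layout follows RFC 6520; the function names and the sample messages are constructed for this illustration.

```python
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520 requires at least 16 bytes of padding
HEADER_LEN = 3    # 1-byte type + 2-byte big-endian payload_length


def parse_heartbeat(record: bytes) -> Optional[bytes]:
    """Return the heartbeat payload, or None if the message must be silently discarded.

    Layout: type (1) | payload_length (2) | payload | padding (>= 16).
    The bounds check below is the one that was missing in vulnerable OpenSSL
    builds: the declared payload plus padding must fit inside the record.
    """
    if len(record) < HEADER_LEN + MIN_PADDING:
        return None
    msg_type = record[0]
    (payload_length,) = struct.unpack(">H", record[1:3])
    if msg_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return None
    # Without this comparison, payload_length (up to 65535) drives a copy out of
    # a buffer that only holds len(record) bytes, echoing adjacent heap memory.
    if HEADER_LEN + payload_length + MIN_PADDING > len(record):
        return None
    return record[HEADER_LEN:HEADER_LEN + payload_length]


def overread_without_check(record: bytes) -> int:
    """Bytes beyond the record that an unchecked copy would have read (0 if none).

    Shows where the 64KB ceiling comes from: the field is 16 bits wide.
    """
    (payload_length,) = struct.unpack(">H", record[1:3])
    return max(0, HEADER_LEN + payload_length - len(record))


def encode_heartbeat(payload: bytes, declared_length: Optional[int] = None) -> bytes:
    """Build a constructed request; declared_length lets a validator test use a
    length field that does not match the real payload."""
    length = len(payload) if declared_length is None else declared_length
    return bytes([HEARTBEAT_REQUEST]) + struct.pack(">H", length) + payload + b"\x00" * MIN_PADDING
```

A correctly formed message returns its payload; a message whose length field exceeds what the record actually contains is discarded, which is the behaviour a patched server exhibits.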
Altius IT recommends organizations take the following steps to address this vulnerability:
- Update. Contact vendors to determine if their software or product is vulnerable. If so, identify when a fix, patch, or upgrade will be available. Back up your system or device. Apply the patch using vendor-supplied instructions. Follow formal patch and change management procedures, testing the updates in a non-production environment before rolling out to production systems.
- New keys. Follow vendor-recommended steps to generate a new certificate and key. This ensures that old private keys that have been compromised can't be used to read encrypted information. Revoke your old key and certificate so that they cannot be used.
- Restart. Follow vendor instructions and restart the system or device.
- Test. Test to ensure the vulnerability has been properly addressed.
- Passwords. Notify computer system users (customers, staff, suppliers, etc.) that they should change their passwords.
Network security audits help organizations identify, manage, and reduce their risks. Formal and documented policies ensure a top-down approach to managing encryption and network security risks.