This blog post has been updated (4/15/14) to share our advised next steps for Fidelis XPS users. If you are not a Fidelis XPS user but you have questions on what your next steps should be regarding the Heartbleed threat, please leave a comment and our geeks will do their best to help.
Unless you’re hiding under a rock, there’s no doubt you’ve seen all of the panic and flurry surrounding Heartbleed. There are loads of reports and technical details available with a simple search; here are the highlights, along with some helpful resources on the issue.
Heartbleed was reported Monday evening as a major vulnerability (CVE-2014-0160) in OpenSSL versions 1.0.1 – 1.0.1f, one that has been around for some time. A patch has been released (OpenSSL 1.0.1g) and you can find more information about that here. OpenSSL is an implementation of the encryption technology Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS). It implements basic cryptography functions and utilities whose main job is to keep communications between a web browser and server secure. Other applications also use the library, such as any that need to encrypt the data they send back and forth.
The gory details surrounding the bug show an attacker has the ability to read the private memory of the remote system in 64 KB chunks. Without having any credentials, the attacker could gain access to privileged data such as certificates, usernames, and passwords, just to name a few. This data could be leveraged for larger future attacks. To make matters worse, the attacker can do all this and go undetected in logs. We may never know the full impact of Heartbleed. This isn’t going to be an easy fix. While a patch does exist, vulnerable systems will have to regenerate key data such as encryption keys, usernames, and passwords. Only then can trust be restored in future use of the sites’ services.
How does this affect you?
For the average user, unfortunately there isn’t a whole lot you can do. Once a vulnerable site has been updated, password changes will be necessary.
For those who utilize one of the vulnerable versions of OpenSSL, there are websites and scripts available to test for the vulnerability in your servers alongside checking your version number. A good description of the vulnerability is available here.
There are a lot of factors to consider for the affected server, including (summarized from heartbleed.com):
- Patching any vulnerable systems to OpenSSL 1.0.1g
- Revoking old key pairs
- Changing ALL passwords
- Invalidating all session keys and cookies
- Evaluating any content that was handled by vulnerable servers and taking action accordingly
- Evaluating any additional information that could have been leaked such as memory addresses and other private security measures.
For more technical details on Heartbleed, check out the Q&A.
Next Steps for Fidelis XPS Users
Last week, a patch was issued to Fidelis XPS users, along with a new policy that provides detection of (a) attempted exploitation of the vulnerability involving malformed heartbeat requests and (b) successful exploitation, i.e. the return of data in TLS heartbeat responses. The use of these rules allows enterprises to quickly detect exploit attempts, as well as systems that continue to be vulnerable and are clearly responding with data, presumably retrieved from system memory.
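As an added illustration of the two detection conditions just described (not Fidelis XPS code or its actual rule logic), the following Python inspects a single TLS record and flags a heartbeat request whose declared payload length exceeds what the record actually carries, and a heartbeat response whose payload is larger than an assumed site threshold (`max_response_payload`, set here to 64 bytes). The sample records at the bottom are constructed fixtures for exercising the detector, not captured traffic.

```python
import struct

HEARTBEAT = 0x18                 # TLS ContentType for heartbeat messages (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2   # HeartbeatMessageType values
MIN_PADDING = 16                 # RFC 6520: at least 16 bytes of random padding

def parse_record(record: bytes) -> dict:
    """Split one TLS record into header fields and body; reject truncated input."""
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    ctype, version, length = struct.unpack("!BHH", record[:5])
    body = record[5:5 + length]
    if len(body) != length:
        raise ValueError("record length field does not match bytes present")
    return {"type": ctype, "version": version, "length": length, "body": body}

def inspect_heartbeat(record: bytes, max_response_payload: int = 64) -> list:
    """Return alert strings for one record; an empty list means nothing suspicious.

    max_response_payload is an assumed site threshold: legitimate heartbeats
    (keep-alive, DTLS path MTU discovery) rarely need a large payload.
    """
    rec = parse_record(record)
    alerts = []
    if rec["type"] != HEARTBEAT:
        return alerts                      # not a heartbeat record at all
    body = rec["body"]
    if len(body) < 3:
        return ["heartbeat message too short for type and payload_length"]
    hb_type, payload_length = struct.unpack("!BH", body[:3])
    room = len(body) - 3 - MIN_PADDING     # bytes really available for payload
    if hb_type == HB_REQUEST and payload_length > room:
        alerts.append(f"malformed heartbeat request: declares {payload_length} "
                      f"payload bytes but the record carries only {max(room, 0)}")
    if hb_type == HB_RESPONSE and payload_length > max_response_payload:
        alerts.append(f"oversized heartbeat response: {payload_length} payload "
                      "bytes (possible memory disclosure from a vulnerable peer)")
    return alerts

def build_heartbeat(hb_type: int, declared_len: int, payload: bytes) -> bytes:
    """Constructed test fixture, not captured traffic: TLS 1.0 heartbeat record."""
    body = struct.pack("!BH", hb_type, declared_len) + payload + b"\x00" * MIN_PADDING
    return struct.pack("!BHH", HEARTBEAT, 0x0301, len(body)) + body

BENIGN_REQUEST = build_heartbeat(HB_REQUEST, 4, b"ping")               # lengths agree
MALFORMED_REQUEST = build_heartbeat(HB_REQUEST, 0x4000, b"")            # claims 16 KB, carries none
LEAKY_RESPONSE = build_heartbeat(HB_RESPONSE, 0x4000, b"A" * 0x4000)   # echoed 16 KB
```

A real sensor would apply this per TLS record after reassembling the TCP stream, and would tune the response threshold to the heartbeat sizes actually seen on the network.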
Fidelis customers are advised to update to the latest version of Fidelis XPS and follow instructions to reset private keys where applicable. Further, they should apply the patch and corresponding rules that allow for detection of exploits related to this vulnerability.