“Heartbleed” vulnerability in OpenSSL could lead to data theft
The “Heartbleed” vulnerability in the implementation of OpenSSL, which has far-reaching implications, allows a remote attacker to read the memory of systems protected by vulnerable versions of OpenSSL, observed security expert Carl Leonard, in Websense security blog post.
As stated by the expert, the data that may be stolen includes certificates, private keys, Personally Identifiable Information (PII) and any other sensitive data.
The blog post goes on the explain that for those not familiar with OpenSSL, it is an Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. It is deployed in many scenarios such as within email servers and VPN systems, and can be embedded within operating systems. Any such system using the vulnerable version of OpenSSL is thus vulnerable to exploitation.
The security expert said Websense strongly recommends that one establish whether vulnerable instances of OpenSSL are used in your environment, and if so, you should upgrade OpenSSL, or the software that uses OpenSSL, immediately.
Codenomicon, recognised as one of the discovering parties, have provided detail on this vulnerability as well as other mitigation actions that you should consider, which include:
Recompile your existing OpenSSL version with -DOPENSSL_NO_HEARTBEATS option (to disable the vulnerable component).
Revoke and reissue all certificates from the past 2 years (since the bug has been in existence).
Generate new private keys.
Invalidate all session keys and cookies.
Any end users who suspect that they may have interacted with a web server that is, or was, vulnerable to this flaw should consider resetting their passwords.
It is understood that web server logs will not show whether the vulnerability has been used, thus making an attack difficult to detect from that perspective.
Websense ThreatSeeker Intelligence Cloud has identified that numerous Proof Of Concept tools have been launched online that can be used to show whether a particular website is vulnerable to CVE-2014-0160. We have seen reports to suggest that upwards of 600 of the Top 10,000 websites (as ranked by Alexa) are still vulnerable.