Websense® Security Labs™ has been tracking news of a vulnerability in the implementation of OpenSSL which has far-reaching implications for it's users and those impacted by it's use.
The vulnerability, CVE-2014-0160, allows a remote attacker to read the memory of systems protected by vulnerable versions of OpenSSL. Data that may be stolen includes certificates, private keys, Personally Identifiable Information (PII) and any other sensitive data.
For those not familiar with OpenSSL it is an Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. It is deployed in many scenarios such as within email servers and VPN systems, and can be embedded within operating systems. Any such system using the vulnerable version of OpenSSL is thus vulnerable to exploitation.
The vulnerability exists in OpenSSL v1.0.1 through v1.0.1f (also v1.0.2-beta1). Please refer to http://www.openssl.org/news/vulnerabilities.html for detailed information.
Please note: an updated (fixed) version of OpenSSL is now available in v1.0.1g
Confirmation of this can be found on https://www.openssl.org/news/secadv_20140407.txt (in anticipation of the openssl website being under heavy load, we have provided a screenshot of their advice below):
We strongly recommend that you establish whether vulnerable instances of OpenSSL are used in your environment, and if so, you should upgrade OpenSSL, or the software that uses OpenSSL, immediately.
Codenomicon, recognised as one of the discovering parties, have provided detail on this vulnerability as well as other mitigation actions that you should consider, which include:
- Recompile your existing OpenSSL version with -DOPENSSL_NO_HEARTBEATS option (to disable the vulnerable component).
- Revoke and reissue all certificates from the past 2 years (since the bug has been in existence).
- Generate new private keys.
- Invalidate all session keys and cookies.
- Any end users who suspect that they may have interacted with a web server that is, or was, vulnerable to this flaw should consider resetting their passwords.
It is understood that web server logs will not show whether the vulnerability has been used, thus making an attack difficult to detect from that perspective.
Our ThreatSeeker® Intelligence Cloud has identified that numerous Proof Of Concept tools have been launched online that can be used to show whether a particular website is vulnerable to CVE-2014-0160. We have seen reports to suggest that upwards of 600 of the Top 10,000 websites (as ranked by Alexa) are still vulnerable.
Websense Security Labs will continue to monitor the impact of this vulnerability.