ControlScan advises its customers and clients with eCommerce websites, or those which handle sensitive data, that a critical vulnerability (CVE-2014-0160) has been discovered in the OpenSSL 1.0.1 and 1.0.2-beta implementations of the TLS heartbeat extension. The vulnerability is known as ‘Heartbleed,’ and should be treated as an immediate concern for any organization relying on OpenSSL to secure data in transit. Note that the vulnerability was introduced in 1.0.1 and does not affect the older 1.0.0 and 0.9.8 branches: releases 1.0.1 through 1.0.1f and 1.0.2-beta1 are affected, and 1.0.1g is the first fixed release.
The vulnerability allows remote, unauthenticated attackers to read the memory of the process that links OpenSSL (a web server, mail server, VPN daemon, and so on) in chunks of up to 64 KB per malformed heartbeat request, and the request can be repeated as often as the attacker likes. Data disclosed this way may include application content, such as SQL queries; web requests, such as those containing session IDs or card numbers; the server’s SSL private key; or any other data residing in the process’s memory at the time. Disclosure of an SSL-enabled site’s private key allows an attacker to masquerade as the site through Man-in-the-Middle attacks and to decrypt any data sent to the false site. ControlScan’s security researchers have successfully tested a proof-of-concept and can confirm that such attacks are possible against affected systems.
Note that even after a system is patched, the private key that validates the server’s identity may already have been disclosed, in which case the certificate can no longer be trusted to identify the server. Heartbeat requests are not normally logged, so there is no reliable way to rule out prior disclosure. As a result, ControlScan recommends that customers treat any affected system as having already been compromised.
Customers are advised to immediately update any instances of the affected versions of OpenSSL to the latest available version. Many platforms – such as Debian, Ubuntu, and Red Hat – have already made updated packages available to users. Be aware that these distributions typically backport the fix without changing the version letter reported by ‘openssl version’, so confirm the fix through the package changelog or the vendor’s advisory rather than the version string alone. ControlScan recommends contacting your service provider or vendor to understand whether your system has had the potential to be affected.
ControlScan recommends the following remediation steps, in this order, if you have determined that your system meets the affected criteria:
- Immediately upgrade to the latest available version of OpenSSL and restart every service that links it (a running process keeps the old library in memory until restarted)
- On the patched system, generate a new private key and obtain a new SSL certificate for it; the old key must be treated as disclosed and never reused
- Install the new key and certificate, then revoke the certificates previously used on the affected server
- Consider a near-term strategy for updating passwords, SSH keys, session tokens, and any other sensitive authentication data on affected systems, since all of it may have been present in process memory
Note that new keys should not be generated or installed until OpenSSL has been updated and the services restarted, since a key created on an unpatched host can be disclosed in the same way as the old one. Additional information is available at the following resources:
Additionally, check with your vendor for updates to appliances, hosted implementations, and cloud-based services.
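The following script is an added example for this advisory, not ControlScan tooling, and shows the checks a practitioner would run on a Linux host: a first-pass verdict from the ‘openssl version’ banner (with the backport caveat applied), confirmation of the fix from the package changelog, a scan of /proc for processes still mapping a deleted libssl or libcrypto after patching, and generation of a replacement key and CSR. It assumes a Linux host with /proc, the openssl binary in PATH, and the package being named ‘openssl’ (RPM) or ‘libssl1.0.0’ (Debian); the hostname and output paths in the comments are placeholders.

```shell
#!/bin/sh
# Added example for this advisory, not ControlScan tooling. Assumes a Linux
# host with /proc, the openssl binary in PATH, and (for the package check)
# the package being named "openssl" (RPM) or "libssl1.0.0" (Debian).

# 1. Triage from the "openssl version" banner. Upstream releases 1.0.1
#    through 1.0.1f and 1.0.2-beta1 carry the bug; 1.0.1g fixes it; the
#    1.0.0 and 0.9.8 branches never had it.
#    Caveat: Debian, Ubuntu and Red Hat backport the fix without changing
#    the version letter, so "affected" here means "verify with the package
#    changelog" (step 2), not "definitely vulnerable".
heartbleed_version_status() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([^ ]*\).*/\1/p')
    case "$ver" in
        '')                                  echo "unknown" ;;
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*)       echo "affected" ;;
        1.0.2-beta*)                         echo "affected" ;;
        1.0.1[g-z]*|1.0.2*|1.1*|[2-9]*)      echo "fixed" ;;
        *)                                   echo "not-affected" ;;
    esac
}

# 2. Confirm the fix via package metadata: a patched build names the CVE in
#    its changelog whatever the version letter says.
#    Returns 0 if found, 1 if not, 2 if no supported package tool is present.
heartbleed_pkg_fixed() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -q --changelog openssl 2>/dev/null | grep -q 'CVE-2014-0160'
    elif [ -r /usr/share/doc/libssl1.0.0/changelog.Debian.gz ]; then
        zcat /usr/share/doc/libssl1.0.0/changelog.Debian.gz | grep -q 'CVE-2014-0160'
    else
        return 2
    fi
}

# 3. After patching: any process still mapping a deleted libssl/libcrypto is
#    running the old, vulnerable code and must be restarted. The proc root is
#    a parameter so the function can be run against a copy.
stale_openssl_pids() {
    procroot="${1:-/proc}"
    for maps in "$procroot"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if grep -Eq 'lib(ssl|crypto)[^ ]*\.so[^ ]* \(deleted\)' "$maps" 2>/dev/null; then
            pid=${maps#"$procroot"/}
            printf '%s\n' "${pid%/maps}"
        fi
    done
}

# 4. Key replacement, to be run only on a patched host: a fresh private key
#    and a CSR to send to the certificate authority. The old key is treated
#    as disclosed and never reused. Files are created with mode 0600.
new_key_and_csr() {
    host="$1"; outdir="${2:-.}"
    command -v openssl >/dev/null 2>&1 || { echo "openssl not in PATH" >&2; return 1; }
    ( umask 077
      openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
          -out "$outdir/$host.key" 2>/dev/null &&
      openssl req -new -key "$outdir/$host.key" -subj "/CN=$host" \
          -out "$outdir/$host.csr" 2>/dev/null )
}

# Stand-alone run: report the banner verdict and any processes to restart.
# Key generation is left to the operator, e.g.:
#   new_key_and_csr www.example.com /etc/ssl/private   (placeholder values)
echo "openssl banner verdict: $(heartbleed_version_status "$(openssl version 2>/dev/null)")"
if heartbleed_pkg_fixed; then echo "package changelog mentions CVE-2014-0160: fix present"; fi
stale=$(stale_openssl_pids /proc)
if [ -n "$stale" ]; then
    echo "restart these PIDs, they still map an old libssl/libcrypto:"
    echo "$stale"
fi
```

The banner check is deliberately only a first pass: on a distribution that backports, ‘affected’ from step 1 together with a changelog hit from step 2 means the build is fixed. Step 3 is the check most often skipped; a long-running daemon started before the upgrade still carries the vulnerable code until it is restarted, and the ‘(deleted)’ marker in its maps file is the evidence.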
If you have any questions or would like to speak with a security consultant, please contact firstname.lastname@example.org. We’re here to help.