RedShield Advisory regarding "Heartbleed" OpenSSL Vulnerability CVE-2014-0160
Difficulty of Exploitation:
The Heartbleed vulnerability in OpenSSL allows system memory to be read remotely by attackers. This memory may include SSL certificate private key material, session IDs, passwords, etc.
All RedShield customer assets have been tested for this vulnerability, and all affected customers have been notified of this issue. If you have additional assets not scanned by RedShield or would like to manually retest, please use the link below. For questions contact firstname.lastname@example.org.
The Heartbleed vulnerability in OpenSSL allows SSL certificate private key material to be compromised remotely by attackers.
1. SSL connections could be vulnerable to man in the middle attacks
2. There is a potential loss of confidentiality of the data flowing across SSL connections (for example, usernames and passwords for HTTPS websites, sensitive data flowing over VPNs, encrypted email servers)
OpenSSL Vulnerable Versions
- OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
- OpenSSL 1.0.1g is NOT vulnerable
- OpenSSL 1.0.0 branch is NOT vulnerable
- OpenSSL 0.9.8 branch is NOT vulnerable
The vulnerability was introduced to OpenSSL in December 2011.
It has been out in the wild since the OpenSSL 1.0.1 release on 14th of March 2012. OpenSSL 1.0.1g, released on 7th of April 2014, fixes the bug.
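To triage assets outside RedShield's scans against the version list above, the following added example (not RedShield's own tooling) classifies OpenSSL version banners. The function names, hostnames and inventory lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify OpenSSL version strings against this advisory's list.

# heartbleed_status VERSION
# Prints vulnerable, not-vulnerable or unlisted. VERSION may be a bare
# version ("1.0.1e") or a full `openssl version` line.
heartbleed_status() {
    ver=$1
    ver=${ver#OpenSSL }   # drop the leading product name, if present
    ver=${ver%% *}        # drop the build date that follows the version
    ver=${ver%-fips}      # some builds report e.g. "1.0.1e-fips"
    case $ver in
        # 1.0.1 through 1.0.1f (inclusive)
        1.0.1|1.0.1[abcdef])          echo vulnerable ;;
        # 1.0.1g has the fix; later letters are later releases of that branch
        1.0.1[ghijklmnopqrstuvwxyz])  echo not-vulnerable ;;
        # 1.0.0 and 0.9.8 branches
        1.0.0*|0.9.8*)                echo not-vulnerable ;;
        # anything the advisory does not list needs a manual look
        *)                            echo unlisted ;;
    esac
}

# triage_inventory
# Reads "host version-banner" lines on stdin, prints "host<TAB>status".
triage_inventory() {
    while read -r host banner; do
        [ -n "$host" ] || continue
        printf '%s\t%s\n' "$host" "$(heartbleed_status "$banner")"
    done
}

# Constructed sample inventory: hostnames and banners are made up.
SAMPLE_INVENTORY='web01.example.internal OpenSSL 1.0.1e 11 Feb 2013
vpn01.example.internal OpenSSL 1.0.1g 7 Apr 2014
mail01.example.internal OpenSSL 0.9.8y 5 Feb 2013
app01.example.internal OpenSSL 1.0.1e-fips 11 Feb 2013
lab01.example.internal OpenSSL 1.0.2-beta1 24 Feb 2014'

printf '%s\n' "$SAMPLE_INVENTORY" | triage_inventory
```

On a host, `heartbleed_status "$(openssl version)"` checks the local binary. A version string only identifies the upstream release a build is based on: distribution packages that backport the fix can still report an older letter, so confirm a "vulnerable" result against the package changelog or a retest.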
Recommended steps on servers running vulnerable versions of OpenSSL
- Re-issue SSL certificates and install new certs and keys onto patched servers
- Reset any user account passwords on services using SSL to encrypt the communication
- Client-side software that uses a vulnerable version of OpenSSL is also vulnerable to this attack and should be patched asap.
- Browsers must be set to use Certificate Revocation Lists and not accept revoked certificates.
Recommendations for RedShield Cloud customers
RedShield Cloud SSL stack is not vulnerable to this issue; however customers should follow the recommendations above if the origin web server is vulnerable to this attack. Servers should also be locked down at the firewall to only accept traffic from RedShield Cloud, as outlined here:
For Urgent Remediation of Vulnerable Systems:
RedShield Cloud may be deployed to provide remediation for any systems which cannot be patched or which require additional time. Please contact email@example.com.
Further information on this vulnerability:
For more information see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160