Unearthing Haemorrhages
To date much effort has been focused on remediating common sources of Heartbleed, without taking into account that the vulnerability affects more than just common ports (such as 443 for HTTPS). Many online testing tools limit the scope of tests for Heartbleed to a subset of ports, thereby providing limited assurance and are focused on externally facing assets. During recent engagements, we are still finding Heartbleed, often on internal management systems where the disclosure of sensitive information could aid a malicious insider. It is also important to understand that the vulnerability may not only lie within an Operating System but also in any application containing and utilising a vulnerable OpenSSL library. Therefore an organisation’s approach to patching must be holistic and take both of these areas into account.
For those requiring defensible assurance, any service implementing SSL on any port should be tested and if required, treated. Additionally, whether vulnerabilities are found or not it may be possible that the Heartbleed bug was already exploited prior to discovery or patching. There are techniques that can be employed to flag telltale larger-than-typical TLS heartbeat responses from a server and additionally, reveal exactly what information was compromised.
However, a single test cannot provide certainty that the vulnerability will not be reintroduced into the system via the installation of an unpatched vulnerable application or embedded system. Therefore, it is vital that your ongoing assurance activity continues to check for issues long after they have left the media spotlight.
If you would like support in completing any assurance activity then please get in touch using:
contact-us@7elements.co.uk.
Background
The security bug, CVE-2014-0160, known as Heartbleed was disclosed in April 2014. Heartbleed directly affects the Transport Layer Security (TLS) cryptographic protocol that uses affected OpenSSL cryptography libraries (versions 1.0.1 to 1.0.1f). The aim of TLS is to provide communications security and privacy over the Internet. Applications that utilise this protocol range from Virtual Private Networks to email and web services.
Heartbleed exploits vulnerable OpenSSL libraries to compromise secret keys used to encrypt traffic, allowing access to transmitted data including usernames and passwords.
Additional Remediation
Research from the University of Maryland has identified that while many system administrators quickly applied patches to correct the Heartbleed vulnerability, many failed to properly implement revocation of current certificates and ensure the re-issuing of new new certificates. The final step of revocation and re-issue is vital, as the Heartbleed vulnerability could have been used to gain access to the private keys of a server.
Links
http://www.umiacs.umd.edu/~tdumitra/papers/IMC-2014.pdf
How to Detect a Prior Heartbleed Exploit