4/14/2014
07:00 PM

Heartbleed's Intranet & VPN Connection

How the game-changing crypto bug affects internal servers, clients, and VPN networks -- and what to do about it.

It's been one week since the massive Heartbleed flaw was disclosed publicly and websites began frantically patching, but the potential danger of the bug being used to hack into businesses' internal networks and steal their data could last for years to come.

The attention initially focused on patching public-facing websites and protecting user credentials from Heartbleed, as well as sites' digital certificates. But the long-term ramifications of the Heartbleed encryption flaw in the widely deployed open-source OpenSSL library are slowly coming into focus: how cyberspies and sophisticated cybercrime gangs can or already have used the bug to infiltrate an organization's intranet servers, network devices, client machines, and VPN servers in order to steal valuable data.

"The immediate focus should have been on the perimeter and external websites. But the long-term devastation and real cost is from the internal [network] perspective," says Rob Seger, distinguished engineer at Palo Alto Networks. "Being able to steal all the data carte blanche is, in my opinion, a more lasting and negative" outcome of Heartbleed.

The list of potentially vulnerable internal assets is massive -- everything from internal web servers for mission-critical internal applications to SSL-enabled services such as FTP over SSL, VOIP phones, printers, VPN servers, and VPN clients. "The reality is that it's going to take 4-5 years minimum for the larger enterprises to clean this up," assuming they know where all their vulnerable SSL-based services and products reside in the network, Seger says.

Identifying and patching those internal Heartbleed-vulnerable systems will take time, and in many cases, not everything will get patched. Some lower-profile devices may not ever receive vendor patches, security experts say, and legacy systems could get lost in the patch shuffle.

A VOIP phone, for example, could be exploited to listen in on calls, and data within documents coming off a printer would be at risk of interception. Client machines, meanwhile, are vulnerable through the services they connect to: a server that exploits Heartbleed against a connecting client could collect data from that machine, experts say.

"This made it so a script kiddie can leverage APT-level attacks... by stealing a Python script off the web, he can do things only APTs can do," Palo Alto's Seger says.

Heartbleed is an implementation flaw in OpenSSL Versions 1.0.1 and 1.0.2 beta that leaks the contents of the memory from the server to the client and vice versa, potentially exposing passwords, other sensitive data -- and the SSL server's private key. OpenSSL developers inadvertently introduced the flaw in those versions of the open-source code at their release two years ago, but it was only recently that researchers at Google and Codenomicon discovered and reported it.

OpenSSL released a patch a week ago for the bug in the Transport Layer Security protocol's "heartbeat" extension, a keep-alive mechanism that lets one endpoint check that the peer it is connected to is still alive and can respond. An exploit using the bug would allow an attacker to siphon up to 64 kilobits of server memory at a time.

The discovery of Heartbleed comes at a time when the security and privacy communities have been lobbying heavily for wider SSL adoption, reacting to revelations of widespread surveillance by the National Security Agency.

"We still don't have definite consensus on how bad this [Heartbleed] is yet," says Damon Rouse, director of IT for the defense and government contractor Epsilon Systems.

Rouse, who says his organization is mostly a Windows environment and so is not as widely affected by Heartbleed as some larger organizations, has spotted some false positives in his network pointing to Heartbleed attack activity. "We've seen a couple of false positives with some IPS rules we have put in place" on the network. One alert turned out to be a backup vendor's OpenSSL implementation that required a patch, which came the next day, he says.

Businesses and other organizations are beginning to take a close look at their internal web server interfaces, VPN concentrators, and other internal systems using SSL for encrypted sessions. "I have a red team group, and our collective feel is that this is something within organizations that has got a long-tail effect that's going to linger for years to never for some products that may have versions that may never receive a vendor patch," says George Baker, director of professional services at the managed security services firm Foreground Security. "This is a great vector for an advanced attack -- for a phish or a beachhead."

So how can organizations protect their internal networks from the potential bloodletting of Heartbleed?

Segment your internal network with virtualization. A flat architecture makes it too easy for attackers to move around laterally and get to targeted information, experts say. "Create logical barriers, especially around data centers," says Raj Shah, director of cybersecurity for Palo Alto Networks.

"If you can segment those networks internally, even if a patch is not available for a phone, or an embedded device, for example, you can move it to a place where laptops and systems that don't need to connect to it are segmented and segregated. Segregating internal network space is a huge risk reduction for an advanced attack," Foreground's Baker says.

Those VLANs can be set up via router access control lists or stateful firewalls, he says.

IPSes and data leakage protection systems should be updated to detect Heartbleed-type attacks, as well, and web application firewalls can help. "Usually, in these cases, it takes a while to understand you've been compromised," says Motty Alon, director of security solutions at Radware.
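As an added example, not part of the article or of any vendor's product, here is the kind of check an IPS rule applies to the heartbeat extension described above: parse TLS records from a captured byte stream and alert on a heartbeat whose declared payload length is larger than the record can actually hold, which is the condition unpatched OpenSSL failed to verify. The sample stream is constructed, and the 16-byte minimum padding bound comes from RFC 6520, which defines the extension.

```python
"""Added example: flag TLS heartbeat records whose declared payload length
exceeds what the record actually carries (the check unpatched OpenSSL lacked)."""
import struct
from typing import Iterator, List, Optional, Tuple

TLS_HEARTBEAT = 24            # TLS record content type for the heartbeat extension
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16              # RFC 6520: every heartbeat carries at least 16 bytes of padding


def iter_tls_records(stream: bytes) -> Iterator[Tuple[int, int, bytes]]:
    """Yield (content_type, version, fragment) for each TLS record in the stream."""
    off = 0
    while off + 5 <= len(stream):
        ctype, version, length = struct.unpack_from("!BHH", stream, off)
        yield ctype, version, stream[off + 5:off + 5 + length]  # short if truncated
        off += 5 + length


def check_heartbeat(fragment: bytes) -> Optional[str]:
    """Return None for a well-formed heartbeat message, otherwise the reason to alert."""
    if len(fragment) < 3:
        return "heartbeat header truncated"
    hb_type, payload_len = struct.unpack_from("!BH", fragment, 0)
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return "unknown heartbeat type %d" % hb_type
    # Bytes left for payload once the 3-byte header and minimum padding are removed.
    available = max(len(fragment) - 3 - MIN_PADDING, 0)
    if payload_len > available:
        return "declared payload %d exceeds available %d" % (payload_len, available)
    return None


def scan(stream: bytes) -> List[str]:
    """Run the heartbeat check over every record and collect alert strings."""
    alerts = []
    for idx, (ctype, _version, fragment) in enumerate(iter_tls_records(stream)):
        if ctype == TLS_HEARTBEAT:
            reason = check_heartbeat(fragment)
            if reason:
                alerts.append("record %d: %s" % (idx, reason))
    return alerts


# Constructed sample stream (not a real capture): a handshake record that the scan
# skips, a well-formed heartbeat request, then one that over-declares its payload.
SAMPLE_STREAM = (
    b"\x16\x03\x02\x00\x02\x01\x00"                                   # handshake, 2 bytes
    + b"\x18\x03\x02\x00\x17" + b"\x01\x00\x04ping" + b"\x00" * 16    # 4-byte payload + padding
    + b"\x18\x03\x02\x00\x13" + b"\x01\x01\x00" + b"\x00" * 16        # claims 256 bytes, has 0
)

if __name__ == "__main__":
    for alert in scan(SAMPLE_STREAM):
        print(alert)
```

Because compliant senders always include the padding, a declared length above the available bytes never occurs in legitimate traffic, so the rule can alert without tuning for false positives of the kind described earlier.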

Heartbleed is a game-changing security event, Alon says. "It's something like what happened to airport security after 9/11. It will change all of the things we know, and there will be" multiple stages to the response.

Meanwhile, at least one anti-DDoS service provider says its service thwarts Heartbleed. Barrett Lyon, founder and CTO of Defense.Net, says his DDoS mitigation service automatically inspects traffic flows and validates protocols, and checks for oddities -- "if you connect in a strange way to an SSL server and the connection is not actually coming with it as if it's a web browser," for example.

Lyon says some companies may have to toss out equipment that can't be patched for Heartbleed. "We're going to hear from vendors we haven't heard from in a long time. It's going to have a ripple effect."

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Alexpth, User Rank: Apprentice, 5/22/2014 | 8:29:19 AM
Re: It's possible to analyze all traffic for heartbeat messages
If I use a VPN service from some VPN providers, for example shadeyouvpn, does such a service protect me from this danger?

Tyson S, User Rank: Apprentice, 4/17/2014 | 12:13:48 PM
It's possible to analyze all traffic for heartbeat messages
ExtraHop analyzes all traffic to parse out transaction-level metrics, including the heartbeat messages used in this exploit. In this way, enterprise IT teams can easily monitor all potential Heartbleed attacks against any device acting as an SSL server. We've described this capability here: http://www.extrahop.com/post/blog/detect-heartbleed-exploits-with-extrahops-free-download/

AmmarNaeem, User Rank: Apprentice, 4/17/2014 | 5:36:02 AM
Re: Obama Approved NSA's use of Heartbleed for 'National' Interests
Heartbleed is a platform-independent problem that has exposed what is being called a two-year-old underlying weakness in the OpenSSL protocol. Major websites like Facebook and Tumblr have applied the necessary patches but mobile devices (smartphones) still remain unsafe. Android and iOS users can secure online privacy and internet freedom (until the patches/upgrades come out) by using VPNs to tunnel and encrypt their data. Heartbleed is Causing Damage & You Need to Protect Yourself.

Kelly Jackson Higgins, User Rank: Strategist, 4/16/2014 | 8:20:55 AM
Re: Obama Approved NSA's use of Heartbleed for 'National' Interests
@micjustin33, we also covered the White House's policy on using 0days here:

http://www.darkreading.com/analytics/white-house-details-zero-day-bug-policy/d/d-id/1204483?

micjustin33, User Rank: Apprentice, 4/16/2014 | 8:13:15 AM
Obama Approved NSA's use of Heartbleed for 'National' Interests
After the White House denied it ... Obama approved NSA's use of Heartbleed for 'National' Interests.

The problem was lack of oversight/review, not usually a problem unless it's mission-critical like OpenSSL. Code's a mess, though.

Well that is kind of their (NSA) job, to decrypt things and stuff. Can't have the outside world too secure from the alphabet agencies now can we ...