Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

4/8/2014
02:20 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Emergency SSL/TLS Patching Under Way

A "Heartbleed" flaw revealed in the OpenSSL library leaks the contents of memory, including passwords, source code, and keys.

The race is on to fix SSL-based websites and software in the wake of a newly revealed and dangerous flaw in the popular OpenSSL library for encrypting HTTP traffic, with nearly one-third of major websites potentially at risk.

OpenSSL released a patch yesterday for a read-overrun bug in its implementation of the Transport Layer Security protocol's "heartbeat" extension, an extension to the protocol that checks on the site to which it is connecting to ensure it's connected and can respond. If exploited, the bug leaks the contents of the memory from the server to the client and vice versa, potentially exposing passwords and other sensitive data and, most alarmingly, the SSL server's private key. OpenSSL Versions 1.0.1 and 1.0.2 beta are affected by the vulnerability, which was discovered by security researchers at Google and Codenomicon.

"This is very significant because the hack allows you to extract up to 64 kilobits of server memory at a time. So you submit some malformed request to the server, get 64 kbit/s of server memory and whatever is in that chunk of memory," Ivan Ristic, who heads up the SSL Labs at Qualys, told us. "By nature of things, it handles sensitive information, including the private key of the server. If you get that, you can impersonate the server."

SSL, which encrypts communications sessions on the web via websites, virtual private network, email, and instant messaging sessions, has become the battle cry of the privacy world in the wake of Edward Snowden's leaks of documents revealing controversial NSA surveillance programs. But most websites today do not use SSL -- or HTTP-S. Retailers, social networks, and other sites that handle sensitive user or financial information typically use SSL.

The SSL vulnerability may be the harbinger of things to come, now that Internet encryption is getting more attention and adoption, as researchers take a closer look at implementations. "It's clearly still better to have SSL... but the majority of the world does not," Ristic said. It's still much easier to attack sites not running SSL. "It's going to get worse before it gets better. These things are coming out because we are paying more attention to encryption, and now these things are coming to light."

Patching has been under way for many major operators and server vendors, including Debian, CentOS, RedHat, SUSE Linux, and Ubuntu, while others have been slower to update: as of this posting, Yahoo had not yet been updated for the flaw. "Many major websites have not been patched yet. It's difficult to do if you are running multiple devices that need to be patched for it -- you have to wait," Ristic said. "Someone with a large infrastructure may take some time to update. This is emergency patching all around the Internet."

To thwart attacks, experts say, organizations must either upgrade to the new OpenSSL 1.0.1g or recompile the library to disable the heartbeat function. The flaw is about two years old, and because any attack would be silent and undetected, experts recommend that organizations obtain new digital certificates.

"You may want to consider replacing SSL certificates if you are afraid that the exploit was already used against your site," Johannes Ullrich wrote in today's SANS Internet Storm Center Diary. "But the exploit is not limited to secret SSL key. All data in memory is potentially at risk."

The bug's exposure of the private SSL key is especially alarming to security experts. Meanwhile, multiple proof-of-concept tools are circulating online today and making it easy for attackers to exploit the Heartbleed bug.

"If they get the key, anyone who can intercept your communications can pretend to be the other end of the connection. So if you are connecting to your bank, do you want anyone reaching in and changing the dialog between you and the bank? So instead of asking for your balance, it transfers all of your money to hackers.us.com," for instance, said Andrew Ginter, industrial cybersecurity expert at Waterfall Security. "How realistic is it that anyone will intercept that communication? It's not that hard."

Jaime Blasco, director of AlienVault Labs, told us the flaw can be abused to steal, not only usernames and passwords, but also some elements of the application's source code. "The attack can be also combined with a man-in-the-middle attack to obtain credentials from the client before the server perform authentication."

Providers affected by the bug should not only patch but also replace their private keys and certificates for each of the services using the OpenSSL library, Blasco said.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
securityaffairs
50%
50%
securityaffairs,
User Rank: Ninja
4/10/2014 | 3:15:31 PM
Re: On the backend
Let's analyze also the reply of principal web service providers. I made some tests and at 48 from the disclosure of the flaw the most popular website, and almost every bank has fixed the issue. This means that awareness machine has done a good job and that alerting on security and privacy issues is high

 
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
4/9/2014 | 8:06:01 PM
Re: Change passwords and user names?
So regarding certificates, the prudent procedure is to revoke the old certificate once a new one is generated and placed into production. That propagates into the CRL and the end user's browser (or application) sees that the old certificate has been revoked and is therefore invalid, and provide notification prior to or prevent further action.
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
4/9/2014 | 1:58:14 PM
Re: A failure of the many eyes test
This probably only scratches the surface of the kinds of flaws that will be found in SSL implemenations going forward. Encryption is more under the microsocope now.
Charlie Babcock
50%
50%
Charlie Babcock,
User Rank: Ninja
4/9/2014 | 1:51:06 PM
A failure of the many eyes test
OpenSSL fails the many eyes test. The many participants of an open source project are supposed to detect a major bug before it has a chance to be launched and cause mischief. This is a major bug, and I don't see how someone in the project didn't think to try what the security lab did and discover it. 
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
4/9/2014 | 10:26:28 AM
Re: Change passwords and user names?
@jaingverda I was being facetious there. Most big-time sites would indeed have strong password enforcement. 
jaingverda
50%
50%
jaingverda,
User Rank: Moderator
4/9/2014 | 10:23:47 AM
Re: Change passwords and user names?
@Kelly Jackson Higgins, As a developer I find it appalling that companies are not instituting a password black list for the 100 most common passwords by now. We have it so you have mimum length and several casings but nothing concerning the most common passwords known. Do you have any ideas on why they would still be letting those be used?
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
4/9/2014 | 10:03:55 AM
Re: Change passwords and user names?
The catch, of course, is getting everyday users/consumers to understand or even know they should change their password after the affected websites update for the flaw, get new certs, etc. Hoping the website owners will alert users of this best practice, and that they won't just go from Password 12345 to Password 123456. 
jaingverda
50%
50%
jaingverda,
User Rank: Moderator
4/9/2014 | 9:50:02 AM
Re: Change passwords and user names?
@Marilyn cohodas, I believe we are re-issuing new certifications to all our domains right now as for the black listing; I am not sure I am trying to find out about that. It's not really in my perview with my job description.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
4/9/2014 | 9:33:44 AM
Re: Change passwords and user names?
Thanks for sharing your personal response to to Heartbleed, @jaingverda. What is your organization doing about the certification blacklist issue? What options are you considering.

Curious to hear from other readers about their and concerns...
jaingverda
50%
50%
jaingverda,
User Rank: Moderator
4/9/2014 | 9:25:26 AM
Re: Change passwords and user names?
For once I don't think you can over stress the damage that has been done by this. As one write up put it we have no clue how long this could have been activily exploited. Changing passwords for everything would be great. Personally I know I am changing my passwords on anything that touches secure data ie finance, health history etc. Also I am going full tilt and finally getting last pass set up with the mobel app so I can have strong passwords for everything and doing the same for my family.

The other issue and it is germane to the discussion of the password reset is how to black list every single certification that was used during this time because we have to assume that they all have been compromised. I fear that were going to see a huge rise in man in the middle attacks here about a year or two from this.
Page 1 / 2   >   >>
RDP Bug Takes New Approach to Host Compromise
Kelly Sheridan, Staff Editor, Dark Reading,  7/18/2019
The Problem with Proprietary Testing: NSS Labs vs. CrowdStrike
Brian Monkman, Executive Director at NetSecOPEN,  7/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-10101
PUBLISHED: 2019-07-23
ServiceStack ServiceStack Framework 4.5.14 is affected by: Cross Site Scripting (XSS). The impact is: JavaScrpit is reflected in the server response, hence executed by the browser. The component is: the query used in the GET request is prone. The attack vector is: Since there is no server-side valid...
CVE-2019-10102
PUBLISHED: 2019-07-23
Voice Builder Prior to commit c145d4604df67e6fc625992412eef0bf9a85e26b and f6660e6d8f0d1d931359d591dbdec580fef36d36 is affected by: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'). The impact is: Remote code execution with the same privileges as the...
CVE-2019-10102
PUBLISHED: 2019-07-23
Jeesite 1.2.7 is affected by: SQL Injection. The impact is: sensitive information disclosure. The component is: updateProcInsIdByBusinessId() function in src/main/java/com.thinkgem.jeesite/modules/act/ActDao.java has SQL Injection vulnerability. The attack vector is: network connectivity,authenticat...
CVE-2018-18670
PUBLISHED: 2019-07-23
GNUBOARD5 5.3.1.9 has XSS that allows remote attackers to inject arbitrary web script or HTML via the "Extra Contents" parameter, aka the adm/config_form_update.php cf_1~10 parameter.
CVE-2018-18672
PUBLISHED: 2019-07-23
GNUBOARD5 5.3.1.9 has XSS that allows remote attackers to inject arbitrary web script or HTML via the "board head contents" parameter, aka the adm/board_form_update.php bo_content_head parameter.