The OpenSSL Heartbleed Vulnerability


On April 7th, the discovery of the OpenSSL bug dubbed "Heartbleed" was disclosed through public channels. Researchers found that a crafted "heartbeat extension" packet could recover data from adjacent areas of memory on a client or server. This data, with luck, could be information pertaining to keys, certs, logins, passwords or other highly sensitive information.

Not only is the vulnerability serious, but the fact that it hits the OpenSSL library is even more concerning. This is because a huge number of apps, including the vast majority of web servers across the internet, rely on OpenSSL.


What the potential exploit is:

The faulty heartbeat extension implementation allows for the client to call for information in a block that is larger than the actual amount of information it is asking for. This allows the attacker to read data from unintended areas of memory.



This data can be completely benign, or something crucial, or fragments of data. This will be radically dependent on how the system is set up, and what the system is doing at the exact moment the exploit is attempted. The biggest problem with this exploit is the attacks leave no trace, so they can be repeated a huge number of times trying to scrape up important user data like keys, passwords, and certificates. Even worse, the server being attacked leaves no indication that data has been compromised or lost.


Countermeasures:

As of this writing most VPN services have not responded to the public with regard to how they have handled Heartbleed. OpenVPN uses OpenSSL by default on all platforms, and it specifically has a vulnerable version of OpenSSL built into the Windows client. There is an updated version of the OpenVPN client with the vulnerability corrected. Tunnelblick (the open-source client for Apple OSX) was also updated today to close their OpenSSL Heartbleed vulnerability. The OpenVPN Connect apps do not require updates. They use PolarSSL which is not vulnerable to Heartbleed.

The VikingVPN team pulled an all-nighter and had a solution implemented early this morning (shortly before our transparency post about Heartbleed). Our clients are no longer at risk, because we force all clients to use the tls-auth setting in OpenVPN.

Some providers do not use tls-auth, and clients will still be vulnerable to attack until their servers are patched, their keys and certs regenerated, and the client is patched.

As for web servers that run OpenSSL, at this point the best solution is to update OpenSSL (most Linux and BSD repositories are now carrying the fixed version) and to assume that any keys and certs on the server may be compromised. This means creating or purchasing a new SSL certificate for the website, and generating new keys if you use a static key system.


More information:

http://heartbleed.com/

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160

https://blog.torproject.org/blog/openssl-bug-cve-2014-0160

https://www.openssl.org/news/secadv_20140407.txt








Learn why Viking VPN is the Fastest VPN Service Provider.

< last
next >