In real world deployments, the Heartbleed Bug is a bit different than a lot of other vulnerabilities we have seen. This issue exists in recent versions of OpenSSL and allows an attacker to harvest raw information from the memory of affected devices. Obviously, an affected device contains a front-door bug that needs immediate attention. Since there is also the possibility of undetected information disclosure, there must be some consideration for the associated impact of a data breach. In security conscious environments, there are several steps that must be performed in succession to fully address an affected environment.
Addressing the Heartbleed Bug
- Obtain and install a version of OpenSSL that isn’t affected by the vulnerability
- Confirm that the host is no longer vulnerable
- Consider the possible impact of prior disclosure of memory contents
- Private Keys/Certificate (rekey and reissue as required)
- User Credentials (expire and require new password at next logon)
- Embedded and/or Configured Credentials (www->SQL)
- Any other data that could’ve been in RAM
- Proper Monitoring, Forensics and Notification as required
My general thoughts on this are that the first two steps will be quickly performed on high risk web servers that use standard TCP ports. This is partially due to the coverage the issue is getting. However, my guess is that some organizations will fall short on steps 3 and 4. My additional concern is that Heartbleed may be overlooked in more obscure places. Some may be surprised at where it can be found.
Where Heartbleed is Found?
- OpenSSL running on TCP/443 for typical WWW servers
- Management Interfaces that run SSL
- SSL Terminating Load Balancers
- Web Application Firewalls
- OpenSSL used with other protocols (possibly SMTP, POP, SIP implementations)
- SSL VPN Appliances
- Anywhere OpenSSL is Used
My belief is that most installations that are already patched were likely not exploited. This is purely speculation so data leakage should be considered a possibility and addressed accordingly. I have more concerns around OpenSSL instances that aren’t remediated in a timely manner. Less obvious installations may not be found and patched for a period of time. In those cases, an eventual exploitation is more likely. There are plenty of obscure use cases for OpenSSL that may not be discovered by administrators.
There are broader use cases that may go undiscovered as well. Image the potential impact of a VMWare ESXi installation that is affected by this vulnerability. In a network that is unmaintained, this could go undetected for quite a while. Depending on the environment, this could be a significant risk that leads to subsequent disclosures. Additionally, consider the ramifications of something like this in a Cloud Service Environment. We’re probably going to be seeing repercussion from heartbleed for a while.
Where is the most obscure or concerning place you’ve found heartbleed? Comment Below–
Disclaimer: The opinions shared above are those of Paul Stewart. PacketU nor Paul Stewart accepts any liability due to action or inaction resulting from the content of this article or site.