My original intention was to post on the much anticipated death of Microsoft Windows XP. Though the arrival of the heartbleed vulnerability in OpenSSL seems to have rather trumped that. Though this blog was never intended to be a news service, and many excellent such blogs already exist – this is a situation well worthy of comment.
CVE-2014-0160 was posted on the seventh of April 2014 and concerns the leakage of information from systems using some versions of the OpenSSL security and encryption library. The problem started to appear at the beginning of 2012 and patches have only just become available.
What it does
This post is not designed to give full technical details; those are available at the links listed at the end of this article but rather to alert our customers and employees to the potential seriousness of this problem. The basic problem is pretty simple, when a malformed read request is sent to a vulnerable system it responds with the contents of a 64k chunk of the victim machines’ memory. That memory could contain all sorts of sensitive data and tests have confirmed that this could include the websites private encryption keys. Thus, compromising the site completely.
The most important considerations that I can think of are:
- It is an over simplification to say that Linux systems are vulnerable and Microsoft systems are not, but prioritising Linux and open source systems is reasonable
- Many older builds of OpenSSL are not vulnerable, in particular those based on version 0.9.8
- The attack appears to be silent, there will be nothing in the server logs and network IDS vendors are only now starting to provide signitures
- Just patching does not cure the problem, as you cannot tell if a site has been previously compromised, the vulnerable keys (certificates etc) may need to be replaced
- Once lost, such information can be used to imitate a site and trick users into accessing a rogue site
- Proof of concept attack code has already been published
- The Rapid7 Metasploit framework now has an openssl_heartbleed module
- Responsible sites have already starting patching and renewing HTTPS certificates, and revoking the old ones
- Checks for revoked certificates are not often ideal, leaving us with website spoofing problems
- The attack is reported as by-directional, clients are at risk as well as servers
- Don’t rely on the default package included in a distribution, check what is actually running on your systems. An application (for example) may have replaced the default library with a vulnerable one.
- Getting the precise version number of the OpenSSL library is not always obvious, please check carefully with the vendor
- Vendors, testing services, applications, repositories etc are all racing to catch up, do not assume that no news is good news
The following are all external links, please treat them with the usual care. This is still an emerging problem, it may be necessary to check back later as more information becomes available.
Coverage report from netcraft:
Why revocation might not be enough:
The effect on TOR (those really needing Web anonymity are best advised to wait for things to calm down)
Test a public facing site (SSL from Qualys, expect this site to be rather busy just at the moment)
As for XP, perhaps we need to wait a few weeks to see what happens, I’m not alone in believing that the attacks against XP will come slowly but the attacks against this will come quickly