Get a free application, infrastructure and malware scan report - Scan Your Website Now

Subscribe to our Newsletter
Try AppTrana WAAP (WAF)

Managed WAF

Starts at $99

Guided onboarding, monitoring of latency, false positives, and DDoS attacks, custom rules, and more

Try Free For 14 Days

Security heartache: OpenSSL Heartbleed

Posted DateApril 11, 2014
Posted Time 4   min Read

On April 7th, a major vulnerability in OpenSSL, the most prevalent software used for encryption and other purposes on the web and the internet was discovered. Here are details about what it is, how it affects everyone, and what needs to be done.

SSL, known as the secure socket layer, is the preferred protocol used for encryption. OpenSSL is its most common and open-source implementation. Websites that use encryption, payment gateways, VPNs, apps — including mobile apps, all use SSL and a large majority of them use OpenSSL. The two most common web servers Apache and Nginx, which comprise more than 60% of web servers on the internet use OpenSSL when they use the HTTPS (that is the encrypted version) version of HTTP. Most operating systems use OpenSSL for various modules, so these modules are also affected.

What is Heartbleed Vulnerability?

This vulnerability was discovered by three researchers — Neel Mehta from Google and two others. What this vulnerability does is allow a malicious user to steal sensitive information such as private keys, passwords, etc. The vulnerability is present in a module of OpenSSL called TLS heartbeat extension which is used to generate heartbeat messages. Hence the name Heartbleed for this vulnerability. This heartbeat handshake is usually done during the negotiation time of the SSL protocol and much before HTTPS takes over, in case SSL is used under HTTPS. Thus, the vulnerability is not present in layer 7 but rather at layer 4. As such, signatures to block this vulnerability if any – and none are available as per this time as per our information — have to be in the IDS / IPS and not in the WAF.

Which versions of OpenSSL are affected by this vulnerability?

This vulnerability affects OpenSSL versions 1.0.1 to 1.0.1f and version 1.0.2-beta, 1.0.2-beta1. Earlier versions such as the 0.9.x versions or 1.0.0 are not affected. In fact, the heartbeat feature was introduced by OpenSSL in 1.0.1 itself and was not available in earlier versions. However, earlier versions may be vulnerable to other vulnerabilities such as the BEAST vulnerability so be careful to check for those, if you intend to go back to an earlier version to fix this vulnerability.

Which software is affected and which is not?

The vulnerability is in a module called the TLS heartbeat extension of OpenSSL. As such, software using OpenSSL which uses this extension is affected. This includes web servers using HTTPS such as Apache, Nginx, VPNs such as OpenVPN, lots of Cisco software, and software of many other vendors. One software that is not affected is OpenSSH. OpenSSH, even though using OpenSSL, does not use the TLS heartbeat extension, and hence it is not affected. Mobile applications that use OpenSSL are also affected.

How critical is Heartbleed?

Heartbleed is a critical vulnerability. To get into a bit more detail, the Heartbleed vulnerability allows a malicious user using a client to get 64K of memory from the server. Now, this memory can potentially contain sensitive data such as private keys. Once one gets the private keys, the server can be impersonated. Thus Heartbleed needs to be fixed or taken care of immediately.

While Heartbleed existed in the OpenSSL software for about two years back, it was discovered only recently. The disclosure was made public on April 7th along with a version of OpenSSL ( 1.0.1.g) that has the fix. So, it is not really known if it has been exploited. Further, if exploited, Heartbleed leaves no trace in the logs, etc. unless one logs every SSL/TLS transaction which is hardly practical. So, really we do not know if it has been exploited in the past, but if you have a server running a vulnerable version of OpenSSL and it was accessed anytime from April 7th, one cannot assume that you were not compromised.

What are the fixes?

OpenSSL has released a version of OpenSSL called 1.0.1g which has fixed the vulnerability. This was released on 7th April. So, the best option is to upgrade from a vulnerable version to 1.0.1g. The other option is to recompile from the source the version of OpenSSL which you are using currently but with the flag –DOPENSSL_NO_HEARTBEATs. This will disable heartbeats and so circumvent the vulnerability.

Further, it is important to regenerate all keys generated from a vulnerable version.

In case one is using an OS such as Ubuntu, versions of Ubuntu from 12.04 are vulnerable. Ubuntu has an upgrade available.

The version of OpenSSL that fixes this ( Ubuntu will automatically upgrade to this version; go to http://askubuntu.com/questions/444702/how-to-patch-the-heartbleed-bug-cve-2014-0160-in-openssl) is called 1.0.1-4ubuntu5.12

How to test for this vulnerability and how does one test the fix?

One way to test for the vulnerability is by going to this site and entering the name of the site which needs to be tested.

http://filippo.io/Heartbleed/

Indusface Web Application Scanning uses its application scanning capability to check for this vulnerability and has done so for most of its customers.

Are there any other workarounds other than upgrading OpenSSL etc?

Here is an immediate workaround in case you are running a website:

In case you don’t have time to upgrade to a new version of Apache/Nginx which has a newer version of OpenSSL, one way is to install a different Apache server as a reverse proxy. Disable HTTPS from your current Apache/Nginx. And let all traffic go to your newer Apache/Nginx which should not be vulnerable and then let the newer Apache/Nginx work as a reverse proxy and let all traffic go unencrypted to your older web server. The newer reverse proxy can be deployed in your DMZ itself so there are no other security issues. The reverse proxy can also be used to deploy a WAF which can help secure your website from other vulnerabilities. You can contact Indusface for more details of such a quick solution.

You can start with the AppTrana Free Forever Website Security Scan to find out how it works.

web application security banner

Nandini Tandon

Nandini is the co-founder and Chief People Officer at Indusface. She is responsible for the evolution of Indusface’s culture as an organization that empowers its people through sound professional development. Nandini is dedicated to driving organizational development strategies that support the company’s global growth, talent management, rewards and recognition for its employees worldwide.

Share Article:

Join 47000+ Security Leaders

Get weekly tips on blocking ransomware, DDoS and bot attacks and Zero-day threats.

We're committed to your privacy. indusface uses the information you provide to us to contact you about our relevant content, products, and services. You may unsubscribe from these communications at any time. For more information, check out our Privacy Policy.

Related Posts

Heartbleed or Shellshock
Heartbleed or Shellshock – Which one is more danger?

There have been several atrocious security vulnerabilities announced in the last few months, with “Heartbleed” in web servers and Shellshock in shell command lines. There are too many questions in the.

Read More
Heartbleed still bleeding your security
Heartbleed still bleeding your security?

Google and Codenomicon were responsible for finding the Heartbleed bug which had remained hidden for more than two years.

Read More
OpenSSL MITM CCS vulnerability
OpenSSL MITM CCS vulnerability and its impact

Within weeks of the infamous Heartbleed vulnerability in one of the world’s most commonly used open-source software OpenSSL, more vulnerabilities have been found in OpenSSL. One of the reasons for.

Read More

AppTrana

Fully Managed SaaS-Based Web Application Security Solution

Get free access to Integrated Application Scanner, Web Application Firewall, DDoS & Bot Mitigation, and CDN for 14 days

Get Started for Free Request a Demo

Gartner

Indusface is the only cloud WAAP (WAF) vendor with 100% Customer Recommendation for 3 consecutive years.

A Customers’ Choice for 2022 and 2023 - Gartner® Peer Insights™

The reviews and ratings are in!