
OpenSSL vulnerability widespread

By now most of you should be aware of the serious vulnerability in OpenSSL known as Heartbleed (CVE-2014-0160), reported here:

http://heartbleed.com/

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160

http://www.openssl.org/news/secadv_20140407.txt

The bug lets an unauthenticated remote peer read up to 64 KB of the process's memory per malformed heartbeat request, and that memory can contain the server's private key, session cookies and user credentials.  This means that the security protections normally provided by SSL certificates cannot be relied on for a vulnerable system that has been exploited, and attacks on data confidentiality and integrity may follow.  It affects any service or protocol that uses a vulnerable OpenSSL for TLS, such as web, IMAP, VPN etc., and clients linked against a vulnerable OpenSSL can likewise be attacked by a malicious server.

Both Shodan and Metasploit have released scanning capability for this vulnerability, so Internet-facing vulnerable servers should be assumed to be under active scanning and exploitation by script kiddies and other malicious actors.  Exploitation leaves no trace in ordinary application logs, so a lack of evidence is not evidence that a vulnerable server was not attacked.

What this means for you

Comodo has provided additional information for its customers, including an advisory, which we recommend you read.

In summary these steps are:

  • identify vulnerable servers, then patch them and restart every service that links OpenSSL (a running process keeps the old library loaded until restarted).  Where no vendor patch is available yet, OpenSSL can be rebuilt with -DOPENSSL_NO_HEARTBEATS or the service taken offline.  Priority should be given to external facing systems.
  • replace the certificates on those servers: generate a new private key and a new CSR from that key.  The existing private key must be assumed to have been compromised, and a CSR generated from the old key would simply have the compromised key certified again.
  • once the new certificate is installed, revoke the replaced certificate.

At present we know that the following operating system releases ship a vulnerable OpenSSL and that vendor patches are available for them.  The version strings shown are the vulnerable ones; check your vendor's advisory for the fixed package version, because most distributions backport the fix without changing the upstream version number reported by "openssl version":

  • Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
  • Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
  • CentOS 6.5, OpenSSL 1.0.1e-15
  • OpenBSD 5.3 and 5.4 (OpenSSL 1.0.1c 10 May 2012)
  • FreeBSD 10.0 - OpenSSL 1.0.1e 11 Feb 2013
  • NetBSD 5.0.2 (OpenSSL 1.0.1e)
  • OpenSUSE 12.2 (OpenSSL 1.0.1c)


It is likely that other operating systems and appliances (load balancers, VPN concentrators, firewalls and similar devices that embed OpenSSL) are also vulnerable and that their vendors have yet to release patches.
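As an added worked example of the identify and replace steps above (this is editorial example code, not the page's own or Comodo's): it flags an affected upstream OpenSSL version string, falls back to the vendor package changelog because of the backporting caveat, and generates a replacement key and CSR while proving the CSR was not built from the old key.  It assumes the openssl binary is on PATH; the file names, the CN and the changelog locations (RPM's changelog, Debian/Ubuntu's changelog.Debian.gz for libssl1.0.0) are assumptions for illustration.

```python
"""Added example: identify an affected OpenSSL and rotate the key + CSR with a fresh key.
Assumes `openssl` is on PATH; file names and the CN are placeholders."""
import re
import subprocess
from pathlib import Path
from typing import Optional

# Affected upstream releases per the OpenSSL advisory: 1.0.1 through 1.0.1f and 1.0.2-beta1.
# 1.0.1g, the 1.0.0 branch and 0.9.8 are not affected.
_AFFECTED = re.compile(r"^OpenSSL 1\.0\.(1[a-f]?|2-beta1)\b")


def upstream_version_affected(version_line: str) -> bool:
    """True if the output of `openssl version` names an affected upstream release.

    Caveat: distributions backport the fix without bumping this string (a patched
    Debian package still reports 1.0.1e), so True means "check the package", not
    "vulnerable"."""
    return bool(_AFFECTED.match(version_line.strip()))


def vendor_changelog_mentions_fix() -> Optional[bool]:
    """Backport-aware check: does the installed package's changelog cite CVE-2014-0160?
    Returns None when neither an RPM database nor the Debian changelog is present."""
    deb_changelog = Path("/usr/share/doc/libssl1.0.0/changelog.Debian.gz")  # assumed path
    if deb_changelog.exists():
        out = subprocess.run(["zcat", str(deb_changelog)], capture_output=True, text=True).stdout
        return "CVE-2014-0160" in out
    try:
        out = subprocess.run(["rpm", "-q", "--changelog", "openssl"],
                             capture_output=True, text=True).stdout
    except FileNotFoundError:
        return None
    return "CVE-2014-0160" in out


def _modulus(kind: str, path: Path) -> str:
    """RSA modulus of a key ('rsa'), certificate ('x509') or CSR ('req') via openssl."""
    out = subprocess.run(["openssl", kind, "-in", str(path), "-noout", "-modulus"],
                         check=True, capture_output=True, text=True).stdout
    return out.strip()


def rotate(cn: str, old_key: Path, new_key: Path, csr: Path, bits: int = 2048) -> None:
    """Generate a brand-new private key and a CSR from it, then refuse to proceed if the
    CSR would re-certify the old (assumed compromised) key."""
    subprocess.run(["openssl", "genrsa", "-out", str(new_key), str(bits)],
                   check=True, capture_output=True)
    new_key.chmod(0o600)
    subprocess.run(["openssl", "req", "-new", "-key", str(new_key), "-out", str(csr),
                    "-subj", f"/CN={cn}"], check=True, capture_output=True)
    if _modulus("rsa", new_key) == _modulus("rsa", old_key):
        raise RuntimeError("new key equals old key: the CSR would re-certify compromised material")
    if _modulus("req", csr) != _modulus("rsa", new_key):
        raise RuntimeError("CSR was not generated from the new key")


if __name__ == "__main__":
    version = subprocess.run(["openssl", "version"], capture_output=True, text=True).stdout
    print(version.strip(), "affected upstream:", upstream_version_affected(version),
          "vendor fix in changelog:", vendor_changelog_mentions_fix())
    rotate("www.example.com", Path("old.key"), Path("new.key"), Path("new.csr"))  # placeholders
    print("new.csr built from new.key; install the issued certificate, then revoke the old one")
```

upstream_version_affected() is only a first filter: on a vendor-patched host it is expected to return True, which is why the changelog check follows it.  The modulus comparison in rotate() is the check that catches the common mistake of pointing "openssl req -new -key" at the existing key.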

Finding out if you are vulnerable

Some third parties, including Comodo, have provided web based systems to help you detect whether publicly facing servers may be vulnerable to the Heartbleed vulnerability.  There are also tools which can be downloaded to scan for and identify vulnerable systems yourself.

While these services may be useful if you have no other means to quickly identify vulnerable systems, please note that these tools usually confirm the vulnerability by exploiting it: they send the malformed heartbeat request and check whether the server answers with more data than it was sent.  That data is a slice of the server process's memory, so a test run by a third-party web service hands that memory, which may include private key material, session cookies or user credentials, to the third party.  A tool you run yourself only exposes that data to you, but it is still an exploit against a production system and may be contrary to your security policies.  You need to weigh up the benefits with the risks.

As more information becomes available we will update this page.

Other useful references

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160

http://www.kb.cert.org/vuls/id/720951

http://auscert.org.au/19352

http://www.theverge.com/2014/4/8/5594266/how-heartbleed-broke-the-internet

http://www.thewire.com/technology/2014/04/what-you-need-to-know-about-heartbleed-the-new-security-bug-scaring-the-internet/360366/