blog.atwork.at


OpenSSL "Heartbleed" vulnerability infos

The "Heartbleed" vulnerability of OpenSSL is in the news - well, actually a big part of the world's computer systems can be affected. And your accounts too!

Who is affected? Are your passwords still safe? What to do?

I collected some information about the vulnerability here; I hope it helps your understanding.

What is OpenSSL and what is it used for?

OpenSSL is a common library on Linux for providing encryption functionality. The OpenSSL encryption software library is used by many websites to protect customers' data. OpenSSL 1.0.1 contains a vulnerability that could disclose sensitive private information to an attacker.

I'm not an expert in that technology, but it seems comprehensible that all information going over an OpenSSL connection (https://....) could be read by hackers. This includes logins, passwords and sensitive data, see OpenSSL heartbeat extension read overflow discloses sensitive information.

IMHO Open Source - as good as it is - sometimes lacks quality control, otherwise I can't understand why this issue could happen. Did not enough eyes look into the implementation, or was it that hard to find? Usually I admire most Open Source projects because of their code quality... Anyway, let's find out something about that issue:

About "Heartbleed"

So a remote, unauthenticated attacker may be able to retrieve sensitive information by exploiting the Heartbleed vulnerability and may be able to decrypt accounts and data (that would otherwise be protected by OpenSSL).

[Image: Heartbleed infographic. Graphics by www.businessinsider.com.]

See http://www.openssl.org/news/secadv_20140407.txt for the "sober" description:

OpenSSL Security Advisory [07 Apr 2014]
========================================
TLS heartbeat read overrun (CVE-2014-0160)
==========================================
A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server. Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1. Thanks for Neel Mehta of Google Security for discovering this bug and to Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for preparing the fix. Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS. 1.0.2 will be fixed in 1.0.2-beta2.

So the issue applies to OpenSSL versions earlier than 1.0.1g; it was discovered by Neel Mehta of Google Security on the 7th April and became public on 8th April 2014. System admins running OpenSSL should upgrade to OpenSSL 1.0.1g (or 1.0.2-beta2).
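The advisory's one-line cause, a missing bounds check on the peer-supplied heartbeat length, is easier to grasp in code. The following is an added illustration written for this post, not OpenSSL's own code: a simplified heartbeat handler whose bounds check can be switched on and off, run against a constructed in-memory buffer so the over-read stays inside the simulation.

```c
#include <stddef.h>
#include <string.h>

/* Simplified TLS heartbeat message (RFC 6520): type(1) | payload_length(2, big-endian) | payload | padding(>= 16) */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_HDR = 3, HB_PADDING = 16 };

/* Builds the heartbeat response for the record rec[0..rec_len).
 * check_bounds == 0 trusts the peer-supplied payload_length, as OpenSSL 1.0.1 to 1.0.1f did;
 * check_bounds == 1 validates it against the bytes actually received, which is the 1.0.1g fix.
 * Returns the response length, or -1 if the record is rejected or out is too small. */
long heartbeat_response(const unsigned char *rec, size_t rec_len, int check_bounds,
                        unsigned char *out, size_t out_cap)
{
    if (rec_len < HB_HDR || rec[0] != HB_REQUEST) return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];      /* peer-controlled, up to 65535 */
    /* The check that was missing: the claimed payload must fit inside the received record. */
    if (check_bounds && HB_HDR + payload + HB_PADDING > rec_len) return -1;
    size_t resp_len = HB_HDR + payload + HB_PADDING;
    if (resp_len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    /* Without the check this copy runs past the record and echoes whatever follows it in memory. */
    memcpy(out + HB_HDR, rec + HB_HDR, payload);
    memset(out + HB_HDR + payload, 0, HB_PADDING);        /* real code uses random padding */
    return (long)resp_len;
}

/* Constructed simulation of process memory: a valid 4-byte heartbeat request ("ping" plus
 * 16 bytes of padding) immediately followed by 9 bytes of secret that are not part of it. */
static const unsigned char g_mem[] = {
    HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    'S', 'E', 'C', 'R', 'E', 'T', 'K', 'E', 'Y' };
enum { REC_LEN = HB_HDR + 4 + HB_PADDING, SECRET_LEN = 9 };

/* Returns 1 if a request claiming `claimed` payload bytes gets the secret echoed back,
 * 0 if the reply holds only the genuine payload or the request is rejected. */
int leaks_secret(int check_bounds, size_t claimed)
{
    unsigned char rec[sizeof g_mem];
    unsigned char out[128];
    if (claimed > sizeof g_mem - HB_HDR) return 0;        /* keep the simulation inside rec */
    memcpy(rec, g_mem, sizeof g_mem);
    rec[1] = (unsigned char)(claimed >> 8);
    rec[2] = (unsigned char)(claimed & 0xff);
    long n = heartbeat_response(rec, REC_LEN, check_bounds, out, sizeof out);
    if (n < 0) return 0;
    /* The secret would land right after the genuine payload and its padding. */
    return n >= (long)(REC_LEN + SECRET_LEN) &&
           memcmp(out + REC_LEN, g_mem + REC_LEN, SECRET_LEN) == 0;
}
```

Claiming 29 payload bytes for a record that carries 4 is enough to pull the simulated secret into the reply without the check, while the checked handler rejects the same record outright.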

Are Microsoft services affected?

No. Microsoft says their systems aren't directly affected (because they don't use OpenSSL themselves), see Microsoft Services unaffected by OpenSSL "Heartbleed" vulnerability from 10th April. So the Windows SSL/TLS implementation is not impacted, and Microsoft Account, Microsoft Azure, Office 365, Yammer and Skype (along with most Microsoft services) are not impacted by the OpenSSL "Heartbleed" vulnerability either.

Also, Microsoft Azure and its services are not impacted - again, Windows comes with its own encryption component called Secure Channel (a.k.a. SChannel) - see Information on Microsoft Azure and Heartbleed.

Well, virtual machines running Linux or software which uses OpenSSL may be vulnerable - but that's up to the customer to fix within their machines or software.

What to do as IT-Admin?

If you are an IT admin and you are in charge of (Linux) machines or software using OpenSSL, do the upgrade as soon as possible.

Note that this vulnerability also affects firewalls and load balancers!

If you have your own certificates, you should probably renew them. Even if providers or services like GoDaddy aren't impacted directly, maybe there was an abuse somewhere in the (trust) chain when creating and sending certificate data...? So I personally think it's a good idea to renew certificates and public keys from time to time.

For example in Azure AD Microsoft changes the public keys that are used to sign security tokens every 6 weeks, see Important Information About Signing Key Rollover in Azure AD.

What every user should do

To ensure your personal accounts are secure, please change your account passwords (periodically) and use complex passwords. You can find information about strong passwords and test your passwords here.

You should definitely change passwords used for all services secured by OpenSSL:
AFAIK this includes Facebook, Amazon Web Services, Amazon, Google services like GMail, Google Plus or Analytics, Flickr, Netflix, YouTube, Dropbox, as well as firewall systems from Cisco, Fortinet, and so on ...

See The Heartbleed Hit List: The Passwords You Need to Change Right Now by Mashable and Vulnerability Note VU#720951 for a list of affected systems!

As a user, consider using multi-factor authentication: a combination of something you know (typically a password) and something you have (a trusted device that is not easily duplicated, like a phone). Many websites provide multi-factor authentication, like Microsoft, Google, Facebook, etc.

See Microsoft Azure - Multi-Factor Authentication!

Update, 13 April: see the affected major websites and services in the graphic by VentureBeat:

[Image: VentureBeat graphic of affected websites and services.]

If you aren't sure, do the password reset anyway!
