Catastrophic bug in OpenSSL

08. April 2014 Security 10

A bug was discovered in OpenSSL, CVE-2014-0160, that has since been named “The Heartbleed Bug”. If you have not heard about this, have a look at this website that explains the bug in detail much better than I can with my limited understanding of crypto. In short:

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The bug is said to affect 2 out of 3 web servers on the internet which is a staggering amount. This can include your website hosting server, your banks web server, email server etc etc. What’s worse is that this bug has been around since 2011 and those that have potentially been exploiting this bug have gone undetected as exploits leave no trace on the affected server. OpenSSl is an open source piece of software that is used all over the world including OS X. However, from what I can tell, all versions of OS X are not affected by this bug.

The vulnerability was introduced in OpenSSL version 1.0.1 in early 2012 and was not fixed until April 7th of this year when version 1.0.1g was released. Luckily, Apple had decided to deprecate OpenSSL from it’s systems in 2012 due to stability issues. The last version of OpenSSL shipped by Apple was 0.9.8y which is still included in the latest 10.9.2 Mavericks. OpenSSL has also never been provided as a part of iOS. This goes for both Client and Server versions of OS X.

Even though Macs and iOS devices are safe from this particular bug, there are still many servers out there that do not run OS X and/or have chosen to upgrade the OpenSSL on their OS X machines themselves. Connecting to these vulnerable servers can still compromise the data that is supposed to be encrypted. Now that the word is out, administrators all over the world are scrambling to update their versions of OpenSSL but it is a race against the clock. As with all newly discovered vulnerabilities there are many people out there that are eager to exploit them before they get fixed. Exploits have already been demonstrated and discussed for Yahoo Mail for example. Any server that has not updated their OpenSSL to version 1.0.1g will remain vulnerable and unfortunately there will be many that take their time updating, if ever. There is a way to use a current version and still patch it to fix the vulnerability. Apparently recompiling OpenSSL with the -DOPENSSL_NO_HEARTBEATS flag is equally effective.

It is recommended to check with the companies/services you use if this bug was a concern and if so, if it has been patched. If it has indeed been patched, change passwords immediately. Changing passwords before the bug is patched is useless as the new password can be compromised just as easily as the old one. Luckily most responsible companies and services are doing everything they can to update their OpenSSL versions and proudly let their customers know this process is underway or completed. For all others, follow up yourself.

For years we assumed this portion of the internet was safe, only to be proven it was not later. Now that there is a fix we can all go back to believing it’s safe, or can we? Probably not. By now we all know that the illusion of safety is just that, an illusion. Ed Snowden has opened our eyes to that. More vulnerabilities will be discovered in systems we trust, not just OpenSSL. As we are not psychics we won’t know what these vulnerabilities will be so it’s hard to prepare but there are some ways you can better protect yourself.

In this particular case, let’s say your mailserver is running a vulnerable version of OpenSSL, and someone has exploited it. That person now has your name and password. If you use the same password for other sites and services, that person can now potentially access those as well, even though those other servers were not vulnerable to this particular bug. So, always use different passwords for different sites and services. This way if one is compromised, the other should be safe. I have covered passwords before here, here and here. Luckily the severs hosting this website, our email, my bank and other services I use have all patched and/or updated their servers.

Update: Something I had not even thought about was brought to my attention by this article. Indeed most modems, routers, firewalls and other network equipment use OpenSSL as well. Disabling remote management features on most common home routers should be enough to protect yourself from this particular bug but this will not be easy on modems, which use SSL connections that allow your Internet Service Provider secure access remotely when you call tech support about an issue.

If readers have more information on this that may be relevant please do not hesitate to leave comments.

More info:
Business Insider
CNN


10 thoughts on “Catastrophic bug in OpenSSL”

  • 1
    blasev on April 11, 2014 Reply

    I’ve read your link and I see grim picture. although I can update/setup my router, but I cant do nothing to my ISP modem.
    if this the case than I want to ask, even if the web server is fixed will we still be vulnerable if ISP modem is not updated?

    • 2
      Jay on April 11, 2014 Reply

      I believe so, yes. When a secure connection is made to your modem by the ISP, if the modem is vulnerable, the ISP login details could be captured. I do believe most ISP’s use VPN connections for this type of thing so I’m not sure if that prevents snooping. Either way probably best to contact your ISP and ask them about it.

      • 3
        blasev on April 12, 2014 Reply

        I will end up explaining to them than the other way around 🙂

        • 4
          Jay on April 12, 2014 Reply

          Ha, yeah most likely. Just asking the version of OpenSSL they use (if they even use OpenSSL) should be enough, without having to explain why you want to know. You might have to wait some time before you speak with someone that can tell you though. Good luck and let us know how it tusrns out 🙂

      • 5
        Al Varnell on April 14, 2014 Reply

        My comments apply only to DSL/Cable modems that do not include a router function.

        When I was still able to log into my cable modem, there was no setting to prevent remote management and later on Comcast changed the logon credentials which actually made me feel better about it from a security standpoint.

        My current modem was locked down when it was installed. I can still see the statistics without a secure connection, but am not be able to make any changes, even if I wanted to.

        I can’t think of any way to exploit a modem, even if I was able to capture the login credentials, so I’m not sure what the concern would be.

        • 6
          Jay on April 14, 2014 Reply

          If login details for a modem can be captured I can imagine all kinds of havoc. In the case of my older Comcast modems where the name and password can be guessed even without a bug like Heartbleed someone can log in, set up or change my wifi details, join my network and possibly compromise other devices on that network. If the modem is also used as a firewall, this can be tweaked or disabled to allow all kinds of traffic one would not want. Having unauthorized access to my modem (specially those all in one boxes like most ISP’s use these days) is a nightmare I do not even want to think about.

  • 7
    blasev on April 13, 2014 Reply

    I choose not to contact them, since the last time I did my blood pressure gone up. but I did find that my ISP modem is running old firmware, dated before 2010. so that makes me sad and glad in the same time 🙂

  • 8
    jem on April 23, 2014 Reply

    Has the Heartbleed bug damaged VPNs? such as private internet access?

Leave a Reply

Your email address will not be published. Required fields are marked *

*