Knowledgebase:
HeartBeat Exploit
Posted by Jeff H. on 10 April 2014 10:25 AM

HeartBleed Exploit

 

There is a lot of news about an exploit in OpenSSL. 

 

I am still researching about the issue but on intial assessment the media is overhyping this issue as a one exploit-fit-all. 

 

Many media reports say security reasearchers are "scrambling".  This is not really the case - at least with Red Hat/CentOS. The issue was identified and fixed within 24 hours. 

 

First, before freaking out, be sure that you understand whether or not this vulnerability actually applies to you.

 

 

Update: Mar 9, 2014 14:27 EDT.

We have completed our Nessus audits for the heartbleed exploit and all systems and services are clear.  The Nessus Plugin is far more in-depth than the public scanning tools.  An issue with some of the public scanners is that they do not check for SSL on email services or properly handle STARTTLS on ftp and email services.  The Nessus plugin covers these items.

There is no way to know if someone used this attack to collect data from your server.  I've not seen any reports from trusted sources about this attack being automated or used extensively in the wild.

 

Who's Impacted?

This applies to you ONLY and IF ONLY you are using RHEL/CentOS 6.5.  Other OS versions we support are not impacted.

You can find more on this on Red Hat's update.

https://access.redhat.com/site/announcements/781953

 

Am I at Risk?

Even if you are using CentOS/RHEL 6.5, note that:

 

If you are not using SSL services (HTTPS, IMAPS, POPS, SMTPS) to secure sensitive data, then you are not at risk.

If you use TLS/SSL, but do not send highly sensitive information (over the past 24 hour), then this is not a high priority.

 

If you have sent senstive details via TLS/SSL encrypted channels, then data could have been stolen.

What's at Risk?

The attack allows someone to view about 64KB of data that is stored in the memory reserved by the SSL protocols.   There's no way for someone to search or specifically request certain information.  Using repeated attempts, someone could possibly gather important information such as the private key.

Usernames and passwords could be leaked IF and ONLY IF the data was present in the memory.  Since services restart and memory gets re-claimed, the data would have to be recently accessed. 

If someone obtains your private SSL key, they could use this data to decrypt future HTTP sessions, thus compromising the security.  However to decrypt a SSL session, they would have to hijack or listen to the HTTP session to begin with.  The latter would require an additional security compromise.

 

So the key items that may have been compromised could be:

  • SSL private key
  • Username/passwords if transmitted via TLS
  • Any collateral data stored in the TLS memory

While I do not have evidence, personally, I think this is a low-risk issue for our customer base. 

 

Was I Compromised?

Currently, I know of no way to determine if you were specifically compromised.  This would require detailed log anaysis of HTTPS or other TLS requests and then also trying to determine what was in memory at that time.  Even then, there's no way to know what the attacker would have received as a payload.

Security Update

Red Hat and CentOS have both released patches.  Our management platform will automatically deploy these updates once they are released to the repos used by your server. 

We must restart HTTP and email services to apply these updates.  Once we confirm the updates are applied, we will restart the impacted services.

Warning

Do not use "testers" from untrusted sites.  Hackers often setup and promote testing and security tools around such exploits. If you use them, you may just add your site to their list of possible targets.

If we find a legitimate testing tool, we will post it here.

 

References:

https://bugzilla.redhat.com/show_bug.cgi?id=1084875

https://rhn.redhat.com/errata/RHSA-2014-0378.html

http://www.openssl.org/news/secadv_20140407.txt

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160

 

 

 

 

 

(0 vote(s))
Helpful
Not helpful