A new bug in the OpenSSL software library, dubbed “Heartbleed” by the researchers who discovered and reported it, has potentially left many websites (and their users) vulnerable to snooping hackers.
Ars Technica reported on the vulnerability earlier this morning (Tuesday, 8 April 2014), after researchers who work for Google and software security firm Codenomicon published a blog post about the bug.
According to the researchers, the Heartbleed bug (officially CVE-2014-0160) “leaks” small portions of memory (64 kilobytes) to an attacker.
This, they said, can be used to get a server to disclose all kinds of secret information.
“We have tested some of our own services from [an] attacker’s perspective. We attacked ourselves from outside, without leaving a trace,” the blog post stated.
“Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.”
The bug has been in the OpenSSL library for over 2 years, the researchers said, adding that according to Netcraft’s April 2014 Web Server Survey, over 66% of active sites on the Internet could be affected.
This is because widely used web server software Apache and nginx make use of OpenSSL.
“Very serious issue”
Senior security consultant at MWR InfoSecurity, Jacques Louw, said that this is exactly as scary as it sounds.
Louw said that attackers can potentially steal private certificates from websites and use these certificates to perform man-in-the-middle attacks. In other words, hackers could get their hands on a site’s private keys and use this information to impersonate those sites.
“[We have] also seen things like database credentials or even username and passwords leaked through internal testing,” Louw said. “The vulnerability leaks 64k blocks of the program heap, so [it’s] not always clear what you are going to get.”
Another aspect of the bug that is of concern is that exploitation of the vulnerability does not leave any trace, Louw said.
He noted that the bug only affects web servers using the OpenSSL package, and only those using the newest versions of OpenSSL (1.0.1 and 1.0.2).
For this reason the majority of South African websites are not vulnerable, as they use an older version of OpenSSL (0.9.8), Louw said.
The 1.0.1g patch for OpenSSL has been released for most distributions of Linux, Louw said.
“Interestingly openssl.org was still vulnerable at 14:00 [South African time],” Louw said.
Perspective from affected party
A number of tools have popped up online to test whether a site is affected by the bug, and they suggest that there are some prominent South African sites that are vulnerable.
Gerd Naschenweng, chief technology officer of Bidorbuy.co.za, said that they heard about the issue last night and applied a fix to their Red Hat servers today.
He said that some Linux distributions seem to have different versioning for the OpenSSL library, with Red Hat indicating that the bug has been fixed in its 1.0.1e version of OpenSSL. This is despite Heartbleed.com indicating that all versions up to 1.0.1f are vulnerable.
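The version mismatch described above is why a bare version-string comparison cannot decide whether a host still needs the patch. The following is an added example, not code from the article or from anyone quoted in it: a Python triage function that applies the upstream ranges the article gives (0.9.8 not affected, 1.0.1 through 1.0.1f affected, 1.0.1g fixed) and sends distribution builds to a check against the vendor's advisory. The function name, status labels and sample strings are assumptions constructed for illustration.

```python
import re

# Upstream ranges as stated in the article: 0.9.8 is not affected,
# 1.0.1 through 1.0.1f are affected, 1.0.1g carries the fix.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(.*)")
LAST_AFFECTED_LETTER = "f"


def triage_openssl(version_string):
    """Return 'not-affected', 'affected', 'fixed', 'verify' or 'unknown'."""
    m = VERSION_RE.search(version_string)
    if not m:
        return "unknown"
    branch = tuple(int(g) for g in m.group(1, 2, 3))
    letter, suffix = m.group(4), m.group(5).strip()

    if branch < (1, 0, 1):
        return "not-affected"
    if branch > (1, 0, 1):
        # The article names 1.0.2 as affected but gives no fixed release,
        # so do not guess: check the OpenSSL advisory.
        return "verify"
    if letter > LAST_AFFECTED_LETTER:
        return "fixed"
    if suffix.startswith("-"):
        # Distribution or vendor build (e.g. "-fips", "-<release>.<dist>").
        # Fixes may be backported without changing the upstream letter,
        # which is how a patched 1.0.1e can exist. Check the vendor advisory.
        return "verify"
    return "affected"


# Constructed sample inputs (hypothetical hosts and package names).
SAMPLES = [
    "OpenSSL 0.9.8y 5 Feb 2013",
    "OpenSSL 1.0.1 14 Mar 2012",
    "OpenSSL 1.0.1f 6 Jan 2014",
    "OpenSSL 1.0.1g 7 Apr 2014",
    "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "openssl-1.0.1e-99.example",
    "OpenSSL 1.0.2-beta1",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{triage_openssl(sample):13} {sample}")
```

A "verify" result means the string alone is inconclusive and the package changelog or vendor advisory for CVE-2014-0160 has to be consulted.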
“Although our systems are patched frequently, it is always surprising when a Linux vulnerability surfaces and we took the necessary measures to apply the patch as soon as it became available,” Naschenweng said. “In our environment we secure traffic via Verisign EV certificates and as part of Norton’s Trust Seal programme have daily malware scans and vulnerability assessments.”
Naschenweng said that it is difficult to say if they were affected by the bug, but he said he believes that the immediate patching removed any potential risk.
He reiterated previous statements made to MyBroadband that their webservers run in a “jailed” environment, independent from their transactional databases and systems.
“As such, even a breach into a webserver via this vulnerability would not have allowed access to transactional data,” Naschenweng said.
“We will discuss with our SSL providers (Verisign) if it is necessary to recycle our certificates and private keys for the certificates and will apply new certificates if this is necessary,” Naschenweng said.
Mweb’s technology team have told MyBroadband that the majority of their environments are Windows-based, with only a very small number of their sites (less than 5%) on Unix or Linux with OpenSSL.
The Mweb team also said that there is no way of knowing whether a server has been exploited in the last two years since OpenSSL version 1.0.1 was released, as no traces are left in system event logs.
“We are addressing this by revoking and reissuing certificates after the version has been updated,” Mweb said.