Critical security bug gets SA sites, hosts scrambling
A bug in the OpenSSL software library that has been dubbed “Heartbleed” by the researchers that discovered and reported it had websites and hosting companies, including many in South Africa, scrambling to deploy patches yesterday (Tuesday, 8 April 2014).
However, the security concerns caused by the bug do not end once the library is patched.
Heartbleed lets anyone, without any knowledge of a server or privileged access, obtain 64 kilobyte chunks of a server’s heap memory remotely without leaving any indication that they have “hacked” the server.
According to the researchers, this memory may contain usernames and passwords, and even the private keys used to sign a site’s certificate.
While the bug doesn’t affect all web servers, the majority (at least 66%, according Netcraft data) of sites on the web use software impacted by this bug.
“Pretty serious”
Asked about the seriousness of the bug, Chief technology officer for information security firm SensePost, Dominic White said that it is “pretty serious”.
White provided a link to a developer’s program on Github which scans Alexa’s list of top sites for the Heartbleed bug.
At around 21:00 last night 1,258 (or 12%) of the top 10,629 sites tested as vulnerable.
“That’s 12% of some very big name sites that are vulnerable,” White said. “But, that also means 88% of this list of big name sites aren’t vulnerable.”
By the time of publication (around 16:00, 9 April 2014), the tool reported that the number had dropped to 627 sites that appeared vulnerable.
Yahoo.com was among the vulnerable sites, and the web has been full of reports of security researchers who were able to get the usernames and passwords of Yahoo! Mail users due to the Heartbleed bug.
While being able to get sensitive data such as usernames and passwords is a massive security concern, White said they haven’t seen a proof of concept that actually exposes the private keys used to sign SSL certificates yet.
“This doesn’t mean it’s not possible, or isn’t coming, just that nobody has demonstrated it, despite numerous tools now existing,” White said.
If it is possible to get an SSL private key from the server memory in this way, White said that “a bad guy could put up a fake site with the real SSL certificate, or potentially decrypt encrypted communications they were intercepting.”
In short, this means that even if servers are patched there are larger ramifications that would probably require website owners to revoke their security certificates and obtain new ones, as well as advise users to change their usernames and passwords.
South African sites, hosts affected
Among the local sites confirmed to be affected by the bug were Bidorbuy and Capitec Bank’s corporate marketing website.
Bidorbuy CTO Gerd Naschenweng said yesterday that they had patched their servers and were waiting on advice from their certificate provider on how to proceed.
“We received feedback from Verisign that we should also recycle private keys and [certificates], so we are in the process of doing this as well,” Naschenweng told MyBroadband.
Kalahari.com’s Kirby Gordon said that they are aware of the issue and are not affected.
WebAfrica CTO Alan Kirton said that a proportion of their Linux-based hosting environment was susceptible to Heartbleed.
“We implemented all appropriate patches as soon as we became aware of the bug and we are busy advising our customers on the best ways to protect themselves,” Kirton said.
Mweb said that the majority of their environment are Windows-based and only a very small number (less than 5%) of their sites on Linux use OpenSSL.
While the fix is relatively straight-forward and was being rolled out to their current managed server estate yesterday, Mweb said that there is no way of knowing whether a server has been exploited in the last two years since OpenSSL 1.0.1 was released.
“We are addressing this by revoking and reissuing certificates after the version has been updated,” Mweb said.
Update: At 21:46 on Wednesday, Afrihost let us know that the Afrihost and Axxess sites have been patched. Tests with online Heartbleed vulnerability checkers confirm that the sites at the root domains for the ISPs are no longer vulnerable. It is worth noting that at the original time of writing the Afrihost Clientzone and Axxess Customer Control Panel sites were not testing as vulnerable.
Domain | Heartbleed vulnerability | |
Online banking | Currently vulnerable | Previously vulnerable |
netbank.nedsecure.co.za | No | No |
ib.absa.co.za | No | Unknown |
online.fnb.co.za | No | No |
direct.capitecbank.co.za | No | No |
encrypt.standardbank.co.za | No | Unknown |
Banks | Currently vulnerable | Previously vulnerable |
absa.co.za | No SSL | No SSL |
capitecbank.co.za | No | Yes |
standardbank.co.za | No | Unknown |
fnb.co.za | No | No |
nedbank.co.za | No | No |
E-commerce sites | Currently vulnerable | Previously vulnerable |
Kalahari | No | No |
Takealot (secure.takealot.com) | No | Unknown |
OLX | No SSL | No SSL |
Gumtree (gumtree.co.za) | No | Unknown |
Bidorbuy (bidorbuy.co.za) | No | Yes |
Wantitall | No | Unknown |
Have2have | No | Unknown |
Internet and hosting service providers | Currently vulnerable | Previously vulnerable |
afrihost.com | No | Yes |
clientzone.afrihost.com | No | Yes |
axxess.co.za | No | Yes |
ccp.axxess.co.za | No | Yes |
mweb.co.za | No | No |
myaccount.mweb.co.za | No | No |
telkom.co.za | No SSL | No SSL |
login.telkom.co.za | No | Unknown |
secureapp.telkom.co.za | No | Unknown |
webafrica.co.za | No | Unknown |
dsl.webafrica.co.za | No | Unknown |
Other services | Currently vulnerable | Previously vulnerable |
DStv | No | No |
Supersport | No | No |
South African banks respond
A Capitec spokesperson told MyBroadband that their IT Risk department said that their corporate marketing website was patched yesterday morning and that their Internet banking is not vulnerable to Heartbleed.
CEO for FNB Online Banking, Lee-Anne van Zyl, said that they are not vulnerable to the bug as none of their public-facing sites use OpenSSL for encryption.
Nedbank provided a similar answer, saying that an all their critical transactional systems have been reviewed and found not to be vulnerable.
“We are continuing our investigations on non-critical systems,” Nedbank said. “Where vulnerabilities are highlighted, we will engage suppliers to provide the required mitigation in line with our standard processes.”
Absa and Standard Bank’s Internet banking system also do not appear to be vulnerable, but neither bank answered questions put to them on the matter.
Update: An Absa spokesperson has provided the following statement:
We have robust processes in place to manage any potential risk that may arise on our network and this third party vulnerability would be treated and handled as such.
Update! Even if you don’t think you’re vulnerable
White said that there are a few good tools out for checking if your server is vulnerable, but warned that many aren’t complete.
For this reason you should patch your servers even if these tools say they aren’t vulnerable, White said.
More information security news
Massive security bug may leave SA sites vulnerable
Google user info requests for SA criminal investigations
Wi-Fi hacking quadcopter from SA security firm
Jolly Roger malware hits SA in a big way