Last week, on April 7th, the web was rocked by a security bug called Heartbleed. It’s a flaw in OpenSSL, a widely used security library that nearly two-thirds of all websites worldwide rely on to keep information secure. The media has had a field day with this news, and unless you live under a rock you’ve probably already heard about the Heartbleed Bug or seen its logo. The flaw lets attackers eavesdrop on web, e-mail, and some VPN communications. Not only are servers using OpenSSL affected by this vulnerability; network gear from Cisco and Juniper Networks that uses OpenSSL is affected as well.
Both Cisco and Juniper say they are uncertain of the impact of Heartbleed on their equipment, but both say they will continue to issue updated advisories as they uncover the extent of the problem. One of Juniper’s initial advisories describes the effect of Heartbleed as “allow(ing) remote attackers to obtain sensitive information (such as private keys, username and passwords, or contents of encrypted traffic) from process memory via crafted packets that trigger a buffer over-read.” In its advisory, Juniper details a long list of the equipment that has been impacted by these vulnerabilities.
Cisco released its advisory revision 1.5 yesterday stating, “Multiple Cisco products incorporate a version of the OpenSSL package affected by a vulnerability that could allow an unauthenticated, remote attacker to retrieve memory in chunks of 64 kilobytes from a connected client or server.”
In Cisco’s report they go on to explain the problem saying, “The vulnerability is due to a missing bounds check in the handling of the Transport Layer Security (TLS) heartbeat extension. An attacker could exploit this vulnerability by implementing a malicious TLS or Datagram Transport Layer Security (DTLS) client, if trying to exploit the vulnerability on an affected server, or a malicious TLS or DTLS server, if trying to exploit the vulnerability on an affected client. An exploit could send a specially crafted TLS or DTLS heartbeat packet to the connected client or server. An exploit could allow the attacker to disclose a limited portion of memory from a connected client or server for every heartbeat packet sent. The disclosed portions of memory could contain sensitive information that may include private keys and passwords.”
So far, Cisco has confirmed about a dozen products that are “vulnerable” to exploitation of the Heartbleed Bug, plus another list of over 60 products that are considered “affected” because they include OpenSSL but are still being investigated to determine the extent of the impact. About two dozen other Cisco products have been determined to be not vulnerable to the Heartbleed Bug. It should be noted that this list will continue to change as Cisco makes software security updates available. The open-source OpenSSL project has issued software updates to patch the Heartbleed flaw, but Cisco says the appropriate process for Cisco products relies on Cisco’s own evaluation and on patch updates obtained directly from Cisco. Heartbleed is resulting in a staggering amount of ongoing work by Cisco engineers to determine its impact on Cisco gear.
Unfortunately, the flaw appears to have existed for nearly two years because of a coding mistake that was only recently discovered by security researchers at Google and Codenomicon. A German software engineer named Robin Seggelmann of Munster, Germany has reportedly accepted responsibility for inserting what experts are calling a mistake of catastrophic proportions into OpenSSL, the open-source library used by millions of websites and servers, leaving them open to theft of data and passwords; many believe the flaw has already been exploited by cyber-criminals and government intelligence agencies. Seggelmann made the mistake while adding new features to the OpenSSL code. He says he “missed validating a variable containing a length,” and that this oversight, “though trivial,” was a simple error. But it was a mistake with enormous consequences, consequences that will likely be around for the long haul. Wayne Jackson, CEO of Sonatype, says “OpenSSL is embedded in a huge array of technologies -- routers, wifi, hubs, firewalls, control systems,” and much more. These devices are not necessarily easy to update, nor updated often. “This issue will be with us for a long, long time,” he adds.
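To make concrete what Cisco’s advisory calls a “missing bounds check in the handling of the TLS heartbeat extension” and what Seggelmann describes as a missed length validation, here is a simplified model of a heartbeat handler in C. It is an added example written for this article, not code from the article, from Cisco or Juniper, or from OpenSSL itself. The function names (`heartbeat_copy_len_unchecked`, `build_heartbeat_response`, the `*_len` helpers) and the two sample records are constructed for illustration; the comparison `1 + 2 + payload + 16 > record length` follows the shape of the check added in the OpenSSL fix. The unchecked version only reports the length the old code trusted and performs no copy, so it cannot over-read memory; the hardened version discards any request whose claimed payload does not fit inside the bytes actually received.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message types from RFC 6520. */
#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
/* RFC 6520 requires at least 16 bytes of padding after the payload. */
#define HB_PADDING 16

/* Read a 16-bit big-endian length, as TLS encodes it on the wire. */
static uint16_t read_u16(const unsigned char *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/*
 * What the unpatched handler trusted: the payload length is taken straight
 * from the peer's message and never compared with the bytes actually
 * received.  This function only reports that length and performs no copy,
 * so it cannot over-read; it shows why the original memcpy of that many
 * bytes did.  (The rec_len < 3 guard is a constructed safety net for this
 * demo, not something the vulnerable code had.)
 */
long heartbeat_copy_len_unchecked(const unsigned char *rec, size_t rec_len)
{
    if (rec_len < 3)
        return -1;
    return (long)read_u16(rec + 1);
}

/*
 * Hardened handler: build the heartbeat response only when the claimed
 * payload, plus its padding, fits inside the record that was received.
 * Returns the response length, or -1 when the request is discarded
 * (RFC 6520 section 4 says a malformed request is silently dropped).
 */
long build_heartbeat_response(const unsigned char *rec, size_t rec_len,
                              unsigned char *out, size_t out_cap)
{
    if (rec_len < (size_t)1 + 2 + HB_PADDING)   /* too short to even hold the padding */
        return -1;
    if (rec[0] != TLS1_HB_REQUEST)
        return -1;

    uint16_t payload = read_u16(rec + 1);

    /* The bounds check the vulnerable code lacked: same shape as the fix. */
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len)
        return -1;

    size_t resp_len = (size_t)1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap)
        return -1;

    out[0] = TLS1_HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, rec + 3, payload);          /* echo exactly the bytes we were sent */
    memset(out + 3 + payload, 0, HB_PADDING);   /* padding content is arbitrary; zeroed here */
    return (long)resp_len;
}

/* Constructed sample records (not captured traffic); trailing bytes are zero padding. */
static const unsigned char HONEST_REQ[3 + 5 + HB_PADDING] =
    { TLS1_HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
/* Same 5-byte payload, but the header claims 65535 bytes. */
static const unsigned char LYING_REQ[3 + 5 + HB_PADDING] =
    { TLS1_HB_REQUEST, 0xff, 0xff, 'h', 'e', 'l', 'l', 'o' };

/* Well-formed request: 1 + 2 + 5 + 16 = 24 bytes are echoed back. */
long honest_response_len(void)
{
    unsigned char out[64];
    return build_heartbeat_response(HONEST_REQ, sizeof HONEST_REQ, out, sizeof out);
}

/* Over-claiming request: the hardened handler drops it and returns -1. */
long lying_response_len(void)
{
    unsigned char out[64];
    return build_heartbeat_response(LYING_REQ, sizeof LYING_REQ, out, sizeof out);
}

/* The same request as the unpatched code saw it: 65535 bytes to copy. */
long lying_claimed_len(void)
{
    return heartbeat_copy_len_unchecked(LYING_REQ, sizeof LYING_REQ);
}

int main(void)
{
    printf("honest request: response of %ld bytes\n", honest_response_len());
    printf("lying request : unpatched code would copy %ld bytes, patched handler returns %ld\n",
           lying_claimed_len(), lying_response_len());
    return 0;
}
```

The defender’s takeaway is in the one added comparison: a length field supplied by the peer is untrusted input, and the check must be against the size of the record that actually arrived, not against the value the peer wrote in the header. Vendors such as Cisco and Juniper are affected precisely because the same library code, with that comparison missing, is compiled into their appliances.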