As the effort to repair the "Heartbleed" OpenSSL vulnerability wreaks havoc across the Internet, one expert has cautioned that the extent of the damage caused by the bug won't be known for some time.
The OpenSSL vulnerability (CVE-2014-0160), which was introduced into the open source encryption library's code more than two years ago, is the result of a missing bounds check in the handling of the TLS heartbeat extension, hence the "Heartbleed" moniker. An OpenSSL security advisory warned that the flaw can be used to reveal up to 64 KB of memory from a connected client or server per malformed heartbeat request.
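To make the mechanism in the advisory concrete, here is an added example, written for this page rather than taken from OpenSSL or from the article: a reduced model of heartbeat handling in C, with the unchecked handler beside the checked one, and a constructed buffer in which a fake private-key header sits just past the end of the request. The record layout follows the heartbeat extension (type, 16-bit payload length, payload, 16 bytes of padding); the function and demo names are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model of TLS heartbeat handling (added example, not OpenSSL's
 * own code). On the wire a heartbeat record is: 1 byte type, 2 byte
 * big-endian payload_length, payload, then at least 16 bytes of padding.
 * The peer is expected to echo the payload back. */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16
#define HB_HDR       3   /* type + payload_length */

typedef long (*hb_handler)(const uint8_t *rec, size_t rec_len, uint8_t **out);

/* Shared response builder: allocates and fills the echo. `src` is where the
 * payload is read from; the caller decides whether that read is safe. */
static long build_response(const uint8_t *src, uint16_t payload, uint8_t **out)
{
    size_t n = HB_HDR + (size_t)payload + HB_PADDING;
    uint8_t *buf = malloc(n);
    if (!buf) return -1;
    buf[0] = HB_RESPONSE;
    buf[1] = (uint8_t)(payload >> 8);
    buf[2] = (uint8_t)payload;
    memcpy(buf + HB_HDR, src, payload);                 /* the echo */
    memset(buf + HB_HDR + payload, 0, HB_PADDING);      /* real code uses random padding */
    *out = buf;
    return (long)n;
}

/* Vulnerable: trusts the attacker-supplied payload_length and never compares
 * it with rec_len, so memcpy reads up to 64 KB past the end of the record. */
static long heartbeat_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t **out)
{
    (void)rec_len;                                      /* length on the wire is ignored */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    return build_response(rec + HB_HDR, payload, out);
}

/* Fixed: reject any record whose claimed payload does not fit inside it. */
static long heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t **out)
{
    if (rec_len < HB_HDR + HB_PADDING) return -1;       /* too short to be valid */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (HB_HDR + (size_t)payload + HB_PADDING > rec_len) return -1; /* silently drop */
    return build_response(rec + HB_HDR, payload, out);
}

/* Constructed scenario: a request carrying a 3-byte payload sits at the start
 * of a buffer, and a secret (a PEM header standing in for a private key) lies
 * 8 bytes beyond the end of that record, as session data might in a real
 * process. Returns 1 if the handler's response contains the secret. */
static const char SECRET[] = "-----BEGIN RSA PRIVATE KEY-----";

static int demo_leaks_secret(hb_handler handler)
{
    uint8_t arena[256];
    size_t rec_len = HB_HDR + 3 + HB_PADDING;           /* honest length: 22 bytes */
    memset(arena, 'A', sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = 0x00; arena[2] = 0x80;                   /* claims 128 bytes, sends 3 */
    memcpy(arena + HB_HDR, "hat", 3);
    memcpy(arena + rec_len + 8, SECRET, sizeof SECRET);

    uint8_t *resp = NULL;
    long n = handler(arena, rec_len, &resp);
    if (n < 0) return 0;                                /* request was rejected */
    int leaked = 0;
    size_t slen = strlen(SECRET);
    for (size_t i = 0; i + slen <= (size_t)n && !leaked; i++)
        leaked = memcmp(resp + i, SECRET, slen) == 0;
    free(resp);
    return leaked;
}

/* Sanity check: a well-formed request (3-byte payload, 22-byte record) is
 * still echoed by the fixed handler. Returns the response length. */
static long demo_honest_request(hb_handler handler)
{
    uint8_t rec[HB_HDR + 3 + HB_PADDING] = { HB_REQUEST, 0x00, 0x03, 'h', 'a', 't' };
    uint8_t *resp = NULL;
    long n = handler(rec, sizeof rec, &resp);
    free(resp);
    return n;
}

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n", demo_leaks_secret(heartbeat_vulnerable));
    printf("fixed handler leaks secret:      %d\n", demo_leaks_secret(heartbeat_fixed));
    printf("fixed handler echo length:       %ld\n", demo_honest_request(heartbeat_fixed));
    return 0;
}
```

The fixed handler's check has the shape of the 1.0.1g fix: a record whose claimed payload does not fit in the bytes actually received is discarded. The leaked region is whatever happens to follow the record in the process, which is why an attacker gets adjacent memory rather than choosing an address. The advisory's fallback for users unable to upgrade immediately is to recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS, which removes the handler altogether.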
Heartbleed was first revealed publicly earlier this week when the OpenSSL Project released version 1.0.1g to address the issue, but the risk presented by the vulnerability has forced hasty remediation measures around the world. Because the flaw affects a wide range of products, from Apache Web servers to various Linux distributions and even Android devices, virtually every organization is affected.
Even worse, simply upgrading systems to use the latest version of OpenSSL won't stem the tide, according to a variety of experts. Private keys held in memory by a vulnerable process may already have been read out, so companies must also revoke potentially compromised certificates, issue new ones, and change out authentication credentials, a massive undertaking by any account.
Enterprises scramble to fix Heartbleed
Some companies, such as San Francisco-based content delivery network CloudFlare Inc., benefited from early disclosure, allowing them to patch the flaw before it was known publicly.
Other organizations, including the Canada Revenue Agency (CRA), were not so fortunate. Though Canada's tax-filing deadline is April 30, the CRA chose to shut down its online tax services due to the possibility that Heartbleed could be used to attack citizens filing over the Web.
"After learning late yesterday afternoon about the Internet security vulnerability named the Heartbleed Bug that is affecting systems around the world," said the Canadian agency on its website, "the CRA acted quickly, as a preventative measure, to temporarily shut down public access to our online services to safeguard the integrity of the information we hold."
Jake Williams, principal consultant at Maryland-based CSRgroup Computer Security Consultants and an instructor with the SANS Institute, said in a webcast Wednesday that the dire nature of the Heartbleed vulnerability demands immediate action.
"This is not a joke. I've been around a long time in infosec, and this is one of the scariest bugs I've seen. Period. Don't take it lying down," said Williams. "To put this in perspective, this is much scarier than Conficker, much scarier than Stuxnet. This is so wide-ranging."
Williams said he has been experimenting with the vulnerability in recent days, and clarified that attackers can't choose where the memory is dumped, meaning they can't get the "whole range of data," only the data from the affected process actually running OpenSSL.
Unfortunately, attackers can take advantage of Heartbleed again and again without ever being logged or discovered, noted Williams, and the exposed data is more than tantalizing enough for attackers to exploit the flaw.
"The bad news is there's [a] lot of useful stuff in those regions of memory. Things like keys, or transmissions protected by SSL," Williams said. "So it is pretty juicy stuff."
As of late Wednesday, SANS research showed dozens of popular websites were still vulnerable to the flaw, but Williams said he wasn't particularly concerned about whether major vendors and Web properties such as Yahoo would patch the OpenSSL vulnerability in a timely manner. It is believed Yahoo was not among the companies notified about Heartbleed ahead of time, and was scrambling to patch yesterday.
Instead, Williams pointed to small business partners and other "mom and pop" companies that rely on open source security technology like OpenSSL, but don't necessarily have the wherewithal to patch implementations in a timely manner.
In fact, he spoke about one situation he encountered at a client site this week that shows just how difficult it will be to weed out vulnerable OpenSSL implementations, namely versions 1.0.1 through 1.0.1f (and the 1.0.2-beta1 release).
"I had tested the server and found it to be vulnerable. I scratched my head for a minute, and then I ran strings against the library and [found] that it's 1.0.1f, but they marked it 1.0.0," Williams said. "It turns out, and who knew, you can name the file anything you want. It's absolute craziness. I've run into this on multiple servers already."
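The check Williams describes, reading the version banner out of the library instead of trusting the file name, as an added example in C that is not from the article or from OpenSSL. It scans a byte image for the banner OpenSSL embeds ("OpenSSL 1.0.1f 6 Jan 2014" style), classifies the version against the affected range, and is run here against a constructed stand-in for a library file; the function names, the fake image, and the file-size limit are my own assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the article. Affected builds are 1.0.1 through
 * 1.0.1f plus 1.0.2-beta1; 1.0.1g carries the fix, and the 1.0.0 and 0.9.8
 * branches never contained the heartbeat code. */

/* Returns 1 if the version token (e.g. "1.0.1f") is Heartbleed-affected. */
int heartbleed_affected(const char *v)
{
    if (strcmp(v, "1.0.2-beta1") == 0) return 1;
    if (strncmp(v, "1.0.1", 5) != 0) return 0;     /* other branches unaffected */
    int letter = (unsigned char)v[5];
    if (!isalpha(letter)) return 1;                /* "1.0.1" itself, or a 1.0.1 beta */
    return tolower(letter) <= 'f';                 /* a..f affected, g and later fixed */
}

/* Scans raw bytes (e.g. a libcrypto or libssl file read from disk) for
 * "OpenSSL <digit...>" and copies the version token into out.
 * Returns 1 if a banner was found, 0 otherwise. */
int find_openssl_version(const unsigned char *buf, size_t len, char *out, size_t outsz)
{
    static const char tag[] = "OpenSSL ";
    const size_t tl = sizeof tag - 1;
    for (size_t i = 0; i + tl < len; i++) {
        if (memcmp(buf + i, tag, tl) != 0) continue;
        size_t j = i + tl, k = 0;
        if (!isdigit(buf[j])) continue;            /* skip e.g. "OpenSSL Project" */
        while (j < len && buf[j] != ' ' && buf[j] != '\0' && k + 1 < outsz)
            out[k++] = (char)buf[j++];
        out[k] = '\0';
        return 1;
    }
    return 0;
}

/* Returns 1 if the image is affected, 0 if patched or unaffected,
 * -1 if no OpenSSL banner was found at all. */
int check_library_image(const unsigned char *buf, size_t len)
{
    char ver[32];
    if (!find_openssl_version(buf, len, ver, sizeof ver)) return -1;
    return heartbleed_affected(ver);
}

/* Constructed stand-in for a library image: binary noise around the banner.
 * Think of it as installed under a name such as libssl.so.1.0.0, the soname
 * Debian-family systems kept for their 1.0.1 builds, so the name alone
 * proves nothing about the version inside. */
static const unsigned char FAKE_LIBSSL[] =
    "\x7f" "ELF\x02\x01\x01" "\0\0\0\0" "OpenSSL Project" "\0"
    "OpenSSL 1.0.1f 6 Jan 2014" "\0" "heartbeat" "\0";

int demo_mislabeled_library(void)
{
    return check_library_image(FAKE_LIBSSL, sizeof FAKE_LIBSSL);
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        printf("constructed library image: %d (1 = affected)\n", demo_mislabeled_library());
        return 0;
    }
    /* Real use: pass the path of the shared object you want to inspect. */
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror(argv[1]); return 2; }
    static unsigned char img[1 << 22];             /* 4 MiB, ample for these libraries */
    size_t n = fread(img, 1, sizeof img, f);
    fclose(f);
    int r = check_library_image(img, n);
    printf("%s: %s\n", argv[1],
           r == 1 ? "AFFECTED" : r == 0 ? "not affected" : "no OpenSSL banner found");
    return r == 1 ? 1 : 0;
}
```

One caveat a banner check cannot resolve: distributions that backport the fix into an existing package leave the banner unchanged, so a library reporting 1.0.1e may already be patched. On such systems the package changelog, or a live test of the server's heartbeat handling, is the decisive check; the banner is enough to prove a library is not 1.0.0 just because its file name says so.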
OpenSSL vulnerability offers treasure trove for attackers
What makes the Heartbleed situation even trickier, noted Williams, is the fact that any traffic captured by attackers in the past could be subjected to an exploit using the OpenSSL vulnerability. That means traffic that couldn't be decrypted last week can be today, he said, so customers should be in contact with vendors immediately to determine whether their sensitive data, including private keys and authentication credentials, could possibly be exposed.
Williams emphasized that even in cases where vendors have moved quickly to apply patched versions of OpenSSL, more action is required.
"Here's the scary part: Once attackers get that certificate, they can start playing man-in-the-middle hijinks," Williams said. "Again, anyone that was vulnerable long enough to know they were vulnerable, their certificates are stolen. Any data they had in-memory in those server processes, you can consider gone."
Michael Coates, director of product security for Mountain View, Calif.-based Shape Security and the chairman of OWASP, warned in a blog post that the most sophisticated attackers are the ones most likely to capitalize on the data transmissions Williams mentioned, which just a few days ago were thought to be secure.
"In order to decrypt data exchanged between a user and a website, the attacker must have access to network devices along the communication path," Coates said. "This attack could most easily be launched by state actors or criminal enterprises operating in collusion with network operators."
To begin cleaning up after Heartbleed, Dodi Glenn, senior director of security intelligence and research labs at Clearwater, Fla.-based ThreatTrack Security, said companies running OpenSSL should assume their certificates and keys have been compromised. For organizations that can't update OpenSSL, Glenn suggested disabling support for the heartbeat extension.
Otherwise, Glenn said those companies should begin the process of replacing any potentially compromised keys and certificates, and advise any customers that were possibly affected to change their passwords.
Williams advised vendors to be completely forthright with customers over whether they have utilized vulnerable versions of OpenSSL in recent years. If there is any chance a vendor exposed sensitive client data, it should go through all the necessary preventative measures, including updating OpenSSL, revoking potentially compromised certificates, and issuing new server certificates. "This is not a black eye," Williams emphasized. "Everybody was vulnerable."
He warned customers not to rely on vendors to be totally truthful, however, counseling them to press for answers on exactly which versions of OpenSSL each of their vendors were running and when. In the meantime, Williams said to replace all usernames and passwords that may have been affected.
"Microsoft silently patches bugs. Adobe silently patches bugs. I see them in the updates all the time when I'm going back and looking at the binary-level patches," Williams said. "I don't put it past any vendor to do the same in light of this bug and then claim they were never vulnerable. Don't assume here."