Masergy Security Advisory – Heartbleed

CVE-2014-0160


The Heartbleed Bug

A new vulnerability named “The Heartbleed Bug” has recently been announced that affects servers running certain versions of OpenSSL (Linux/Unix devices). This vulnerability allows an attacker to steal information normally protected by SSL/TLS encryption, including secret keys (used to identify service providers and encrypt traffic), user names, passwords, and potentially any content in the server's memory. Common services that use SSL/TLS encryption are the web, VPN, email, and some instant messaging. Read more at: http://www.openssl.org/news/secadv_20140407.txt

Recommendations:

  • Upgrade OpenSSL to version 1.0.1g (recommended): http://www.openssl.org/source/
  • If you are unable to upgrade, recompile OpenSSL with -DOPENSSL_NO_HEARTBEAT, which disables the heartbeat extension entirely
  • It may also be necessary to re-key your SSL certificates (new private key, new certificate signing request, and new certificate issued by your SSL certificate vendor), since a vulnerable system has potentially leaked its SSL/TLS private key

Systems Affected
Linux/Unix (Windows machines should not be affected)

Vulnerable Versions:

  • OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable

NOT Vulnerable Versions:

  • OpenSSL 1.0.1g
  • OpenSSL 1.0.0 branch
  • OpenSSL 0.9.8 branch

While other systems can be vulnerable, the following is a list of common distributions that have shipped with the vulnerable OpenSSL:

  • Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
  • Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
  • CentOS 6.5, OpenSSL 1.0.1e-15
  • Fedora 18, OpenSSL 1.0.1e-4
  • OpenBSD 5.3 and 5.4, OpenSSL 1.0.1c (10 May 2012)
  • FreeBSD 10.0, OpenSSL 1.0.1e (11 Feb 2013)
  • NetBSD 5.0.2, OpenSSL 1.0.1e
  • OpenSUSE 12.2, OpenSSL 1.0.1c

Current Masergy Security customers will see the following alerts when this activity is detected:

Alert Detection:

WEB:HEARTBLEED-OUT

Outbound response to a malformed heartbeat request, indicating the web server is running a version of OpenSSL vulnerable to CVE-2014-0160. CVE-2014-0160 is a bug in the TLS heartbeat implementation of OpenSSL and affects OpenSSL versions 1.0.1 through 1.0.1f. TLS heartbeats are used as “keep alive” packets so that an encrypted connection can be kept open for later use. The vulnerability occurs because an attacker can send a small heartbeat request that declares a large payload length; OpenSSL does not check the declared length against the data actually received, overruns the real payload, and sends back that many bytes from its own memory. This is a critical vulnerability and may result in the loss of data including message contents, user credentials, session keys, or even the server’s own private keys.

WEB:HEARTBLEED-IN

Inbound malformed TLS heartbeat packet attempting to exploit CVE-2014-0160. The vulnerability is the same one described under WEB:HEARTBLEED-OUT above: a small heartbeat request declaring a large payload length, which a vulnerable OpenSSL 1.0.1 through 1.0.1f server answers with data from its own memory.
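Both alerts above reduce to a length check on the heartbeat record. The following Python is an added illustration of that check, not Masergy's signature logic: it applies the same bounds test OpenSSL 1.0.1g introduced (header + declared payload + 16 bytes of padding must fit in the record) to classify inbound requests, and flags unusually large outbound heartbeat responses. The response-size threshold and the sample records are constructed for the example, not captured traffic.

```python
import struct

TLS_HEARTBEAT = 0x18              # TLS record content type for heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2    # HeartbeatMessageType values
MIN_PADDING = 16                  # RFC 6520 requires at least 16 bytes of padding

def parse_record(data: bytes):
    """Split one TLS record into (content_type, version, body); None if truncated."""
    if len(data) < 5:
        return None
    ctype, version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    return None if len(body) < length else (ctype, version, body)

def check_heartbeat(data: bytes) -> dict:
    """Classify a TLS record as seen on the wire (the WEB:HEARTBLEED-IN side).
    'malformed' means the declared payload_length cannot fit in the record:
    the check OpenSSL 1.0.1g added is 1 + 2 + payload + 16 <= record length."""
    rec = parse_record(data)
    if rec is None:
        return {"verdict": "truncated"}
    ctype, _, body = rec
    if ctype != TLS_HEARTBEAT:
        return {"verdict": "not-heartbeat"}
    if len(body) < 3:
        return {"verdict": "malformed", "reason": "heartbeat header incomplete"}
    hb_type, declared = struct.unpack("!BH", body[:3])
    if 1 + 2 + declared + MIN_PADDING > len(body):
        return {"verdict": "malformed", "hb_type": hb_type,
                "declared": declared, "record_len": len(body)}
    return {"verdict": "ok", "hb_type": hb_type, "declared": declared}

def suspicious_response(data: bytes, max_len: int = 1024) -> bool:
    """WEB:HEARTBLEED-OUT side: a heartbeat *response* record larger than max_len.
    Legitimate keep-alives are tiny; max_len is an assumed tuning value."""
    rec = parse_record(data)
    if rec is None or rec[0] != TLS_HEARTBEAT or len(rec[2]) < 3:
        return False
    return rec[2][0] == HB_RESPONSE and len(rec[2]) > max_len

# Constructed sample records (not captured traffic):
# 1) a 3-byte heartbeat request that claims a 16384-byte payload
MALFORMED_REQUEST = bytes.fromhex("18 03 02 00 03 01 40 00")
# 2) a well-formed request: 4-byte payload "ping" plus 16 bytes of padding
GOOD_REQUEST = bytes.fromhex("18 03 02 00 17") + b"\x01\x00\x04" + b"ping" + b"\x00" * 16
# 3) a 2048-byte heartbeat response, the size a leaking server would emit
BIG_RESPONSE = bytes.fromhex("18 03 02 08 00") + b"\x02\x07\xed" + b"\x00" * 2045

if __name__ == "__main__":
    print("malformed request:", check_heartbeat(MALFORMED_REQUEST))
    print("good request:", check_heartbeat(GOOD_REQUEST))
    print("big response suspicious:", suspicious_response(BIG_RESPONSE))
```

Note that the version strings listed under "Systems Affected" are not a substitute for this kind of check: distributions that backport the fix keep the old upstream version number, so the package changelog, not `openssl version`, tells you whether a host is patched.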
