Open Stack

Thanks Malini, excellent summary.

It’s worth re-iterating this point from the email below: Any secrets that you have previously communicated, API keys, passwords, credentials should be considered compromised.

A second important point that isn’t being that widely discussed is the possibility that certificates and keys have been stolen and can be used to impersonate TLS servers. Now these certificates can be revoked, but that doesn’t buy you much outside of the browser, support for CRL’s is spotty in system crypto APIs (and you almost certainly haven’t downloaded them) and OCSP is basically non-existent for most client libraries.

--
Robert Clark
Lead Security Architect
HP Converged Cloud


On 8 April 2014 at 12:17:37, Bhandaru, Malini K (malini.k.bhandaru at intel.com<mailto:malini.k.bhandaru at intel.com>) wrote:


From: Ryan Ware [mailto:ryan.r.ware at intel.com]
Sent: Tuesday, April 08, 2014 7:11 AM
To: OTC ALL
Subject: OpenSSL Heartblead (CVE-2014-0160)

I wanted to take a moment and make sure everyone knows about this critical security vulnerability.  While system administrators in OTC (and outside) already know about this, I also know that people have many side projects and personal infrastructure as well.

The comment with the OpenSSL patch that fixes this issue can be found here (https://www.openssl.org/news/secadv_20140407.txt) but since it's short I'll reproduce it as well:


OpenSSL Security Advisory [07 Apr 2014]


========================================





TLS heartbeat read overrun (CVE-2014-0160)


==========================================





A missing bounds check in the handling of the TLS heartbeat extension can be


used to reveal up to 64k of memory to a connected client or server.





Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including


1.0.1f and 1.0.2-beta1.





Thanks for Neel Mehta of Google Security for discovering this bug and to


Adam Langley <agl at chromium.org<mailto:agl at chromium.org>> and Bodo Moeller <bmoeller at acm.org<mailto:bmoeller at acm.org>> for


preparing the fix.





Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately


upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.





1.0.2 will be fixed in 1.0.2-beta2.


Note that it is remotely exploitable and you will not find anything in your logs indicating you were attacked.  If you were previously attacked, it is very possible that private keys, passwords or anything else in the server process' memory space could have been leaked so you probably have more remediation to do (generate new keys, passwords, etc.) than just patch.

There is a decent article here (http://arstechnica.com/security/2014/04/critical-crypto-bug-in-openssl-opens-two-thirds-of-the-web-to-eavesdropping/) with more info.  There is also known exploit code in the wild such as here (http://s3.jspenguin.org/ssltest.py).  There is also more information here (http://heartbleed.com/).

Please take this vulnerability seriously.  This is the most significant CVE I've seen in a long time.

Ryan