Security Alert: "Heartbleed" OpenSSL Flatlines

By gTIC

OpenSSL has released the following:

OpenSSL Security Advisory [07 Apr 2014]

========================================

TLS heartbeat read overrun (CVE-2014-0160)

==========================================

A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server.

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1.

Thanks to Neel Mehta of Google Security for discovering this bug and to Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for preparing the fix.

Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

1.0.2 will be fixed in 1.0.2-beta2.

The impact of this vulnerability can be widespread. OpenSSL is a library rather than a single service: it is linked not only into web servers such as Apache and nginx, but also into the security appliances that many security vendors ship. It is recommended that organizations consult their security staff and vendors to identify which products embed an affected OpenSSL build (1.0.1 through 1.0.1f, or a 1.0.2 beta) and what fixes or patches are available for each.

At this time, researchers have not identified any distinguishable trace left by an attack: a heartbeat read overrun produces no error and no entry in application or server logs, which leaves organizations with little to work from when scoping or investigating exposure. However, because heartbeat messages are carried in their own TLS record type (content type 24, 0x18), IDS/IPS sensors can be configured to flag heartbeat records and correlate the sizes of the request and the response. A request whose declared payload length cannot fit inside the record that carries it, or a response far larger than the request that preceded it, is a likely exploitation attempt.

FishNet Security recommends that all organizations running affected OpenSSL builds patch first, by upgrading to 1.0.1g or, where that is not immediately possible, rebuilding with -DOPENSSL_NO_HEARTBEATS. The private keys on affected servers must then be treated as compromised: revoke the affected certificates, generate new private keys, and reissue and redeploy certificates on all primary servers. Once the servers are patched, users who authenticated over the affected SSL/TLS connections should change their passwords; a password changed on a still-vulnerable server can simply be leaked again. Organizations must also be aware that any traffic an adversary captured before patching may still be decryptable with the stolen private key, unless those sessions used a forward-secret key exchange.

Snort Signatures provided by: http://blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/

alert tcp any any -> any any (msg:"FOX-SRT - Suspicious - SSLv3 Large Heartbeat Response"; content:"|18 03 00|"; depth: 3; byte_test:2, >, 200, 3, big; threshold:type limit, track by_src, count 1, seconds 600; reference:cve,2014-0160; classtype:bad-unknown; sid: 1000000; rev:1;)

alert tcp any any -> any any (msg:"FOX-SRT - Suspicious - TLSv1 Large Heartbeat Response"; content:"|18 03 01|"; depth: 3; byte_test:2, >, 200, 3, big; threshold:type limit, track by_src, count 1, seconds 600; reference:cve,2014-0160; classtype:bad-unknown; sid: 1000001; rev:1;)

alert tcp any any -> any any (msg:"FOX-SRT - Suspicious - TLSv1.1 Large Heartbeat Response"; content:"|18 03 02|"; depth: 3; byte_test:2, >, 200, 3, big; threshold:type limit, track by_src, count 1, seconds 600; reference:cve,2014-0160; classtype:bad-unknown; sid: 1000002; rev:1;)

alert tcp any any -> any any (msg:"FOX-SRT - Suspicious - TLSv1.2 Large Heartbeat Response"; content:"|18 03 03|"; depth: 3; byte_test:2, >, 200, 3, big; threshold:type limit, track by_src, count 1, seconds 600; reference:cve,2014-0160; classtype:bad-unknown; sid: 1000003; rev:1;)
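The following is an added example, not code from the gTIC alert, from Fox-IT or from OpenSSL. It models the TLS heartbeat message (RFC 6520) in Python, shows the missing bounds check described in the advisory beside the check that 1.0.1g adds, and then runs the detection logic the alert describes over a constructed byte stream: the same "heartbeat record longer than 200 bytes" test the Snort rules above apply, plus a check on requests whose declared payload_length cannot fit in the record. The in-memory buffer, the SECRET string and the sample records are constructed here for illustration; real heap contents and padding are not modelled.

```python
"""Added example (not code from the gTIC alert, Fox-IT or OpenSSL): a small
Python model of the TLS heartbeat extension (RFC 6520), of the CVE-2014-0160
missing bounds check and its fix, and of two size checks a sensor can apply
to heartbeat records. The 'memory', SECRET and sample records below are
constructed for illustration."""
import struct

TLS_HEARTBEAT = 0x18            # TLS record content type for heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2  # HeartbeatMessageType values
HB_MIN_PADDING = 16             # RFC 6520 requires at least 16 bytes of padding
HB_HEADER = 1 + 2               # type(1) + payload_length(2)
SNORT_THRESHOLD = 200           # record length the Fox-IT rules alert on
SECRET = b"Cookie: session=8f2c1d0a9b;"  # constructed stand-in for adjacent heap data


def build_heartbeat(payload, declared_len=None):
    """HeartbeatMessage = type(1) payload_length(2) payload padding(>=16).
    declared_len lets the sender lie about payload_length, as the exploit does."""
    n = len(payload) if declared_len is None else declared_len
    return struct.pack("!BH", HB_REQUEST, n) + payload + b"\x00" * HB_MIN_PADDING


def build_record(body, version=0x0303):
    """Wrap a heartbeat message in a TLS record: type(1) version(2) length(2) body."""
    return struct.pack("!BHH", TLS_HEARTBEAT, version, len(body)) + body


def vulnerable_handler(memory, record_len):
    """Pre-1.0.1g behaviour: the record occupies memory[:record_len]; the code
    trusts payload_length and copies that many bytes from the payload offset,
    so bytes beyond the record (SECRET here) are echoed back to the peer."""
    _hbtype, payload_len = struct.unpack("!BH", memory[:HB_HEADER])
    payload = memory[HB_HEADER:HB_HEADER + payload_len]   # reads past record_len
    return struct.pack("!BH", HB_RESPONSE, payload_len) + payload + b"\x00" * HB_MIN_PADDING


def fixed_handler(memory, record_len):
    """1.0.1g behaviour: drop the message unless header + payload_length +
    minimum padding fits inside the record that was actually received."""
    if record_len < HB_HEADER + HB_MIN_PADDING:
        return None
    _hbtype, payload_len = struct.unpack("!BH", memory[:HB_HEADER])
    if HB_HEADER + payload_len + HB_MIN_PADDING > record_len:
        return None                                        # silently discard
    payload = memory[HB_HEADER:HB_HEADER + payload_len]
    return struct.pack("!BH", HB_RESPONSE, payload_len) + payload + b"\x00" * HB_MIN_PADDING


def iter_records(stream):
    """Yield (content_type, version, length, body) for each TLS record in stream."""
    off = 0
    while off + 5 <= len(stream):
        ctype, version, length = struct.unpack("!BHH", stream[off:off + 5])
        yield ctype, version, length, stream[off + 5:off + 5 + length]
        off += 5 + length


def inspect(stream):
    """Detection logic over a captured byte stream. Two checks on heartbeat
    records (content type 0x18, version 0x03xx):
      'large heartbeat record'        - record length > 200, the Fox-IT test
      'payload_length exceeds record' - a message whose declared payload
                                        cannot fit in the record carrying it"""
    findings = []
    for ctype, version, length, body in iter_records(stream):
        if ctype != TLS_HEARTBEAT or (version >> 8) != 0x03:
            continue
        if length > SNORT_THRESHOLD:
            findings.append(("large heartbeat record", length))
        if len(body) >= HB_HEADER:
            _hbtype, payload_len = struct.unpack("!BH", body[:HB_HEADER])
            if HB_HEADER + payload_len + HB_MIN_PADDING > length:
                findings.append(("payload_length exceeds record", length))
    return findings


def demo():
    """Run the malicious request against both handlers, then the detector
    over a stream holding a benign request, the attack and the leaked reply."""
    evil = build_heartbeat(b"hi", declared_len=0x1000)   # 21-byte record, claims 4096
    memory = evil + SECRET + b"\x00" * 4096               # constructed heap: record, then secrets
    leaked = vulnerable_handler(memory, len(evil))        # 4096 bytes of 'heap' echoed back
    dropped = fixed_handler(memory, len(evil))            # None: request discarded
    benign = build_heartbeat(b"ping")
    traffic = build_record(benign) + build_record(evil) + build_record(leaked)
    return leaked, dropped, inspect(traffic)


if __name__ == "__main__":
    leaked, dropped, findings = demo()
    print("secret leaked by vulnerable handler:", SECRET in leaked)
    print("fixed handler response:", dropped)
    for reason, length in findings:
        print(f"ALERT {reason} (record length {length})")
```

The second check in inspect() is the one the Snort rules do not perform: the exploit request is tiny (a few bytes), so a length threshold alone only fires on the oversized response, and only if the sensor sees the server-to-client direction. Checking payload_length against the record length catches the request itself, in either direction, without waiting for the leak to come back.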

Additional material may be found at openssl.org/news, heartbleed.com and fullhn.com.