What we thought was secure—Web servers, routers, virtual machines, virtual private networks, and even client software—isn’t so safe, after all.
Just about everything that relies on the open source cryptographic software OpenSSL is compromised by the Heartbleed bug, which can leak the contents of the memories of these networks and devices to compromise your security.
Heartbleed can expose data in random 64KB “heartbeats,” and while each leak is limited to 64KB of memory at a time, an attacker can keep connecting to collect more data, which can include sensitive data like passwords, private encryption keys, and website cookies.
While the Heartbleed bug was initially known to compromise secure Web servers, the list of affected devices has extended to routers and other products from Cisco and Juniper Networks, virtualization software from VMware, OpenVPN’s private networking software, Oracle software (though not clear), and may extend to devices like phones.
And then there’s the Trojan horse, “Reverse Heartbleed.”
Vulnerable From Within
Heartbleed’s blade cuts across both servers and clients. It can be used in reverse, by tricking a website to come to you, according to Brad Buda, CTO and founder of Meldium, a San Francisco-based firm that sells account and password protection software.
Meldium has created a web site called reverseheartbleed.com, where you can test whether your client’s security has the reverse Heartbleed vulnerability.
“Many organizations have hosts which initiate outbound SSL connections (pulling updates, fetching images, or pinging webhook URLs),” the site states. “These hosts are often on a separate infrastructure (with different SSL dependencies) within the organization firewall. These hosts may be vulnerable to the reverse Heartbleed attack.”
The post lists potentially vulnerable clients, including traditional clients and open agents.
- Traditional clients include browsers, applications that use http APIs, and applications loaded onto a computer via DVD, such as your friendly word processor or office application, plus mobile apps on iOS and Android. All of these clients can be affected, if they haven’t updated their OpenSSL.
- Open agents are clients an attacker can drive remotely; these agents are used by social networks, file sharing applications like Dropbox, and web spiders. Until yesterday, Pinterest was vulnerable, but its security team was “very responsive” and patched with us to polish the test tool,” Buda said.
To understand how open agents might work, consider Facebook and Twitter. Though neither is vulnerable, they both have user interfaces that easily illustrate how Heartbleed can exploit client vulnerabilities.
An open agent can trick you into typing a URL that’s malicious in some way. This threat may take time to uncover, Buda said, because people are only looking at the problem from the point of view of the secure Web server, and are not actively searching throughout their infrastructure for vulnerabilities.
Any software that runs OpenSSL—including servers and clients—can be problematic. It’s not built into any of the major Web browsers like Chrome or Firefox, but it is used in iPhone applications and back-end server applications. Reddit, for one, moved fast to patch its servers when Heartbleed first came to light, but it was still vulnerable to the bug.
“You need to look at every part of the system that can talk to the outside,” Buda said.
Since Meldium published its Reverse Heartbleed tool, people have been using it to help illuminate the sites that still need patching. Buda admits the user interface for the Reverse Heartbleed tool itself needs a little fixing, but in general, you “press the big blue button” and the tool will generate a URL with malicious code. If you copy and paste that URL into an agent (like a Facebook or Twitter status update), the tool will try to fetch the URL. You’ll know you’re safe if you receive an SSL connection error.
Servers are typically thought of as the defensive perimeter while the inside is considered safe, but Buda said you need to examine every part of your system that communicates with outside computers, servers, or systems.
When Buda heard about Heartbleed, he said Meldium tested its own servers.
“We were vulnerable to the normal attack and patched it right away,” he said. “It turned out that patch covered us.”
But in researching Heartbleed on Twitter, Buda saw a tweet that suggested the attack could theoretically be reversed. “I can’t claim credit for inventing this,” Buda said. “We wanted to be the first to have a working exploit,” though he built it with the hopes that the community would use it and help root out all the systems that need to be patched.
Routers, which are used in both public and private networks, including homes, can also be breached.
As many as 65 different Cisco products are known to be vulnerable to the Heartbleed bug, and others are still being evaluated. Many of the company’s most popular products, including Webex Messenger, Jabber client, Cisco IOS XR, Telepresence System 1100, Video Surveillance Media Server Software and Unified Operations Manager, were found to be susceptible to Heartbleed.
“Multiple Cisco products incorporate a version of the OpenSSL package affected by a vulnerability that could allow an unauthenticated, remote attacker to retrieve memory in chunks of 64 kilobytes from a connected client or server,” according to the Cisco alert.
Juniper Networks also alerted customers of products that are compromised, though you need an account to log in to get the information.
Virtualization Opens Many Doors To Heartbleed
VMware, for its part, lists more than 20 products that may be vulnerable to Heartbleed, including ESXi 5.5, vCloud Networking and Security, and the VMware Horizon View virtual desktop client for several operating systems, including Windows, Macintosh, iOS, and Android.
Citrix is still evaluating how its products are affected. Netscaler is safe, as are released versions of Citrix XenServer. However, some virtualization products are vulnerable, including Citrix XenMobile App Controller, and Citrix advises users of its Citrix Web Interface are advised to check whether deployed servers using Web Interface are vulnerable.
Other Citrix products, including GoToAssist, GoToMeeting, GoToTraining, GoToWebinar, OpenVoice, ShareFile, as well as our Citrix Labs products (GoToMeet.me, Convoi, Talkboard, Hu.tt) are not vulnerable,” Citrix writes.
Users of released versions of Citrix XenServer are safe;
As long as the vulnerable version of OpenSSL is in use it can be abused. Fixed OpenSSL has been released and now it has to be deployed. Operating system vendors and distribution, appliance vendors, independent software vendors have to adopt the fix and notify their users. Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use.
“So many websites and applications are using this protocol, and until someone fixes it, the vulnerability is still open,” said Amtel CEO PJ Gupta. “Every company has to fix it, and once you fix the code, you need to change your passwords.”
But will fixing the code and changing one’s passwords be enough? Software developer Dave Winer thinks not.
“It’s hard to imagine something worse happening. And I think we’re late responding to it,” Winer wrote on his blog. “If this were a single system so compromised, the right technique would be to go offline and not come back until all the connection points were patched or verified to not need patching, it’s risky that we all keep using the net.”