Blue Coat Labs

Widespread "Heartbleed" Bug Affects SSL Servers

Andrew Brandt

Unless you've been under a rock for the past day, you've probably already heard the news about the so-called "Heartbleed" bug affecting SSL servers.

The gist of the bug is that, using specialized techniques, it's possible for an attacker on the Internet to obtain secret information from Web servers that use various versions of the open-source OpenSSL library to handle their secured HTTPS traffic. That secret information could include the private keys the site uses to identify itself to a visitor's browser. If those keys were leaked and retrieved, it's reasonable to assume the attacker would be able to impersonate a legitimate Web site with otherwise impeccable credentials.

But it's more than just that. "If the attacker manages to randomly grab the key material, it can then be used to decrypt any captured sessions (with most non-DH versions of SSL/TLS)," says Blue Coat CTO Joe Levy. "Also, repeatedly attacking a vulnerable site will almost certainly reveal sensitive data, like usernames/passwords out of live sessions/traffic running through the box." We've confirmed this to be the case using the publicly-available proof-of-concept tools.

The vulnerability is widespread because OpenSSL is used in literally thousands of software and hardware products. The silver lining to this grim-looking cloud is that the vulnerability leaks arbitrary, and kind of random, data that happens to be in the Web server's memory buffer at the time. Sometimes (maybe often) an attack will yield junk, but other times it will deliver up the keys to the kingdom. The attacker can simply hit the site again and again, retrieving 64kb-sized chunks of memory, until he or she gets whatever they want.

While a patch is currently available, it will take time for the creators of those products which use the OpenSSL library to update their software and release finished versions of their products not vulnerable to the bug. To quote the authors of the Tor Project's blog, "If you need strong anonymity or privacy on the Internet, you might want to stay away from the Internet entirely for the next few days while things settle." (Emphasis mine)

For the rest of us, this makes today the most epic Patch Tuesday ever (even though it doesn't affect Microsoft Windows directly). It marks the beginning of a period of time where we know, until the fix is in, our credentials could be stolen or leaked, and whole Web sites impersonated by criminals or others, with no way to detect the abuse of the bug (at the moment). There's an easy-to-use testing tool available if you want to check the security of your favorite Web sites, but there's really not a lot the average non-sysadmin can do right now, other than prepare to change all your passwords to every site you use in the next few days, clear those cookies, and be prepared for an increase in the general nuisance-level of the Internet.
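The mechanism described above, and the detection gap the paragraph mentions, both come down to one field: a TLS heartbeat message (RFC 6520) carries a declared payload length, and a vulnerable server copies that many bytes back regardless of how many the request actually contained. The check the OpenSSL patch added is the same check a network sensor can apply to any heartbeat record it can see in the clear. The following is an added illustration, not code from the original post or from Blue Coat; the record layout follows RFC 6520, while the sample records, the `scan` and `check_heartbeat` function names and the verdict strings are this example's own constructions.

```python
import struct

TLS_HEARTBEAT = 24               # TLS record content type for heartbeat (RFC 6520)
TLS_APPLICATION_DATA = 23
HB_REQUEST, HB_RESPONSE = 1, 2   # HeartbeatMessageType values
MIN_PADDING = 16                 # RFC 6520 requires at least 16 bytes of padding


def parse_tls_records(data: bytes):
    """Yield (content_type, version, body) for each complete TLS record in data."""
    off = 0
    while off + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) < length:   # truncated capture: stop rather than guess
            break
        yield ctype, version, body
        off += 5 + length


def check_heartbeat(body: bytes) -> str:
    """Classify one heartbeat record body.

    Layout: 1 byte type, 2 bytes payload_length, payload, >= 16 bytes padding.
    A well-formed message therefore satisfies
        1 + 2 + payload_length + 16 <= len(body)
    which is exactly the bound the patched OpenSSL enforces before copying.
    """
    if len(body) < 3:
        return "malformed-short"
    hb_type, claimed_len = struct.unpack("!BH", body[:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return "malformed-type"
    if 1 + 2 + claimed_len + MIN_PADDING > len(body):
        return "oversized-length"   # declared length exceeds what was sent
    return "ok"


def scan(data: bytes):
    """Return [(record_index, verdict)] for every heartbeat record in a byte stream."""
    findings = []
    for idx, (ctype, _version, body) in enumerate(parse_tls_records(data)):
        if ctype == TLS_HEARTBEAT:
            findings.append((idx, check_heartbeat(body)))
    return findings


def tls_record(ctype: int, body: bytes, version: int = 0x0302) -> bytes:
    """Wrap a body in a TLS record header (constructed helper for the samples)."""
    return struct.pack("!BHH", ctype, version, len(body)) + body


# Constructed sample traffic (not captured data): one application-data record,
# one well-formed heartbeat request, and one whose declared length (16 KB)
# far exceeds the 16 bytes that were actually sent.
GOOD_HB = tls_record(
    TLS_HEARTBEAT,
    bytes([HB_REQUEST]) + struct.pack("!H", 4) + b"ping" + b"\x00" * MIN_PADDING,
)
BAD_HB = tls_record(
    TLS_HEARTBEAT,
    bytes([HB_REQUEST]) + struct.pack("!H", 0x4000) + b"\x00" * MIN_PADDING,
)
APP_DATA = tls_record(TLS_APPLICATION_DATA, b"GET / HTTP/1.1\r\n")
SAMPLE_STREAM = APP_DATA + GOOD_HB + BAD_HB

if __name__ == "__main__":
    for idx, verdict in scan(SAMPLE_STREAM):
        print(f"record {idx}: heartbeat {verdict}")
```

One caveat: the length fields are only visible to a passive sensor while the records are still in the clear. Once a session has switched to encrypted records, the check has to run inside the TLS implementation itself, which is what the OpenSSL fix does.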

If you have any kind of networked devices in your home, and those devices (like home routers, network-attached storage, or media players) use HTTPS for their management pages, it might be prudent to check with the Web sites of the devices' manufacturers for firmware updates. If you run content management systems like WordPress or Joomla, or any of hundreds of Web-based software packages, check with the companies or organizations that publish those packages for updates and apply them as soon as possible.

This is a very serious bug with long-term consequences affecting a truly extraordinary number and variety of Internet-connected things, including many very high-traffic Web sites. While the sites will eventually be cleaned up, some of the vulnerable embedded systems (like home routers) may never be patched. As a result, some percentage of vulnerable devices will continue to be vulnerable in perpetuity. We'll continue to monitor the situation and will alert you to updates as we find out about them.