TR-21 - OpenSSL Heartbeat Critical Vulnerability

Overview

OpenSSL software is vulnerable to memory leakage to the connected client or server. In other words, anyone can remotely retrieve sensitive information (e.g. secret keys, passwords, confidential document) from the memory of the remote servers without leaving traces. This is a critical vulnerability and you must patch your OpenSSL software as soon as possible.

OpenSSL version 1.0.1 and 1.0.2-beta releases are affected by this vulnerability including 1.0.1f and 1.0.2-beta1. Prior version are not vulnerable to this vulnerability.

After patching, all sensitive information need to be evaluated especially private keys or credentials. We recommend, at least, to regenerate the X.509 key materials and do an impact assessment on the potentially leaked information.

Recommendations

You should apply the OpenSSL updates provided by the software distributors:

• Ubuntu USN-2165-1: OpenSSL vulnerabilities
• Ubuntu CVE-2014-0160 detailed information per release
• Debian DSA-2896-1 openssl – security update
• Red Hat RHSA-2014:0376-1 Red Hat Enterprise Linux 6
• Red Hat RHSA-2014:0377-1 Red Hat Storage Native Client for Red Hat Enterprise Linux
• CentOS 6 CVE-2014-0160 CentOS 6 openssl heartbleed workaround
• Gentoo glsa-201404-07 OpenSSL: Information Disclosure
• Novell/Suse SUSE Linux Enterprise Server 11 and older versions with openssl 0.9.8 are not affected. Only openSUSE 12.3 and 13.1 are shipping affected versions currently.
• openSUSE 12.3 and 13.1, which include openssl 1.0.1e.
• Tor components affected by OpenSSL bug CVE-2014-0160
• mod_spdy binary bugfix release (v0.9.4.2)
• stunnel OpenSSL DLLs updated to version 1.0.1g. This version mitigates TLS heartbeat read overrun (CVE-2014-0160)
• Fedora 19 Update: openssl-1.0.1e-37.fc19.1
• Fedora 20 Update: openssl-1.0.1e-37.fc20.1
• FreeBSD-SA-14:06.openssl OpenSSL multiple vulnerabilities
• OpenBSD 5.5 errata 2, Apr 8, 2014
• OpenBSD 5.4 errata 7, Apr 8, 2014
• OpenBSD 5.3 errata 14, Apr 8, 2014
• FreeRADIUS version 2 and Version 3 of FreeRADIUS are vulnerable to the attack
• OpenVPN Access Server 1.8.4 –> 2.0.5
• Cisco Security Advisory - OpenSSL Heartbeat Extension Vulnerability in Multiple Cisco Products
• Juniper Security Advisory - Out of Cycle Security Bulletin: Multiple products affected by OpenSSL “Heartbleed” issue
• Zimbra ZCS 8.0.7 has been rebuilt to include fix for OpenSSL Heartbleed Vulnerability
• EMC RSA Products: Heartbleed OpenSSL
• Fortinet/Fortiguard products affected by Heartbleed
• pfSense 2.1.2 vulnerability fixed
• VMware product updates address OpenSSL security vulnerabilities
• Oracle OpenSSL Security Bug - Heartbleed CVE-2014-0160
• McAfee Security Bulletin – OpenSSL Heartbleed vulnerability patched in McAfee products
• Sophos - Advisory: Critical vulnerability found in OpenSSL affecting Sophos products
• Polycom - Security Advisory Relating to OpenSSL Vulnerability “Heartbleed” on Various Polycom Products
• Kerio Connect / Control / Operator - OpenSSL vulnerability CVE-2014-0160 (Heartbleed)
• Synology Product Security Advisory
• RealVNC Heartbleed statement
• Asterisk, Heartbleed, and You
• WatchGuard 11.8.3 Update 1 now available to fix Heartbleed vulnerabilty in Fireware XTM OS
• Situational Awareness Alert for OpenSSL Vulnerability (Update C) from ICS-CERT

It’s important to note that some distributions use their own version numbering scheme for the OpenSSL package. If the distribution backports functionalities from OpenSSL into older versions, you might be vulnerable too.

You may not have realized that Canonical changed its policy regarding the support length of non-LTS releases. The first release concerned by the new policy is Ubunty 13.04 (Raring Ringtail) and do not receive any support since 2014-01-27, which means that all the running instances you might have are vulnerable to Heartbeat and will not be patched.

The procedure to update Ubuntu 13.04 by recompiling OpenSSL is the following:

apt-get build-dep openssl
apt-get source openssl
cd openssl-1.0.1c/
vi Configure
add -DOPENSSL_NO_HEARTBEATS to $debian_cflags (line 109)
dpkg-buildpackage -uc -b
cd ..
Look at the installed openssl packages:
dpkg -l | grep -w 'libssl\|openssl'
Install the required packages with dpkg:
dpkg -i *.deb

If you cannot upgrade your OpenSSL directly, you can recompile your OpenSSL with the DOPENSSL_NO_HEARTBEATS option to disable the feature having the vulnerability. Don’t forget to restart your services and ensure that the adequate libraries are loaded.

All the services you will see by running this command are still using the old and vulnerable library and have to be restarted:

lsof -n | grep DEL | grep libssl

To verify which running processes/binaries use OpenSSL, you can do the following:

lsof | grep libssl

How to test your TLS/SSL server?

A checker tool and a web site is available to test if a TLS server is vulnerable.

Metasploit framework provides a module that implements the OpenSSL Heartbleed issue.

If you have an access to your system, you can run the following OpenSSL command to get its version:

$ openssl 
OpenSSL> version
OpenSSL 1.0.1 14 Mar 2012
OpenSSL>

Detecting OpenSSL Heartbleed with NIDS

• Detecting OpenSSL Heartbleed with Suricata
• Indicator of Compromise to detect successful exploitation with Snort

Are the services like SMTP, XMPP, IMAP, SSL VPN using TLS affected?

If the service is using TLS/SSL and relies on vulnerable OpenSSL with the heartbeat extension, the service is probably vulnerable to data leakage. You should contact your software vendor as soon as possible to get a fix. Don’t forget to renew credentials and cryptographic key materials that might have leaked in that context. The vulnerability is not limited to HTTP over TLS but applicable to all protocols relying on TLS. Don’t forget that other protocols than TCP like UDP or encapsulated TLS over custom protocols are also vulnerable.

Are OpenSSL clients vulnerable too?

OpenSSL clients are also vulnerable. So a malicious server could abuse a vulnerable OpenSSL client to trigger the vulnerability and dump the memory of the client. There is a tool to abuse OpenSSL clients available showing the practicality of the exploitation.

If you use OpenSSL as a client (usually bundled/used by many tools like curl, wget on Unix and Windows), you have to patch your client software as well.

What are the unaffected software or protocols by CVE-2014-0160?

• OpenSSH and SSH is not vulnerable to CVE-2014-0160. OpenSSH relies on some cryptographic functions from OpenSSL but not the TLS part. The SSH protocol contains its own keepalive protocol and doesn’t rely on TLS.

References

• CVE-2014-0160 The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeart Extension packets
• The Heartbleed Bug
• OpenSSL Security Advisory - TLS heartbeat read overrun (CVE-2014-0160)
• Diagnosis of the OpenSSL Heartbleed Bug

Contact

If you have any question about this vulnerability, feel free to contact us.

Classification of this document

TLP:WHITE information may be distributed without restriction, subject to copyright controls.

Revision

• Version 1.7 April 18, 2014 ICS-CERT advisory for ICS system (TLP:WHITE)
• Version 1.6 April 18, 2014 Additional vulnerable software (TLP:WHITE)
• Version 1.5 April 14, 2014 Additional vulnerable software (TLP:WHITE)
• Version 1.4 April 13, 2014 Additional vulnerable software added + protocol notes (TLP:WHITE)
• Version 1.3 April 10, 2014 Client side vulnerability added (TLP:WHITE)
• Version 1.2 April 9, 2014 Information about additional vulnerable software added (TLP:WHITE)
• Version 1.1 April 8, 2014 Initial version (TLP:WHITE)