As you may already know, last night a vulnerability affecting OpenSSL was reported and it most likely affects your organization. The "Heartbleed" SSL vulnerability affects widely deployed versions of the OpenSSL library, which is used in the majority of software, including web-, email-, database- and chat-servers.
How does it work?
This vulnerability allows an attacker to read a portion of memory from the remote system without needing any credentials or other form of authentication. The leaked memory areas might contain a wide range of content, from leftover data of previous communications and log messages up to the private key material used by the service/daemon. For this reason, many different attack scenarios can result from the vulnerability. An attacker who obtains the private key of the server certificate can subsequently mount man-in-the-middle attacks against clients and impersonate the server/service.
We're also seeing some reports of leaked details like account names and passwords from Yahoo!
Who is affected?
Only the 1.0.1 and 1.0.2-beta releases of OpenSSL are affected (including 1.0.1f and 1.0.2-beta1); however, our initial scans of public-facing services indicate that there are hundreds of thousands of servers using affected library versions connected to the internet. As this problem also affects other protocols and services – such as mail servers and databases – we assume that overall we're looking at millions of vulnerable systems connected to the public Internet.
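As an added example (not part of the original post or of any Rapid7 tool), the following script classifies `openssl version` banners against the affected range stated above and sorts a constructed host inventory into those that need patching plus key rotation, those that are clear, and those needing a manual look. Hostnames and banners are constructed sample data.

```python
import re
from typing import Optional

# Matches banners printed by `openssl version`, e.g. "OpenSSL 1.0.1e 11 Feb 2013"
# or "OpenSSL 1.0.2-beta1 24 Feb 2014". Group 4 is the patch letter, group 5 a
# pre-release tag such as "beta1".
BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?", re.IGNORECASE)

def parse_banner(banner: str) -> Optional[tuple]:
    """Return (major, minor, fix, letter, prerelease) or None if unparseable."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, fix, letter, pre = m.groups()
    return int(major), int(minor), int(fix), letter.lower(), (pre or "").lower()

def is_heartbleed_version(banner: str) -> Optional[bool]:
    """True if the upstream release is in the affected range, False if not,
    None if the banner could not be parsed. Upstream versions only: distributions
    that backport the fix keep the old banner, so check package versions there."""
    parsed = parse_banner(banner)
    if parsed is None:
        return None
    major, minor, fix, letter, pre = parsed
    if (major, minor, fix) == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f are affected; 1.0.1g carries the fix.
        return letter <= "f"
    if (major, minor, fix) == (1, 0, 2):
        # Only the 1.0.2-beta1 pre-release was affected; later betas and the
        # final 1.0.2 release were built after the fix.
        return pre == "beta1"
    # 0.9.8 and 1.0.0 never shipped the TLS heartbeat extension.
    return False

# Constructed sample inventory (not real hosts): banner as reported on each machine.
SAMPLE_INVENTORY = {
    "web-01.example.test": "OpenSSL 1.0.1e 11 Feb 2013",
    "mail-01.example.test": "OpenSSL 1.0.1g 7 Apr 2014",
    "db-01.example.test": "OpenSSL 1.0.0k 5 Feb 2013",
    "lb-01.example.test": "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "legacy.example.test": "OpenSSL 0.9.8y 5 Feb 2013",
    "odd.example.test": "LibreSSL 2.0.0",
}

def triage(inventory: dict) -> dict:
    """Split hosts into: rotate_keys (patch, then reissue and revoke certs),
    clear (not in the affected range), unknown (banner needs a manual check)."""
    report = {"rotate_keys": [], "clear": [], "unknown": []}
    for host, banner in sorted(inventory.items()):
        verdict = is_heartbleed_version(banner)
        bucket = "unknown" if verdict is None else ("rotate_keys" if verdict else "clear")
        report[bucket].append(host)
    return report
```

A host landing in `rotate_keys` needs the full procedure, not just the update: the banner says nothing about whether its key was already read, so treat the key as exposed.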
To get more specific, the data from Rapid7 Labs' Project Sonar shows the following OpenSSL data from the current 'HTTP only' dataset:
How do you protect yourself?
We strongly recommend you update any affected systems immediately. You can download the patched update here: https://www.openssl.org/source/.
In addition, to mitigate attacks resulting from any potentially leaked keying material, any SSL keys from affected systems should be replaced. This means getting a new key from your certificate authority, generating new certificates, and revoking the old ones. Depending on the service/protocol, you may need to take additional measures to protect data that may potentially have been leaked.
We can't stress these steps enough. There are no indicators of compromise for this attack; there is no way to know if your private key was taken. Organizations need to deploy new certificates from new keys, and revoke the old.
Users of affected services are also at risk and we highly recommend you change your passwords. The challenge is that you need to change your password AFTER the affected service has taken the necessary steps to mitigate the risk on their side. It doesn't hurt to change it immediately, and then change it again after the services are updated, but remember: do NOT reuse passwords! We're hopeful that larger service providers will all be patched within the next 24-48 hours, and you should definitely change your password once that happens.
In the meantime, it's best not to log in to any accounts if you are unsure whether the provider is still vulnerable. The bug affects memory content on the server side, so if my credentials are not present there because I have not used the account, there is little to no chance of compromise.
How can we help?
We also have an exploit available in Metasploit so you can test your defenses and the impact of exploiting this vulnerability in your environment. The open source version of Metasploit is not affected by the vulnerability and can be downloaded for free.
For more information on Heartbleed, please visit: http://heartbleed.com
Other Heartbleed resources:
We have a number of free tools, FAQs, videos and other content to help you understand and mitigate your risk around Heartbleed. See the full list at: OpenSSL Heartbleed Vulnerability CVE-2014-0160: Protecting Your Organization