The UK computer emergency readiness team (CERT) has issued its first major advisory since it officially opened regarding the OpenSSL vulnerability.
In the advisory, CERT-UK said that it was aware of reports of the vulnerability, which is also known as the Heartbleed bug which affects versions 1.0.1-1.0.1f of the OpenSSL cryptographic library.
It said: “This potentially permits the stealing of information normally protected by SSL/TLS encryption, and could affect applications used for web hosting, email, instant messaging and virtual private networks. This could include sensitive information such as secret keys, user credentials and traffic content. The vulnerability may have existed since as early as December 2011.
“Organisations running vulnerable versions of OpenSSL libraries should upgrade to 1.0.1g as soon as possible.”
The bug allows anyone to read the memory of the systems protected by the vulnerable versions of the OpenSSL software as it compromises keys used to identify the service providers and to encrypt traffic, names and passwords of the users and the actual content. “This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users”, an advisory website said.
A warning was also issued to certificate authorities to check how compromised keys can be revoked and new certificate reissued for the new keys. It also warned that open source web servers running Apache and nginx were vulnerable, as well as email servers (SMTP, POP and IMAP protocols), chat servers (XMPP protocol), virtual private networks (SSL VPNs), network appliances and wide variety of client side software.
The advisory said it was unsure how widespread this exploit was, as it has been in the wild since March. TK Keanini, CTO of Lancope, told IT Security Guru that this was one of the most major vulnerabilities to be reported this year, and warned that it will be around for some time as everyone who is vulnerable will need to remediate.
“Most, if not all of the major websites are aware and have fixed this problem – that is not the major concern. The major concern is everyone else who is affected by this bug as it does not just apply to websites and most have no idea they are at risk,” he said.
“It is not easy for most people to know what version they are running and if this is built into a router or embedded device, chances are very slim that they will ever know. The attacker will also leave no logs when they perform their attack because it is in the part of the code where no logging takes place of the activity.”
Mark Schloesser, security researcher at Rapid7, said: “An attacker who gains access to the private key of the server certificate can subsequently mount man-in-the-middle attacks against clients and impersonate the server/service. Log messages might also contain credentials or affect the privacy of communications by other clients.
“Looking only at web servers, it seems that OpenSSL 0.9.8 and 1.0.0 are still the most popular versions, which are not affected. However we count at least a few hundred thousand servers using affected library versions so that it poses a significant threat. As the same problem affects other protocols / services such as mail servers and databases, we assume that overall we’re looking at millions of vulnerable systems connected to the public internet.”
