Security advisory: critical OpenSSL bug ("heartbleed")

Posted on Tuesday, 8 April 2014

The following message has just been sent out to all technical or administrative contacts for entities registered with the UK Access Management Federation for Education and Research. Its purpose is to inform them of an EXTREMELY SEVERE security problem which will affect many UK federation members, and provide first steps towards mitigation.

We will follow up with additional information in the coming days as it becomes available.

If you are responsible for, or operate, an entity within the UK federation, YOU SHOULD ENSURE that the material below is reviewed by your technical staff as soon as possible, so that you can minimise the impact of this issue on your services.

Summary

On 2014-04-07, the OpenSSL project released a new security advisory for version 1.0.1 of the OpenSSL library. The advisory can be found here:

 https://www.openssl.org/news/secadv_20140407.txt

You can read more about the issue here:

 http://heartbleed.com/

Janet's advisory is here:

 https://community.ja.net/blogs/csirt/article/heartbleed-openssl-vulnerability-cve-2014-0160

This extremely serious bug in the OpenSSL library affects any software using that library, whether as a client or a server. It allows an attacker to extract private information from the memory of the vulnerable system. This may include past traffic or other private information, and will often include the system's private keys.

This advisory will deal only with the compromise of a system's private keys. Depending on configuration, the keys compromised through this vulnerability may include the web server's SSL/TLS private keys, and the private keys of any SAML software you are running on the system.

Action

You should take immediate action to:

  • Determine whether you MAY be vulnerable to the issue. Given the severity of the issue, you should err on the side of caution and assume that you are vulnerable unless proven otherwise.
  • If vulnerable, immediately upgrade the version of the OpenSSL library used by your system to one which is not vulnerable.
  • Restart all affected services.
  • Once you are no longer vulnerable, mitigate the effects of any possible compromise by replacing affected private keys.

Am I Vulnerable?

You are vulnerable to an attack based on this bug if you run any software which is dependent on a version of the OpenSSL library from version 1.0.1 to 1.0.1f inclusive. This includes native code implementations of SAML software but also affects web server software such as Apache and nginx. Java-based software is in general not affected, but you may still be affected if such software is deployed behind a vulnerable web server.

In many cases, the OpenSSL library is provided as part of the operating system distribution. For example, current versions of most Enterprise Linux distributions are affected:

  • RHEL / CentOS 6.5
  • Debian Wheezy
  • Ubuntu 12.04 LTS

OpenSSL may also have been bundled with the web server or SAML software you use. For example, 2.5.x versions of the Shibboleth SP package for Windows are known to be affected.

In exceptional cases, you may have built a custom version of OpenSSL for your own use. This approach has been used on some Unix systems, such as those running Solaris.

To determine whether you are running a version of OpenSSL in the vulnerable range, one of the following commands may be of assistance, depending on your environment:

 openssl version

 yum list openssl

 rpm -q openssl

 dpkg -l openssl
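As an added example (not part of the federation's advisory), the following POSIX shell script applies the 1.0.1 to 1.0.1f range from the advisory to the output of the `openssl version` command listed above. The version strings it is fed at the bottom are constructed test inputs in the format `openssl version` prints; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the UK federation advisory: classify the output
# of `openssl version` against the vulnerable range the advisory gives
# (1.0.1 through 1.0.1f inclusive).

# heartbleed_status "<openssl version output>"
# Prints vulnerable | not-vulnerable | unknown and returns 1 | 0 | 2.
heartbleed_status() {
    # Pull "1.0.1e" (digits, dots, optional patch letter) out of a string
    # such as "OpenSSL 1.0.1e-fips 11 Feb 2013"; anything else is unknown.
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*$/\1/p')
    if [ -z "$ver" ]; then
        echo unknown
        return 2
    fi
    case "$ver" in
        1.0.1|1.0.1[a-f])
            echo vulnerable
            return 1
            ;;
        *)
            echo not-vulnerable
            return 0
            ;;
    esac
}

# check_local_openssl: run the advisory's `openssl version` check on this host.
# Caveat: distribution packages often backport the fix without changing the
# upstream version string, so "vulnerable" here means "confirm against your
# distribution's package changelog or vendor advisory", not "certainly unpatched".
check_local_openssl() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl binary not found; check bundled copies (e.g. Shibboleth SP) separately"
        return 2
    fi
    out=$(openssl version 2>/dev/null)
    printf '%s -> ' "$out"
    heartbleed_status "$out"
}

# Constructed sample strings, one per outcome.
heartbleed_status "OpenSSL 1.0.1e-fips 11 Feb 2013"   # vulnerable
heartbleed_status "OpenSSL 1.0.1g 7 Apr 2014"         # not-vulnerable
heartbleed_status "OpenSSL 0.9.8y 5 Feb 2013"         # not-vulnerable
heartbleed_status "LibreSSL 2.2.7"                    # unknown
```

Run `check_local_openssl` on a host to see its classification; the return code (1 for vulnerable) makes the function usable from a fleet-wide inventory script. Because of the backporting caveat in the comments, treat a "vulnerable" result as a prompt to check the package-manager commands above, not as a final verdict, and remember that a system whose `openssl` binary is clean can still carry a vulnerable copy statically linked or bundled with other software.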

How Do I Get Patched?

If you are running an operating system which ships with OpenSSL, you should find that an update is available now, or will be within the next few days. Updates are already available for RHEL 6.5, CentOS 6.5 and Debian operating systems.

If you are running software which bundled OpenSSL, you should contact the vendor for an update. A new version of the Shibboleth SP software for Windows is expected later this week.

If you built a custom version of OpenSSL for your own use, you should download the latest sources and rebuild OpenSSL and your application.

What Next?

Although this bug was announced without notice to the general public, it is relatively simple to exploit and you should assume that your systems are already under attack if they are vulnerable. It is important to perform the steps described above as soon as possible so as to limit the potential damage to your systems and services.

We will provide more information in the coming days describing remedial action to take if your system has been vulnerable, so that you can safely replace compromised private keys where appropriate.

Please contact the UK federation helpdesk (service at ukfederation.org.uk) if you have any additional questions about this advisory, or if you need help in determining whether your systems are vulnerable.

-- Ian Young, UK federation

Update

We have an update to this announcement at the URL below:

 http://www.ukfederation.org.uk/content/News/2014-04-11-HBUpdate

Edited by SteveGlover on 17 April 2014, at 02:33 PM