FAQ on Heartbleed Security Vulnerability

A serious OpenSSL security flaw/vulnerability nicknamed “Heartbleed” has received a significant amount of attention since it was disclosed a few days ago.

In this post, I am going to share my findings on what Heartbleed is, what it affects, and what it does not affect.

What is SSL?

Let’s start with SSL.  It stands for Secure Sockets Layer, but it’s also known by its new name, TLS (Transport Layer Security).  SSL/TLS is a means of encrypting communication on the web. SSL/TLS provides secure connections and is best known as the security layer behind HTTPS websites.

What is OpenSSL?

OpenSSL is an open source library (a collection of programming code) that implements SSL/TLS. So, for example, if a programmer were writing a program and needed to add TLS security, he could use the OpenSSL library to add that ability to his app.

What is Heartbleed and Why is it called Heartbleed Bug?


The Heartbleed bug is in OpenSSL’s implementation of the TLS heartbeat extension.  So, Heartbleed is a play on heartbeat, because the bug bleeds out information from the server to the client and vice versa.

Important Facts about Heartbleed:

  • Heartbleed is NOT a flaw with SSL/TLS protocol specification, meaning SSL/TLS is not broken.
  • It is an implementation problem, i.e. a programming mistake that was introduced in OpenSSL version 1.0.1, which was released on March 14th, 2012 (but the bug was not discovered until recently).  The bug remained present through version 1.0.1f (inclusive) and it is fixed in 1.0.1g which was released this week, April 7, 2014.
  • When the bug is exploited it leads to the leak of memory contents from the server to the client and vice versa.
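The programming mistake described above was a missing length check in the heartbeat handler. As an added example (not OpenSSL’s own code), here is a minimal heartbeat record handler in C with that check in place; the names hb_handle and hb_roundtrip and the 1024-byte buffers are assumptions for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* RFC 6520 heartbeat record: type(1) | payload_length(2) | payload | padding(>=16) */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define HB_BUF      1024   /* buffer size chosen for this example, not from OpenSSL */

/* Hardened handler: echoes the request payload back as a response into out.
 * Returns the response length, or 0 when the record must be silently
 * discarded (RFC 6520: payload_length too large for the received message). */
size_t hb_handle(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST)
        return 0;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    /* The bounds check missing in OpenSSL 1.0.1 through 1.0.1f: the declared
     * payload_length must fit inside the bytes actually received; without it
     * the memcpy below would read past the record into process memory. */
    if (1 + 2 + payload_len + HB_PADDING > rec_len)
        return 0;
    size_t resp_len = 1 + 2 + payload_len + HB_PADDING;
    if (resp_len > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);   /* only bytes the peer actually sent */
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return resp_len;
}

/* Builds a request whose header declares declared_len bytes while carrying
 * strlen(payload) bytes, feeds it to hb_handle, and returns the response
 * length (0 = discarded). A mismatch models a malformed record on the wire. */
size_t hb_roundtrip(uint16_t declared_len, const char *payload)
{
    uint8_t rec[HB_BUF], out[HB_BUF];
    size_t actual = strlen(payload);
    rec[0] = HB_REQUEST;
    rec[1] = (uint8_t)(declared_len >> 8);
    rec[2] = (uint8_t)(declared_len & 0xFF);
    memcpy(rec + 3, payload, actual);
    memset(rec + 3 + actual, 0, HB_PADDING);
    return hb_handle(rec, 3 + actual + HB_PADDING, out, sizeof out);
}
```

A well-formed request is echoed with the same payload length, while a request whose header claims more bytes than were received is dropped instead of being answered from adjacent memory.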

What does Heartbleed Affect?

The only apps/services that are affected are those that use a vulnerable version of OpenSSL and have TLS heartbeat support. Other TLS libraries, such as SChannel, are not affected by this bug.

Thus, if you have been wondering whether Heartbleed affects Microsoft’s operating systems, specifically Windows and IIS, the answer is no, because Microsoft does NOT use OpenSSL.  Microsoft Windows, Microsoft Account, and Microsoft Azure all use SChannel, which is NOT susceptible to the Heartbleed vulnerability.

Here is the link to Microsoft TechNet’s blog post by Ben Ari explaining that Microsoft’s Windows operating system is not affected by Heartbleed: http://www.myurls.me/IIS-Heartbleed

So, does that mean you are not affected by Heartbleed at all?  Not necessarily, because software that you run on your Windows system might be vulnerable.  In addition, if you or your users use third-party web services somewhere on the internet and those service providers use vulnerable versions of OpenSSL, then it is very likely that you or your users are affected.

Here is a short list of major vendors you might want to know about, and whether they are affected by Heartbleed or not:

Apple: Not susceptible.  Like Microsoft, Apple uses a different SSL/TLS library, called SecureTransport, which was hit by its own serious bug in February but is not affected by Heartbleed.  For more info, read this article: Apple iOS OSX are not affected by Heartbleed

Cisco: Cisco issued an advisory on Wednesday, April 9, 2014, with a long list of products that are either confirmed vulnerable or under investigation for the vulnerability.

As of today, here are Cisco products that are confirmed to be vulnerable:

  • Cisco AnyConnect Secure Mobility Client for iOS
  • Cisco Desktop Collaboration Experience DX650
  • Cisco Unified 7800 series IP Phones
  • Cisco Unified 8961 IP Phone
  • Cisco Unified 9951 IP Phone
  • Cisco Unified 9971 IP Phone
  • Cisco IOS XE
  • Cisco Unified Communications Manager (UCM) 10.0
  • Cisco Universal Small Cell 5000 Series running V3.4.2.x software
  • Cisco Universal Small Cell 7000 Series running V3.4.2.x software
  • Small Cell factory recovery root filesystem V2.99.4 or later
  • Cisco MS200X Ethernet Access Switch
  • Cisco Mobility Service Engine (MSE)
  • Cisco TelePresence Video Communication Server (VCS)
  • Cisco TelePresence Conductor
  • Cisco TelePresence Supervisor MSE 8050
  • Cisco TelePresence Server 8710, 7010
  • Cisco TelePresence Server on Multiparty Media 310, 320
  • Cisco TelePresence Server on Virtual Machine
  • Cisco TelePresence ISDN Gateway 8321 and 3201 Series
  • Cisco TelePresence Serial Gateway Series
  • Cisco TelePresence IP Gateway Series
  • Cisco WebEx Meetings Server versions 2.x
  • Cisco Security Manager
  • FireAMP Private Cloud virtual appliance

Please click here to read the article on Cisco products that might be affected by Heartbleed

StorageCraft: Only the StorageCraft ShadowControl appliance is affected.  An automatic security update is applied when the appliance is rebooted, so to activate it, simply restart your ShadowControl appliance.  Please click here to read more about how StorageCraft is affected by Heartbleed.

Next time, I am going to write about how you can protect yourself and recover from Heartbleed.

You can learn more about the Heartbleed vulnerability here:

http://www.myurls.me/heartbleed

Heartbleed Bug: What you need to know FAQ

The Heartbleed situation is ongoing and I’ll update this post or write a new post as I compile new information.  Check back for new information.