MESSAGE
| DATE | 2014-04-09 |
| FROM | Ruben Safir
|
| SUBJECT | Subject: [NYLXS - HANGOUT] openssl patches
|
http://www.eweek.com/security/heartbeat-ssl-flaw-puts-linux-distros-at-risk.html/
Home
Security / Heartbeat SSL Flaw Puts
Linux Distros at Risk
right
Heartbeat SSL Flaw Puts Linux Distros at Risk
By Sean Michael Kerner
| Posted 2014-04-08
Email this article Email
Print this article Print
Linux server security
NEWS ANALYSIS: Hours after the flaw's disclosure, many Linux
distributions didn't have a patch. Now that a fix is out, OpenSSL
users should make sure to update their servers.
The Secure Sockets Layer (SSL
) is at the foundation of all
Web based communications, and when security flaws are found, immediate
fixes are required. On April 7, the open-source OpenSSL project issued
an advisory regarding a
critical vulnerability that could potentially leave millions of users at
risk. The flaw?identified as CVE-2014-0160
and
called "TLS heartbeat read overrun"?has been present in OpenSSL since
March 2012, but it was just recently discovered. However, the flaw has
been unofficially dubbed "Heartbleed" by security research firm
Codenomicon, which is the name that has caught on in most subsequent
media reports. "A missing bounds check in the handling of the TLS
[Transport Layer Security] heartbeat extension can be used to reveal up
to 64k of memory to a connected client or server," the OpenSSL advisory
warns.
5 Technology Trends you Need to Follow
Download Now
OpenSSL is an open-source SSL library that is widely used in conjunction
with Web servers and Linux distributions. The flaw was first reported by
Neel Mehta of Google's security team, and the OpenSSL project has issued
a fix with the new OpenSSL 1.0.1g update.
Researchers with security firm Codenomicon also claim to have discovered
the flaw. In a Web page FAQ list on the
Heartbeat flaw, Codenomicon explains that the CVE-2014-0160 bug is in
the OpenSSL's implementation of the TLS/DTLS, or Transport Layer
Security/Datagram Transport Layer Security, heartbeat extension (RFC6520
). "When it is exploited, it leads
to the leak of memory contents from the server to the client and from
the client to the server," Codenomicon states. What that means is that
sessions that were encrypted could be decrypted, thanks to a memory
leak. Going a step further, given that most Web servers use a
single-server key to encrypt SSL, all communications with a vulnerable
server could potentially be at risk. Aside from updating to the new
version of OpenSSL, Web server administrators should also consider
implementing Perfect Forward Secrecy (PFS). PFS is a technique that
creates a new unique session key for each encrypted session that would
limit the risk of retrospective decryption. (A recent eSeminars Live
event offers
insight on PFS). The other big issue with the Heartbeat flaw is how the
bug was actually disclosed. Yes, the OpenSSL project only released its
advisory after it had a fix, which is a good idea; however OpenSSL use
is much wider than just the OpenSSL project. Each individual Linux
distribution has its own packaged version of OpenSSL that needs to be
updated, as well. I contacted Red Hat late in the afternoon on April 7,
and at the time, they were aware of the issue but did not yet have a
patch available for users. At 11 p.m., I received an email from Red
Hat's Fedora project notifying me that new OpenSSL packages were
available to fix the flaw. Red Hat Enterprise Linux users got access to
the patch early on
April 8. While Red Hat and other Linux vendors did not have patches
immediately available when the OpenSSL advisory was released, cloud
security vendor CloudFlare did. In a blog post
,
CloudFlare claims to have fixed the CVE-2014-0160 flaw before it became
public. "As one of the largest deployments of OpenSSL on the Internet
today, CloudFlare has a responsibility to be vigilant about fixing these
types of bugs before they go public and attackers start exploiting them
and putting our customers at risk," CloudFlare blogged. It is unclear
how CloudFlare was able to get access to the flaw information before a
big Linux vendor like Red Hat. A proper responsible bug disclosure
process should have included all stakeholders so that all affected
parties could issue a fix at the same time. With the CVE-2014-0160 flaw,
there was a small window of exposure from the time the OpenSSL project
issued its advisory and CloudFlare blogged on the issue, until Linux
projects had patches available for users. That's just not right and
could have put millions of people at unnecessary risk. In any event, it
is incumbent on all OpenSSL users to immediately make sure that they are
not at risk today and have updated their servers. /Sean Michael Kerner
is a senior editor at /eWEEK/and /InternetNews.com./Follow him on
Twitter -at-TechJournalist/. /Editor's Note: This story has been updated to
include the "Heartbleed" unofficial name for the "TLS heartbeat read
overrun" flaw reported by the OpenSSL Project./
|
|
