A new SERIOUS bug in the OpenSSL cryptographic software library came to light this week. The bug is called the Heartbleed bug. Its CVE (Common Vulnerabilities and Exposures) number is CVE-2014-0160. The vulnerability has actually existed for a couple of years; unfortunately, information about it is just now being released.
This vulnerability allows an attacker to break the SSL/TLS encryption used to protect user and system privacy over the internet for applications such as web, email, instant messaging, and virtual private networks (VPNs). The Heartbleed bug allows an attacker to read the vulnerable system's memory that is normally protected by the OpenSSL software. This exposes the secret keys used to identify the service provider and the vulnerable system's encrypted traffic, which could include names, passwords, personal information, HIPAA information, student information, financial information, and anything else that a user or system has transmitted over the encrypted stream.
This is a very serious bug: systems must be patched, and SSL/TLS certificates must be revoked and re-issued after the patch has been applied!
How can we stop the Heartbleed bug?
A new patched version of OpenSSL has been released. Most system vendors, appliance vendors and software vendors have patched their software with updated releases or are doing so now. Please check for system updates. If you have a system or software that uses a version of OpenSSL that is vulnerable to the Heartbleed bug, you MUST patch the system as soon as possible. After the system or software has been patched and the vulnerability has been removed, you MUST revoke your keys and install new certificates for new keys. This is a FREE self-service at UK and can be done by following the directions at: https://www.uky.edu/ukit/security/certs
If you would like the UKAT security team to scan your systems to verify that the patch works or to find vulnerable systems, you can email us here: firstname.lastname@example.org.
All merchants with PCI-DSS systems that are vulnerable are responsible for ensuring that patches are applied and any vulnerable systems are fixed.
What versions of OpenSSL are affected?
Status of different versions:
- OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
- OpenSSL 1.0.1g is NOT vulnerable
- OpenSSL 1.0.0 branch is NOT vulnerable
- OpenSSL 0.9.8 branch is NOT vulnerable
The bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on the 14th of March 2012. OpenSSL 1.0.1g, released on the 7th of April 2014, fixes the bug.
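The first thing to check on each system, before the patch-and-reissue steps above, is which OpenSSL build it is running. The script below is an added example (not part of this advisory or of UKAT's tooling): it takes the first line printed by `openssl version` and classifies it against the version table above. The hostnames and banners in `SAMPLE_BANNERS` are constructed sample input, not real UK systems.

```python
"""Classify `openssl version` banners against the Heartbleed (CVE-2014-0160) version table."""
import re

# Status strings mirror the advisory's table.
VULNERABLE = "VULNERABLE (1.0.1 through 1.0.1f)"
FIXED = "not vulnerable (1.0.1g or later)"
OTHER_BRANCH = "not vulnerable (not in the 1.0.1 series)"

# `openssl version` prints e.g. "OpenSSL 1.0.1e 11 Feb 2013".
# Group 4 is the optional letter suffix ('' for a bare 1.0.1, 'f' for 1.0.1f).
BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)", re.IGNORECASE)


def parse_openssl_version(banner):
    """Return (major, minor, patch, letter) from a version banner, or raise ValueError."""
    m = BANNER_RE.search(banner)
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, patch, letter = m.groups()
    return int(major), int(minor), int(patch), letter.lower()


def heartbleed_status(banner):
    """Map one banner to VULNERABLE, FIXED or OTHER_BRANCH per the advisory's table."""
    major, minor, patch, letter = parse_openssl_version(banner)
    if (major, minor, patch) != (1, 0, 1):
        # 1.0.0 and 0.9.8 branches never shipped the bug.
        return OTHER_BRANCH
    # Letter releases sort lexicographically: '' < 'a' < ... < 'f' < 'g'.
    # 1.0.1 (no letter) through 1.0.1f are vulnerable; 1.0.1g fixed it.
    return VULNERABLE if letter <= "f" else FIXED


def scan_banners(banners):
    """Classify a {hostname: banner} mapping; unparseable banners are reported, not skipped."""
    report = {}
    for host, banner in banners.items():
        try:
            report[host] = heartbleed_status(banner)
        except ValueError:
            report[host] = "UNKNOWN (could not parse banner)"
    return report


def vulnerable_hosts(banners):
    """Sorted list of hosts whose banner falls in the vulnerable range."""
    return sorted(h for h, s in scan_banners(banners).items() if s == VULNERABLE)


# Constructed sample input: what `openssl version` might print on a few hosts.
SAMPLE_BANNERS = {
    "web-a.example.test": "OpenSSL 1.0.1e 11 Feb 2013",
    "web-b.example.test": "OpenSSL 1.0.1g 7 Apr 2014",
    "mail.example.test": "OpenSSL 1.0.1 14 Mar 2012",
    "legacy.example.test": "OpenSSL 0.9.8y 5 Feb 2013",
    "vpn.example.test": "OpenSSL 1.0.0l 6 Jan 2014",
    "appliance.example.test": "not an openssl system",
}

if __name__ == "__main__":
    for host, status in sorted(scan_banners(SAMPLE_BANNERS).items()):
        print("%-24s %s" % (host, status))
```

A caveat when reading the verdict: some Linux distributions backport the fix into their existing package and keep the upstream version string (a patched host can still print 1.0.1e), so a VULNERABLE result from the banner alone should be confirmed against the vendor's package changelog before, and especially after, patching. The reverse does not hold: a host that still reports 1.0.1 through 1.0.1f and has no vendor fix installed needs the patch, and then new keys and certificates.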
What can I do to protect myself?
Since the internet and SSL encryption on the internet are so ubiquitous, it will be hard if not impossible for a user to tell whether a system has been patched or is still vulnerable to the Heartbleed bug. Most of the major companies such as Microsoft, Dell, Cisco, Google, and others have already patched or are in the process of patching their systems. It is highly recommended that you change all of your passwords. It might be a good idea to change them again in a month's time, when more systems will have been patched. Check your cloud systems; they may also be affected. Don't forget your home systems such as routers and home storage devices, etc. Make sure you patch them as well.
What are UKAT and the UKAT security team doing about the Heartbleed bug?
Currently UKAT and the UKAT security team are:
- Scanning UK’s systems for the Heartbleed vulnerability
- Patching UKAT enterprise systems
- Alerting users of vulnerable systems
- Re-issuing SSL certificates
- Communicating with vendors to ensure patches are published for UK systems
- Helping users with Heartbleed support issues
Other places for information:
If you have questions, please feel free to contact the UKAT security team at email@example.com.