Version 1.0 – Friday April 11, 2014
This document will be updated and maintained as new or updated information becomes available. Continue to check this page for updates.
What is Heartbleed?
The Heartbleed bug is a vulnerability discovered in the TLS heartbeat mechanism built into certain versions of the popular OpenSSL library. OpenSSL is one of the technologies employed by many sites online to create an encrypted communication session between a user and a website.
Has something like this happened before?
Yes, attacks on TLS and OpenSSL have happened in the past. In 2011, the BEAST (Browser Exploit Against SSL/TLS) exploit was created which took advantage of a weakness found in TLS version 1.0 first discovered in 2002 in order to stealthily steal authentication tokens and decrypt the communication between a web server and a browser. What’s unique about Heartbleed is that there was not a requirement to intercept communications between a user and a server.
Who is affected?
If you use the Internet, it is all but guaranteed that you have been impacted in some fashion by the Heartbleed bug. While reports have stated various numbers of sites potentially exposed to Heartbleed – as many as two-thirds of all sites on the Internet using SSL/TLS – we can safely say that no corner of the Internet is untouched by this bug. From the websites you use on a daily basis to devices like IP phones and routers, millions of devices and sites rely on OpenSSL to provide secure communications. In fact, Heartbleed potentially impacts many users and devices other than servers. Researchers have demonstrated “reverse” Heartbleed POCs that provide the potential for a malicious server to attack a client instead of a client attacking a server.
How does it work?
The flaw in OpenSSL was introduced in OpenSSL version 1.0.1 and has persisted through subsequent versions up to version 1.0.1f. The flaw exists in a call to memcpy() that failed to do a bounds check. An attacker can force OpenSSL to send back the contents of server memory, in 64KB chunks. Inside those 64KB chunks of server memory can be confidential information such as usernames, passwords, the secret keys used to encrypt data, credit card numbers, or other information that would normally be encrypted and unviewable. In other words, a vulnerable server can be exploited to reveal sensitive information that it shouldn’t. This can lead to identity theft or other types of cybercrime.
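To make the missing bounds check concrete, here is an added example (it is not code from this FAQ or from OpenSSL itself) that models a heartbeat record in the RFC 6520 layout, type(1) | payload_length(2) | payload | padding. One function computes how far past the received record an unchecked copy of the claimed length would read, without performing that read; the other is the hardened handler with the length check the fix introduced. The two records are constructed test data, and the HB_ names are this example's own.

```c
/* Added example, not code from the original FAQ or from OpenSSL itself:
 * a model of TLS heartbeat record handling (RFC 6520 layout:
 * type(1) | payload_length(2) | payload | padding(>=16)) showing the
 * length check whose absence was Heartbleed. All records here are
 * constructed test data; nothing reads real process memory. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* minimum padding RFC 6520 requires */

/* Constructed records: both carry a 4-byte payload ("ping") plus padding,
 * but HB_BAD claims 0xFFFF payload bytes in its length field. */
static const uint8_t HB_BAD[3 + 4 + HB_PADDING]  = { HB_REQUEST, 0xFF, 0xFF, 'p', 'i', 'n', 'g' };
static const uint8_t HB_GOOD[3 + 4 + HB_PADDING] = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };

/* 16-bit big-endian payload length field. */
static uint16_t hb_payload_len(const uint8_t *rec) {
    return (uint16_t)((rec[1] << 8) | rec[2]);
}

/* Unchecked logic, modelled rather than executed: how many bytes past the
 * end of the received record a memcpy() of the claimed length would read.
 * 0 means the claimed length fits inside the record. */
size_t hb_unchecked_overread(const uint8_t *rec, size_t rec_len) {
    if (rec_len < 3) return 0;
    size_t claimed = hb_payload_len(rec);
    size_t present = rec_len - 3;             /* payload bytes actually received */
    return claimed > present ? claimed - present : 0;
}

/* Hardened handler with the bounds check added in the OpenSSL fix:
 * reject the record unless 1 + 2 + payload + 16 fits in the record length.
 * Writes a response into out and returns its length, or -1 to discard. */
int hb_checked_reply(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    if (rec_len < 1 + 2 + HB_PADDING) return -1;          /* too short to be valid */
    if (rec[0] != HB_REQUEST) return -1;
    size_t payload = hb_payload_len(rec);
    if (1 + 2 + payload + HB_PADDING > rec_len) return -1; /* the check Heartbleed lacked */
    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xFF);
    memcpy(out + 3, rec + 3, payload);         /* now guaranteed to stay inside rec */
    memset(out + 3 + payload, 0, HB_PADDING);  /* fresh padding, not echoed from the request */
    return (int)resp_len;
}

/* Run the checked handler on a record; return the response length, -1 if
 * discarded, or -2 if the echoed payload did not match (should never happen). */
int hb_demo_reply(const uint8_t *rec, size_t rec_len) {
    uint8_t out[64];
    int n = hb_checked_reply(rec, rec_len, out, sizeof out);
    if (n < 0) return n;
    if (out[0] != HB_RESPONSE || memcmp(out + 3, rec + 3, hb_payload_len(rec)) != 0) return -2;
    return n;
}

int main(void) {
    printf("unchecked over-read for HB_BAD:  %zu bytes\n", hb_unchecked_overread(HB_BAD, sizeof HB_BAD));
    printf("checked handler on HB_BAD:       %d (discarded)\n", hb_demo_reply(HB_BAD, sizeof HB_BAD));
    printf("checked handler on HB_GOOD:      %d byte response\n", hb_demo_reply(HB_GOOD, sizeof HB_GOOD));
    return 0;
}
```

The single comparison in hb_checked_reply is the whole fix: the sender's length field is only trusted after it has been checked against the number of bytes that actually arrived, and a record that fails the check is dropped rather than answered.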
Should I be worried?
Yes. If you are an Internet user, there is a chance that an attacker was able to grab a chunk of server memory that contained some of your personal information, including your username and password. Further, while this bug was only discovered a few days ago, the bug itself has existed for over two years – there is no way to know if someone discovered the bug on their own and quietly exploited it to collect a vast wealth of sensitive and confidential information.
What can I do? How can I check my exposure?
If you are an Internet user:
While at first thought you may think the best course of action is to log in to every site you use online and change every password you have, that may expose you to unnecessary risk: if you log in to a site you rarely use and change your password, and that site has yet to implement a fix, you’re no better off than you were yesterday. In fact, now that the bug is in the wild and people with not-so-ethical intentions are likely silently retrieving server memory, the chance that your new username and password might be stolen is probably higher than it was before.
There are many sites that have been created to help you determine if it is safe to change your password.
· Mashable has created a list of commonly used and popular websites that you can check to see if they are exposed to Heartbleed or have fixed the issue.
· For less-popular sites, sites like LastPass and Filippo.io are available for you to check their current status.
· Reverse Heartbleed (https://reverseheartbleed.com/) can be used to check clients for potential Heartbleed issues.
If the sites above say that the sites you checked are fixed, go ahead and change your password. If they aren’t fixed yet: hang tight, don’t panic. Many companies and sites should have processes in place to deploy updates to code that runs their infrastructure; thorough and complete testing must be done to ensure the fix itself doesn’t break or affect anything else. They should also have in place security solutions such as IPS to mitigate any attempts by an attacker to exploit Heartbleed before a complete fix can be deployed. If you can avoid using those sites until they are fixed, you should do so.
Finally: don’t reuse any old passwords. Create new, never-used passwords and don’t use them in multiple places. You cannot be sure that any of your old passwords remain secure. This might be a good time to switch to a password manager program that can generate random secure passwords. There are many free versions of these programs out there, and many work on both your computer and mobile devices. You may also want to consider moving to two-factor authentication; the additional security protection offered may help protect you in the future. Fortinet has published a white paper discussing how two-factor authentication works and how you can use it to stay safe online. While two-factor authentication in and of itself may not protect you against Heartbleed, it is one of a number of strategies you can employ to better protect you and your personal information online.
If you are a company:
On the server side of the equation, there are multiple things you should do as a best course of action to provide the highest level of security to your employees, users and customers:
- Ensure you have appropriate IPS signatures deployed to monitor and mitigate any potential attacks on your infrastructure. Fortinet issued a Hot Update to our customers with IPS signatures to detect and prevent Heartbleed attacks. In situations such as this, our threat research teams are able to respond to urgent or immediate security incidents promptly to protect our customers (and our customers’ customers) from exploitation.
- Determine the extent of the bug in your systems: how many systems are you using that use OpenSSL? How many of those are using OpenSSL 1.0.1 through 1.0.1f?
- Deploy the patch as soon as possible to all systems affected.
- If it is determined that your systems were impacted by Heartbleed, you may want to consider revoking all of your certificates/keypairs used, and have your Certificate Authority issue replacements. For many companies, this is a massive task – but a very necessary one: due to the silent nature of the attack, you must assume that your secret keys have been compromised and are no longer secret.
- Force all users to reset their passwords upon next login.
- For cases where you are working with customers who use your web assets, send an email to them outlining your current fix status and directing them to your site to change their passwords. Remember though: use best security practices when crafting your email – don’t send a password reset link through email. Phishers and malware authors will undoubtedly use this opportunity to trick unsuspecting users to visit copycat sites in the hopes of obtaining credentials or installing malware.
- Have your PR team make a public statement, both on your site and through your social media channels – reassure your users that you have fixed the issue and it is safe to use your services again. It is much better to address your response to Heartbleed than it would be to remain quiet and have your users question your response.
- Finally, you should do an internal post-mortem analysis of all systems affected and the information handled by those systems in order to determine the type of information that was exposed and possibly leaked. Your risk assessment teams should react accordingly.
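For the inventory step above (how many systems run OpenSSL 1.0.1 through 1.0.1f), here is an added example, not part of this FAQ, that classifies an `openssl version` banner against that range. The banners in it are constructed samples and the function name is this example's own. One assumption to keep in mind: it reads only the upstream version string, and distribution builds that backported the fix keep the old upstream number (the package version carries the patch level), so an "affected" result here means "inspect the package further", not "confirmed exposed".

```c
/* Added example, not from the original FAQ: classify an `openssl version`
 * banner against the affected range the FAQ names, 1.0.1 through 1.0.1f.
 * Assumption, stated in the lead-in: this inspects only the upstream version
 * string, so a distro build that backported the fix (still reporting e.g.
 * 1.0.1e) will be flagged and needs a package-level check. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Parse banners of the form "OpenSSL 1.0.1f 6 Jan 2014".
 * Returns 1 if the version lies in 1.0.1 .. 1.0.1f, 0 if it lies outside
 * that range, and -1 if the banner cannot be parsed. */
int heartbleed_affected_banner(const char *banner) {
    int major, minor, patch;
    char letter = 0;
    const char *p = banner;
    while (*p && !isdigit((unsigned char)*p)) p++;        /* skip the "OpenSSL " prefix */
    if (sscanf(p, "%d.%d.%d", &major, &minor, &patch) != 3) return -1;

    /* Step over the three dotted numeric fields to reach the optional patch letter. */
    const char *q = p;
    int dots = 0;
    while (*q && (isdigit((unsigned char)*q) || *q == '.')) {
        if (*q == '.') dots++;
        q++;
    }
    if (dots != 2) return -1;                              /* not a major.minor.patch triple */
    if (*q >= 'a' && *q <= 'z') letter = *q;

    if (major != 1 || minor != 0 || patch != 1) return 0;  /* only the 1.0.1 line is affected */
    return (letter == 0 || letter <= 'f') ? 1 : 0;         /* 1.0.1 (no letter) .. 1.0.1f */
}

int main(void) {
    /* Constructed sample banners in the `openssl version` format. */
    const char *samples[] = {
        "OpenSSL 1.0.1f 6 Jan 2014",
        "OpenSSL 1.0.1 14 Mar 2012",
        "OpenSSL 1.0.1g 7 Apr 2014",
        "OpenSSL 1.0.0k 5 Feb 2013",
        "OpenSSL 0.9.8y 5 Feb 2013",
        "not an openssl banner",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-32s -> %d\n", samples[i], heartbleed_affected_banner(samples[i]));
    return 0;
}
```

Feed it the output of `openssl version` from each host (or the banner your inventory tooling already collects); anything returning 1 goes on the patch list, and anything returning -1 is a host whose OpenSSL build needs a manual look.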
What about Fortinet? How did Fortinet respond?
· FortiGuard’s PSIRT (Product Security and Incident Response Team) became aware of the issue late in the day on Monday April 7th when the bug was publicly disclosed. Our team developed an in-house POC within hours of learning of Heartbleed to verify the bug and begin to determine the extent of our exposure in our products.
· PSIRT issued a security advisory – FG-IR-14-011 on Tuesday with initial information and our industry-leading security research team concurrently created initial IPS signatures to assist customers in determining if attackers attempting to exploit Heartbleed were targeting their systems.
· Patch development began in the morning of Tuesday April 8, and our QA teams began extensively testing the updates.
· Fortinet released OpenSSL.TLS.Heartbeat.Information.Disclosure via Hot Update 4.476 on the morning of April 9th, less than 36 hours after the bug was publicly disclosed.
· Patches to correct the Heartbleed bug started to deploy to our customers on the afternoon of Wednesday April 9th – again, less than 36 hours after we discovered the bug.
· Many of our products were not affected by Heartbleed and a patch is not required. The product security advisory lists our affected products.
FortiGuard Labs as of this writing has not detected any active breaches due to this exploit, but our global team of threat researchers is continually monitoring the threat landscape for any activity. Any further information will be published here when discovered.