Defending your site against the Heartbleed vulnerability

By Unknown, Wednesday, April 9, 2014
Earlier this week US-CERT released details of a vulnerability (CVE-2014-0160) in OpenSSL, a software package used by many web servers such as Apache and nginx to provide encryption for HTTPS connections. OpenSSL versions in the 1.0.1 series prior to 1.0.1g with the RFC6520 TLS heartbeat extension enabled are susceptible, accounting for an estimated 500,000 servers worldwide. To mitigate this threat, server administrators must upgrade to OpenSSL 1.0.1g or recompile existing 1.0.1 implementations with the -DOPENSSL_NO_HEARTBEATS flag.

By exploiting this vulnerability an intruder is able to read up to 64 KB of server memory per request, potentially revealing the site's SSL private key and other confidential information such as login names and passwords. This vulnerability is particularly dangerous because it has existed for the past 2 years, and it is almost certain that those with nefarious intentions have been exploiting it for quite some time. This means that all login names, passwords, and SSL keys on affected systems must be considered compromised.

A hacker with a stolen SSL key is particularly dangerous. It makes it possible for the hacker to poison a DNS cache and create a seemingly perfect clone of the site for which the SSL key was issued. Visitors will believe that they are visiting the real site and will see the SSL padlock as expected, with zero indication that they have been redirected to a malicious copy of the site, almost certainly resulting in theft of the visitors' private information such as login credentials, identifying information, financial data, and so forth.

Black Lotus recommends that system administrators take the following course of action:

- Ensure that web servers are not running a vulnerable OpenSSL implementation.
- In the event that the server was ever running a vulnerable OpenSSL implementation, contact the SSL certificate authority for any keys which may have been compromised and request revocation of the certificate. A new SSL certificate based on a new CSR will be required.
- To be certain, test your site using this tool.
- Regardless of the outcome of the aforementioned test, change all passwords, continue to do so frequently, and do not use common passwords across multiple sites.
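The first item above, and the upgrade-or-recompile guidance earlier in the post, both come down to two local checks: is the installed OpenSSL in the susceptible 1.0.1 range, and if so, was it built with heartbeats disabled? The script below is an added example, not part of the original post or a Black Lotus tool. It assumes that `openssl version` prints the version as its second word (e.g. `OpenSSL 1.0.1e 11 Feb 2013`) and that a `-DOPENSSL_NO_HEARTBEATS` define passed at build time shows up in the `compiler:` line of `openssl version -a`; the version strings used for the self-check are constructed.

```sh
#!/bin/sh
# Added example (not from the original post): classify a local OpenSSL
# install against the susceptible range the post describes (1.0.1 series
# before 1.0.1g) and check for the -DOPENSSL_NO_HEARTBEATS build flag.

# Return 0 (true) when the bare version string is in the susceptible range:
# the unlettered 1.0.1 release and 1.0.1a through 1.0.1f. Everything else,
# including 1.0.1g, the 1.0.0 series and 0.9.8, returns 1.
heartbleed_version_susceptible() {
    case "$1" in
        1.0.1)      return 0 ;;   # original 1.0.1 release
        1.0.1[a-f]) return 0 ;;   # 1.0.1a .. 1.0.1f
        *)          return 1 ;;
    esac
}

# $1: output of `openssl version`   (e.g. "OpenSSL 1.0.1e 11 Feb 2013")
# $2: output of `openssl version -a` (multi-line; includes a "compiler:" line)
# Prints one of: clean, mitigated-by-build-flag, susceptible.
# Returns 1 only for the susceptible case so callers can branch on it.
heartbleed_assess() {
    flags=$2
    set -- $1                      # split the version line into words
    ver=$2                         # second word is the version number

    if ! heartbleed_version_susceptible "$ver"; then
        printf 'clean\n'
        return 0
    fi
    # Assumption: a -DOPENSSL_NO_HEARTBEATS define given to Configure is echoed
    # back in the "compiler:" line of `openssl version -a`.
    case "$flags" in
        *OPENSSL_NO_HEARTBEATS*)
            printf 'mitigated-by-build-flag\n'
            return 0 ;;
    esac
    printf 'susceptible\n'
    return 1
}

# Live check of whatever openssl binary is on PATH (skipped if none).
if command -v openssl >/dev/null 2>&1; then
    v=$(openssl version)
    a=$(openssl version -a)
    printf 'installed: %s -> ' "$v"
    heartbleed_assess "$v" "$a" || true
fi
```

One caveat a practitioner will want: several distributions shipped the fix as a backported patch while keeping the 1.0.1e version string, so a `susceptible` result from this script means "check your vendor's changelog and `openssl version -b` build date", not necessarily "still vulnerable". The reverse is safer: `clean` on 1.0.1g or later, or `mitigated-by-build-flag`, is a genuine negative for the library itself, though the post's point about proxies still applies, since the binary you inspect here is only the one terminating TLS on this host.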

Black Lotus is proactively responding to this threat by testing internal systems and those of managed clients. We have confirmed that no Black Lotus systems have been impacted by this vulnerability and that no confidential information, such as customer login credentials, has been compromised. Regardless, we encourage customers to use the aforementioned tool to test for this vulnerability. In the event that a web server is deemed vulnerable, it is important to inspect not only the origin web server but also any proxy, such as a DDoS protection service, that may be handling traffic for the site, as an OpenSSL implementation on either could result in a leak.

If you have any concerns about the security of your Black Lotus server or DDoS protection service please contact support@blacklotus.net for immediate remediation assistance.