
Thursday, April 24, 2014

The Heartbleed OpenSSL Vulnerability – What You Need to Know

The recently discovered Heartbleed bug in the OpenSSL library affects absolutely every internet user.

In response to the numerous support questions we have received over the last two weeks from concerned clients, I feel it is prudent for us to address this frequently raised topic. Before going any further, I want to state clearly: IHOST LLC hosting services ARE NOT AFFECTED. We provide a pure Windows hosting environment and have therefore never used the OpenSSL library, which is at the core of this vulnerability. If you host your websites or applications with us, you should be in good shape. However, read on to understand the scope of this issue and how you may still be exposed.

OpenSSL Heartbeat (Heartbleed) Explained

This video explains how the OpenSSL heartbleed vulnerability works.
You may have heard of this “bug” in the OpenSSL library, known as “Heartbleed” and catalogued as CVE-2014-0160. Perhaps you have even seen the press releases from the major internet giants like Google, Facebook, Yahoo, and others that are scrambling to patch their servers. The bug sits at the core of the popular OpenSSL library's implementation of the TLS “heartbeat” extension, and it allows an attacker to read up to 64KB of the peer's memory per request without leaving any trace for the victim.

So what's the big deal, you may ask? Why should I be concerned? First and most important is the duration of the exposure: the bug has been present from December 2011 until the fix on 7 April 2014, and the window is effectively longer, since it is almost impossible to predict how long vulnerable client and server software will remain in use. The second issue is the nature of the bug. Heartbleed leaks up to 64KB of memory adjacent to the buffer used by the running OpenSSL library, which can expose almost any type of data to an attacker: from the SSL-encrypted login information users submit to the server, to any other data being processed or held in memory next to the vulnerable OpenSSL implementation. The bug also affects client software such as web browsers, so a malicious server can potentially gain access to data in memory on your machine, fully circumventing firewalls, IPS or any other control meant to stop this kind of attack. In fact, the security appliances themselves are now vulnerable, as many include an OpenSSL implementation within their management consoles.
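The length-trust defect described above can be shown in miniature. The following is an added example written for this article, not OpenSSL's own code: a simplified heartbeat handler whose record layout (type, two-byte length, payload, padding) follows the TLS heartbeat message, with a constructed "arena" standing in for process memory so that the over-read stays inside a buffer we own. `hb_process_vulnerable` trusts the peer-supplied length, as OpenSSL did before 1.0.1g; `hb_process_fixed` applies the bounds check the fix introduced and discards the record instead. All function names, the arena and the sample record are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16   /* minimum padding required after the payload */

/* Constructed "process memory" (assumption of this example): the received
 * record sits at the start, and unrelated secret data lies right after it. */
#define ARENA_SIZE 256
static unsigned char arena[ARENA_SIZE];

/* A received record: pointer into process memory plus the length actually received. */
typedef struct {
    const unsigned char *data;
    size_t length;
} hb_record;

/* Parse the 3-byte heartbeat header. Returns 0 on success, -1 if the record is too short. */
static int hb_parse_header(const hb_record *rec, unsigned char *type, unsigned int *payload_len) {
    if (rec->length < 3) return -1;
    *type = rec->data[0];
    *payload_len = ((unsigned int)rec->data[1] << 8) | rec->data[2];  /* n2s() in OpenSSL */
    return 0;
}

/* Shared response builder: echoes `payload_len` bytes starting at `payload`,
 * whether or not that many bytes really belong to the record. */
static int hb_build_response(const unsigned char *payload, unsigned int payload_len,
                             unsigned char *out, size_t out_cap) {
    size_t resp_len = 1 + 2 + (size_t)payload_len + HB_PADDING;
    if (resp_len > out_cap) return -1;   /* model-only guard so the demo never writes past `out` */
    out[0] = TLS1_HB_RESPONSE;
    out[1] = (unsigned char)(payload_len >> 8);
    out[2] = (unsigned char)(payload_len & 0xff);
    memcpy(out + 3, payload, payload_len);           /* the over-read happens here */
    memset(out + 3 + payload_len, 0, HB_PADDING);    /* real code uses random padding */
    return (int)resp_len;
}

/* Vulnerable handler (pre-1.0.1g behaviour): trusts the peer's length field. */
static int hb_process_vulnerable(const hb_record *rec, unsigned char *out, size_t out_cap) {
    unsigned char type; unsigned int payload_len;
    if (hb_parse_header(rec, &type, &payload_len) != 0 || type != TLS1_HB_REQUEST) return -1;
    return hb_build_response(rec->data + 3, payload_len, out, out_cap);
}

/* Fixed handler: discard the record unless the claimed payload actually fits inside it. */
static int hb_process_fixed(const hb_record *rec, unsigned char *out, size_t out_cap) {
    unsigned char type; unsigned int payload_len;
    if (hb_parse_header(rec, &type, &payload_len) != 0 || type != TLS1_HB_REQUEST) return -1;
    if (1 + 2 + (size_t)payload_len + HB_PADDING > rec->length) return -1;  /* the 1.0.1g check */
    return hb_build_response(rec->data + 3, payload_len, out, out_cap);
}

/* Lay out a constructed record in the arena: a request claiming `claimed_len`
 * payload bytes but carrying only `actual_len`, followed by a secret string. */
static hb_record make_record(unsigned int claimed_len, size_t actual_len, const char *secret) {
    memset(arena, 0, sizeof arena);
    arena[0] = TLS1_HB_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memset(arena + 3, 'A', actual_len);
    memcpy(arena + 3 + actual_len + HB_PADDING, secret, strlen(secret)); /* "adjacent" memory */
    hb_record rec = { arena, 3 + actual_len + HB_PADDING };
    return rec;
}

/* Returns 1 if the response bytes contain the secret string, 0 otherwise. */
static int response_leaks(const unsigned char *resp, int resp_len, const char *secret) {
    if (resp_len < 0) return 0;
    size_t n = strlen(secret);
    for (size_t i = 3; i + n <= (size_t)resp_len; i++)
        if (memcmp(resp + i, secret, n) == 0) return 1;
    return 0;
}

int main(void) {
    unsigned char resp[ARENA_SIZE + 32];
    /* Constructed request: claims 100 payload bytes, sends only 4. */
    hb_record rec = make_record(100, 4, "SESSION=deadbeef");
    int n = hb_process_vulnerable(&rec, resp, sizeof resp);
    printf("vulnerable: %d bytes returned, secret leaked: %d\n",
           n, response_leaks(resp, n, "SESSION=deadbeef"));
    n = hb_process_fixed(&rec, resp, sizeof resp);
    printf("fixed: %d (record discarded)\n", n);
    return 0;
}
```

The fixed handler returns -1 for the malformed record and responds normally to a well-formed one (claimed length equal to the bytes actually present), which is the whole of the upstream fix: one comparison between the length the peer claims and the length the record really has.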

Heartbleed Attack Demonstration

This video shows how easy it is to obtain login information from an e-commerce site hosted on a vulnerable server using one of the common Heartbleed tools. This method works against any connected device that has a vulnerable OpenSSL library.

Am I affected?
You are likely to be affected either directly or indirectly. OpenSSL is the most popular open source cryptographic library and TLS (Transport Layer Security) implementation used to encrypt traffic on the internet. Your favourite social site, your company's site, commerce sites, hobby sites, the sites you install software from, or even sites run by your government might be using a vulnerable OpenSSL. Many online services use TLS both to identify themselves to you and to protect your privacy and transactions. You might have networked appliances whose logins are secured by this buggy TLS implementation. Furthermore, you might have client-side software on your computer that could expose data from your computer if you connect to compromised services.

Can an attacker access only 64KB of the memory?
The 64 kilobyte limit applies to a single heartbeat, not to the attack as a whole. An attacker can keep reconnecting, or, during an active TLS connection, keep requesting an arbitrary number of 64 kilobyte chunks of memory until enough secrets are revealed.

Can the heartbeat extension be disabled during the TLS handshake?
No. The vulnerable heartbeat extension code is activated regardless of the results of the handshake negotiations. The only way to protect yourself is to upgrade to a fixed version of OpenSSL or to recompile OpenSSL with the heartbeat extension removed from the code.

Can IDS/IPS detect or block this attack?
No. The vast majority of commercially available intrusion detection and prevention systems (IDS/IPS) cannot differentiate legitimate SSL-encrypted traffic from malicious traffic.

Can I detect if someone has exploited this against me?
Exploitation of this bug leaves no abnormal trace in the logs. Furthermore, the bug has existed in the wild for over two years, so the scope of potential security exposure may never be known.

How can I check if I’m vulnerable?
There are currently a number of online and other tools available to check for this particular vulnerability. The one we recommend is https://filippo.io/Heartbleed/
