Background
On April 7, 2014, OpenSSL released a security advisory describing a vulnerability known as The Heartbleed Bug (CVE-2014-0160).
Impact
An attacker could leverage a missing bounds check in the handling of the TLS heartbeat extension on systems with vulnerable versions of OpenSSL to reveal up to 64 KB of the affected process's memory per heartbeat request; repeated requests can leak far more, without authentication and without leaving a trace in ordinary service logs. The revealed memory could contain anything, including usernames, passphrases, private keys and the content of encrypted data. http://heartbleed.com/ has been set up with extensive technical information on the vulnerability.
Platforms Affected
Only the 1.0.1 and 1.0.2-beta releases of OpenSSL are affected: 1.0.1 through 1.0.1f and 1.0.2-beta1. OpenSSL 1.0.1g and 1.0.2-beta2 are fixed, and the 1.0.0 and 0.9.8 branches never contained the heartbeat bug.
Red Hat has released an advisory. Affected versions are:
- Red Hat Enterprise Linux Desktop (v. 6)
- Red Hat Enterprise Linux HPC Node (v. 6)
- Red Hat Enterprise Linux Server (v. 6)
- Red Hat Enterprise Linux Server AUS (v. 6.5)
- Red Hat Enterprise Linux Server EUS (v. 6.5.z)
- Red Hat Enterprise Linux Workstation (v. 6)
- Red Hat Storage Server 2.1
- Red Hat Enterprise Virtualization 3
This issue DID NOT AFFECT Red Hat Enterprise Linux 5 and Red Hat Enterprise Linux 6.4 and earlier.
Ubuntu Linux has released an advisory. Affected versions are:
- Ubuntu 13.10
- Ubuntu 12.10
- Ubuntu 12.04 LTS
NOTE: Other operating systems and embedded devices may be affected. Please refer to your vendor's website for security advisories and updated packages.
Local Observations
The UISO has observed the Heartbleed bug being actively exploited against hosts on the University network, and is working with the system owners to address the issue. We expect scanning and exploitation attempts to increase, so all system owners should update affected systems ASAP.
UISO Recommendations
Affected users should immediately upgrade to OpenSSL 1.0.1g via source, or install the latest updated OpenSSL packages from their vendors (please see their security advisories above).
Please note that even though the updated Red Hat packages show a version number that is vulnerable (openssl-1.0.1e), they contain a backported patch to correct this issue. On Red Hat systems, "openssl version" therefore cannot tell you whether the fix is installed; check the package changelog or the package release number instead.
For the update to take effect, all services linked to the OpenSSL library (such as httpd and other SSL-enabled services) must be restarted, or the system rebooted. A running process keeps the old, deleted copy of the library mapped until it restarts, so updating the package alone does not close the hole.
The following command may help identify services and programs that still have the old library mapped and need restarting: "sudo lsof -n | grep -E 'libssl|libcrypto' | grep DEL" (lsof reports a replaced-but-still-mapped file with DEL in its FD column).
Owners of affected systems should create new private keys and SSL certificates after updating OpenSSL and restarting services, since the old private keys may already have been read out of memory. The old certificates from affected systems should be revoked after being replaced. System owners with InCommon SSL Certificates can request revocation of certificates themselves, or email ca-admin@uiso.iu.edu for assistance.
To be as safe as possible, all users that have logged in to affected systems should change the passphrases that they used on those systems. Systems administrators with affected systems should notify their users to change their passphrases.
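The three checks an administrator runs while working through the steps above (classify the installed OpenSSL version, confirm the Red Hat backport despite the unchanged version string, and find processes that still map the old library) as an added shell example. This is not UISO's, OpenSSL's or Red Hat's code. It assumes that "openssl version" prints "OpenSSL <version> <date>", that lsof marks a replaced-but-still-mapped library with DEL in its FD column, and that the Red Hat changelog names CVE-2014-0160; the changelog and lsof text it parses are constructed samples, not captured from a real host.

```shell
#!/bin/sh
# Added example (not UISO's, OpenSSL's or Red Hat's code): helpers for the
# post-update checks described in the recommendations above.
#
# Assumptions: "openssl version" prints "OpenSSL <version> <date>"; lsof
# reports replaced-but-still-mapped libraries with "DEL" in the FD column;
# the Red Hat backport's package changelog mentions CVE-2014-0160 by name.

# 1. Classify an OpenSSL version string against the affected range:
#    1.0.1 through 1.0.1f and 1.0.2-beta1 are vulnerable; 1.0.1g and
#    1.0.2-beta2 onward are fixed; 0.9.8 and 1.0.0 never had the bug.
#    Accepts "1.0.1e-fips" or the full "OpenSSL 1.0.1e-fips 11 Feb 2013".
heartbleed_version_status() {
    set -- $1                        # split on whitespace
    [ "$1" = OpenSSL ] && shift      # drop the leading program name
    case "$1" in
        1.0.1|1.0.1[a-f]*)  echo vulnerable ;;
        1.0.1[g-z]*)        echo fixed ;;
        1.0.2-beta1*)       echo vulnerable ;;
        1.0.2*)             echo fixed ;;
        0.9.8*|1.0.0*)      echo unaffected ;;
        *)                  echo unknown ;;
    esac
}

# 2. On Red Hat the version string stays 1.0.1e after the fix, so read the
#    package changelog instead:   rpm -q --changelog openssl | changelog_has_fix
#    Reads changelog text on stdin, prints "patched" or "not-patched".
changelog_has_fix() {
    if grep -q 'CVE-2014-0160'; then echo patched; else echo not-patched; fi
}

# 3. Find processes still running the old library. Feed it the output of
#    "sudo lsof -n"; prints "PID COMMAND" once per process that maps a
#    deleted libssl or libcrypto. Matching on $4 (FD) and $NF (NAME) keeps
#    it independent of the empty SIZE/OFF column lsof leaves on DEL lines.
services_needing_restart() {
    awk '$4 == "DEL" && $NF ~ /lib(ssl|crypto)\.so/ {
             key = $2 " " $1
             if (!(key in seen)) { seen[key] = 1; print key }
         }'
}

# Constructed sample inputs (not captured from a real system; the lsof
# listing deliberately mixes Red Hat and Ubuntu library paths).
SAMPLE_CHANGELOG='* Tue Apr 08 2014 packager@example.com 1.0.1e-16.el6_5.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension'

SAMPLE_LSOF='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
httpd 1234 apache DEL REG 253,0 131461 /usr/lib64/libssl.so.1.0.1e
httpd 1234 apache DEL REG 253,0 131460 /usr/lib64/libcrypto.so.1.0.1e
httpd 1235 apache DEL REG 253,0 131461 /usr/lib64/libssl.so.1.0.1e
nginx 2001 www-data DEL REG 8,1 9922 /lib/x86_64-linux-gnu/libssl.so.1.0.0
bash 2222 alice DEL REG 253,0 393000 /usr/lib64/libncurses.so.5
postfix 777 root mem REG 253,0 131461 /usr/lib64/libssl.so.1.0.1e'

# Demonstration on the constructed samples.
heartbleed_version_status "OpenSSL 1.0.1e-fips 11 Feb 2013"   # vulnerable
printf '%s\n' "$SAMPLE_CHANGELOG" | changelog_has_fix           # patched
printf '%s\n' "$SAMPLE_LSOF" | services_needing_restart         # 1234 httpd, 1235 httpd, 2001 nginx
```

Note that the version check alone reports "vulnerable" for the patched Red Hat build; only the changelog check resolves that case, which is why both are kept separate. The postfix line in the sample is mapped live ("mem", not "DEL") and so is correctly left out of the restart list, while the bash process with a deleted ncurses mapping is ignored because it does not involve OpenSSL.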
Workarounds
System owners unable to immediately upgrade can alternatively recompile OpenSSL from source with -DOPENSSL_NO_HEARTBEATS, which removes the heartbeat extension entirely. Services linked against the rebuilt library still need to be restarted for the change to take effect, and the workaround does not undo any disclosure that may already have happened, so keys, certificates and passphrases should still be replaced as described above.