Heartbleed OpenSSL Vulnerability Information for System Administrators
On April 7, 2014, a serious vulnerability in the OpenSSL cryptographic software library was exposed. This weakness, dubbed The Heartbleed Bug, allows a remote attacker to access system memory which may contain encryption keys, user credentials or other sensitive information.
OpenSSL provides communication security and privacy over the Internet for many applications, including web, email, instant messaging (IM) and some virtual private networks (VPNs).
What is the risk?
This bug has left large amounts of sensitive data exposed to attackers. Exploitation of the Heartbleed bug leaves no trace, and thus requires everyone to take this exposure seriously.
In a worst-case scenario, leaked encryption keys allow an attacker to decrypt traffic, both current and past, to the protected services. An attacker may also impersonate the service at will.
Read the full story online: http://heartbleed.com/
If you have servers that are vulnerable to this attack, please remediate as quickly as possible following these steps:
- Update the OpenSSL code as required
- Replace the public/private keys and associated SSL/TLS certificate associated with that server/those servers, revoking the earlier (now potentially compromised) SSL/TLS certificate(s).
- Review the configuration of each SSL/TLS server using: https://www.ssllabs.com/ssltest/ evaluation page (note that you can check the box "Do not show the results on the boards" should you desire to do so).
- As part of reviewing those results, you may want to consider enabling ciphers that support Forward Secrecy (see http://en.wikipedia.org/wiki/Forward_secrecy for basic background). Please note that enabling this feature may have unintended consequences (such breaking your application).
- If the server was used to login to access secure services and passwords may have been exposed, you may need to notify your users to change their passwords.
If you cannot remediate your server and it is being used to access sensitive information, ITS may block access to the server until it can be remediated.