Heartbleed is a vulnerability in some, but not all implementations of OpenSSL, a general cryptography library providing open source implementation of Secure Sockets Layer (SSL) and Transport Layer Security (TSL) protocols. Heartbleed allows attackers to read up to 64KB of memory per attack on a connected client or server.
An attacker could, for example, exploit Heartbleed to expose encrypted content, which might include usernames, passwords, or private keys for security certificates.
Heartbleed is considered one of the worst security vulnerabilities in the history of the internet, because around two-thirds of websites use OpenSSL.
Affected versions of OpenSSL were released between March 2012 and April 2014, and include versions 1.0.1 through 1.0.1f. OpenSSL version 1.0.1g was released after the vulnerability had been found and corrected.
The Three Steps Required to Patch Heartbleed
Upgrading to 1.0.1g, however, isn’t enough to protect against the Heartbleed vulnerability. Organizations that used the vulnerable versions also need to issue new security certificates, revoke old security certificates, and generate new encryption keys. As of the end of July, however, a Heartbleed scan by Venafi, a key management technology vendor, found that of servers that had been only partially remediated, 51% had new certificates but had not generated new encryption keys, while 49% had new certificates and new encryption keys but had not revoked the old security certificates.
Unless all three steps are completed, attackers could still use old SSL keys to decrypt communications, or launch man-in-the-middle attacks in cases where the old security certificate had not been revoked.
Was Open Source the Problem?
The fact that OpenSSL is open source wasn’t the problem with Heartbleed. In fact, many argue that open source software is more secure because enough people are looking at it that bugs are more likely to be noticed. Indeed, the Heartbleed vulnerability was found and fixed, and there’s no guarantee that closed source code will always receive the level of review necessary to expose vulnerabilities.
Heartbleed went undetected for such a long time because the OpenSSL Software Foundation was not given the level of support such a widely-used software base should have. OpenSSL only has one full time employee, and only receives about $2,000 per year in donations. Industry heavyweights like Google, Facebook, and Microsoft have recently gotten together and formed the Core Infrastructure Initiative, with the goal of improving funding and development of core open source technologies including OpenSSL, however.
Millions of dollars have been pledged toward support of OpenSSL after the Heartbleed vulnerability.
Best Practices with Open Source Software
With open source software, organizations should conduct their own risk assessments against the most common and pertinent threats to their particular infrastructure. Organizations should also study how quickly patches are issued after vulnerabilities are discovered and how patches are provided. Communication with other organizations about the safety of their real-world deployments are valuable too. An organization shouldn’t think that just because a piece of open source software has been downloaded millions of times that it’s secure.
Finally, organizations should understand that at any time a component of their IT infrastructure could fail or have a vulnerability. They must fully understand dependencies between components, should a piece of infrastructure need to be swapped out after a vulnerability is discovered. This is true whether open source or closed source software is used.
Preventing a Future Problem on the Scale of Heartbleed
Computer scientist David A. Wheeler has written an extensive postmortem on Heartbleed that goes into great detail about types of testing that could have found it sooner, which could be valuable for organizations that want ideas on how to test software for vulnerabilities. Meanwhile, the Core Infrastructure Initiative has pledged millions of dollars toward support of critical open source projects, and OpenSSL is the first project targeted for that support. The OpenSSL Project has recently established a new roadmap to address longstanding problems like lack of consistent project documentation (such as bugs being fixed without being recorded in the bug tracking system), as well as lack of regular reviews of the code.
Meanwhile, any organization that used Heartbleed-affected versions of OpenSSL should proceed as if their security was compromised and take the three steps listed above to ensure they’re not still vulnerable after upgrading to version 1.0.1g.
Comprehensive IT asset management is critical to maintaining your IT infrastructure security, whether you use open source software or not. Samanage offers powerful IT asset management software in a true cloud solution that allows you to run your IT asset management and IT service desk with a unified interface, so you can always stay on top of the status of every piece of hardware and software your organization uses.
About Matt Shanklin
Read more articles by Matt