UVM School of Business
From: Computer Security at UVM [mailto:[log in to unmask]] On Behalf Of Sam Hooker
Sent: Wednesday, April 9, 2014 8:51 AM
To: [log in to unmask]
Subject: [SECURITY] serious flaw in OpenSSL 1.0.1 (CVE-2014-0160/"Heartbleed")
On Monday night, a serious problem with the software which underpins a large portion of SSL/TLS Internet connectivity (OpenSSL 1.0.1) was announced. Successful exploitation of the "Heartbleed bug" by way of the heartbeat extension to TLS can cause a party to a TLS connection to leak critically-sensitive data such as *private keys*.
Patches are available, and administrators/maintainers of vulnerable network-facing services should apply these immediately and take steps commensurate with the compromise of private keys to be maximally-thorough.
ETS has addressed critical central services and continues to monitor developments.
IS MY SERVICE VULNERABLE?
This vulnerability exists only in OpenSSL's 1.0.1 line. To oversimplify:
In terms of Red Hat Enterprise Linux (since UVM has a RHEL site license), this means RHEL6 running OpenSSL to 1.0.1e.
Comodo (the CA through which ETS procures nearly all of our SSL certificates) is a decent option:
Qualys' "SSLLabs" unit offers another possibility (be sure to check "Do not show the results on the boards"):
Additionally, there are other options you can run locally on your own equipment. Contact me off-list if you require such an alternative.
Don't forget to consider and test embedded systems/devices that expose TLS-secured services.
WHAT SHOULD I DO WITH MY VULNERABLE SERVICE?
+ Verify that your software provider/vendor/distribution has released an update that eliminates the vulnerability (and that you can access it).
+ Apply the update.
+ If there is no update available and you have access to source code, rebuild the software/library with TLS heartbeats disabled.
+ *Regenerate any key material used by this software to date.* It may be unlikely that your private keys have been compromised, but I recommend taking this conservative stance nonetheless.
+ If it's at all possible to do so without instigating a major problem for your users, take this opportunity to enable and prioritize ciphersuites which provide forward secrecy.
+ Restart the service to ensure it is now running with the updated software.
+ *Test again* to be sure the vulnerability has been eliminated (and your newly-enabled ciphersuites are available).
If you have questions or concerns, or need assistance addressing this vulnerability in your services, please contact the Information Security Operations Team at [log in to unmask]
Sam Hooker | [log in to unmask]
Information Security Engineer
Enterprise Technology Services
The University of Vermont
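
One way to check the "Restart the service" step on a Linux host, as an added example that is not part of the original message: a process started before the update keeps the replaced OpenSSL library mapped, and /proc/<pid>/maps lists that file with a "(deleted)" suffix. The function names, the `--scan` argument and the sample mappings are constructed for illustration.

```shell
#!/bin/sh
# Added example: find processes that still map a replaced OpenSSL library
# and therefore still need the restart called for in the checklist.

# Read /proc/<pid>/maps-format text on stdin and print each distinct
# libssl/libcrypto path that is marked "(deleted)".
stale_openssl_maps() {
    awk '$NF == "(deleted)" && $6 ~ "/lib(ssl|crypto)\\.so" { print $6 }' | sort -u
}

# Constructed sample input: two stale OpenSSL mappings, one live libc
# mapping, and one deleted NSS library (libssl3) that must not be reported.
sample_maps() {
    cat <<'EOF'
7f3a1c000000-7f3a1c05e000 r-xp 00000000 fd:00 1311 /usr/lib64/libssl.so.1.0.1e (deleted)
7f3a1c25e000-7f3a1c414000 r-xp 00000000 fd:00 1309 /usr/lib64/libcrypto.so.1.0.1e (deleted)
7f3a1c800000-7f3a1c98a000 r-xp 00000000 fd:00 1200 /lib64/libc-2.12.so
7f3a1cc00000-7f3a1cc3d000 r-xp 00000000 fd:00 1400 /usr/lib64/libssl3.so (deleted)
EOF
}

# Walk every process on this host. Prints "pid<TAB>command<TAB>stale paths"
# for each process that needs a restart. Returns 0 when none are found and
# 1 otherwise. Run as root, or other users' maps files cannot be read.
scan_processes() {
    status=0
    for maps in /proc/[0-9]*/maps; do
        # A process may exit mid-scan; a failed read yields no hits.
        hits=$(cat "$maps" 2>/dev/null | stale_openssl_maps)
        [ -n "$hits" ] || continue
        pid=${maps#/proc/}
        pid=${pid%/maps}
        printf '%s\t%s\t%s\n' "$pid" "$(ps -o comm= -p "$pid")" \
            "$(printf '%s' "$hits" | tr '\n' ' ')"
        status=1
    done
    return "$status"
}

# Scan only when asked, so sourcing this file has no side effects.
if [ "${1:-}" = "--scan" ]; then
    scan_processes
fi
```

A clean result only shows that no running process holds the old library file; it does not replace the external re-test in the final step.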