Posted April 28, 2014
Heartbleed: Raised Consciousness for Other Vulnerabilities
– by Eric Wolff
Beyond OpenSSL, consider attack vectors for DNS and IPv6
Heartbleed has been a hot topic for the past few weeks. Heartbleed refers to a bug in the widely-used OpenSSL wherein a hacker can acquire the encryption key used by a web server running OpenSSL, open-source software implementing SSL/TLS. Once the hacker has the encryption key, they have the power to do serious damage like stealing valuable information and credentials. This has gained attention from the cybersecurity community because the results can be terrible.
Within CloudShield we’ve had conversations about Heartbleed. It clearly has harmful effects and the responsibility for dealing with it falls on a wide range of players. They include people just like you and me, all the IT teams running websites that use OpenSSL, and plenty of unfortunate hardware vendors that have to patch their products against the bug.
More importantly, the way that Heartbleed seemingly came from nowhere to be so disruptive reminds me of risks to other network protocols upon which we similarly depend.
Avoiding personal ramifications from Heartbleed
I feel fortunate that I use lastpass as my personal password manager. It surfs the sites I use and advises which ones use OpenSSL and therefore are subject to Heartbleed, even those that have not yet been patched. It advises me to change passwords for all OpenSSL sites. For me, this is no easy task since the number of sites whose password change pages conflict with lastpass’ password generator is quite large. At least I feel a bit more protected from Heartbleed.
What’s in store for IT teams running OpenSSL?
A lot of patching. For IT teams running OpenSSL, Heartbleed will cause pain, take time, and cost money, but this is better than the alternative. It will be a tremendous amount of work, but hopefully the organizations with many servers have them set to auto-update, after which they can replace SSL keys. The cowboys without auto-update know what they have to do.
Will Heartbleed broadly affect appliances?
My personal opinion about various network infrastructure equipment and appliances delivering consumer and business services built with Linux versions that use OpenSSL, and therefore are affected by the bug, is that the security risk can’t be too big for most of them. Why? Because I think that the vulnerability is for their management interfaces, and I would expect and hope those would be available only from inside the organization using them.
It’s time to think about the vulnerabilities we’ve been ignoring
I like this quote from the Monday morning staff meeting: “The thing about open source, you know, is that it’s developed and tested for functionality but not for security.” This makes me think about what is perhaps the granddaddy of open-source software and the core of the Internet – Berkeley Internet Name Domain or BIND.
I have plenty of respect for the folks at Internet Systems Corporation (ISC) because I think they test for both functionality and security, but let’s face it…BIND is a big piece of software and vulnerabilities in it are still uncovered periodically. Do you know how important your DNS is to your organization? DNS is far more ubiquitous, and more important, than SSL. After all, if you can’t get to a site, you can’t start an SSL session.
Another common vulnerability that Heartbleed should make you think about
DNS aside, here’s another vulnerability that may be off your radar: IPv6. Perhaps you have IPv6 disabled at your border router or you think you’re not running IPv6. But since the birth of IPv6, there have been tunneling protocols that carry it over IPv4 and your firewall and IPSs are not examining those tunnels.
Now think about Heartbleed. Could you have imagined that any bug could have affected so many so quickly? The breadth and scale are enormous.
Heartbleed is an important bug in a specific implementation, OpenSSL, of a protocol, SSL/TLS, upon which many depend. The purpose of this article was to tie our new awareness of such bugs to some risks inherent in one protocol that’s even more common than SSL, DNS, and risks inherent in a long-term extant and rapidly emerging protocol, IPv6. I hope Heartbleed has raised your consciousness to these other vulnerabilities.