About the Bug
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This vulnerability allows stealing of protected information, under normal conditions, through the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
The Heartbleed bug allows anyone on the Internet to read the memory of systems protected by vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service provider and to encrypt the data that flows through the channel, including name and password of a user and the actual content. This allows attackers to eavesdrop(pry) on communications, steal data directly from the services and users and impersonate services and users (heartbleed, 2015).
Heartbleed is actually a programming fault in popular OpenSSL library that provides cryptographic services such as SSL/TLS to applications and services. It is not a design flaw in SSL/TLS protocol specification.
When Heartbleed was initially discovered by Google security team on April 1, 2014, about 615,268 servers were vulnerable of the bug. According to zmap.io, there are still more than 1000 popular servers that are infected by this bug after more than a year of being discovered.
Case in Nepal – Impact and Solutions
Last week I looked at the telnet daemon running on the Nepali cyberspace. I sat and started searching for the most dangerous bug and its impact in Nepal. On my search a week ago, I had found some 49 devices affected by the Heartbleed vulnerability. Today (December 28th 2015) when I searched again, only 46 domains were found to be affected by it. Which means 3 servers had been patched during the week. Though, the bugs should have been patched a year ago, it is a good sign that some people are fixing the vulnerability.
If the servers affected by the vulnerability are categorized by ISPs, it looks as follows:
- Subisu Cablenet – 10
- WorldLink Communications- 6
- Websurfer Nepal – 3
- Sing Net Pte Ltd – 3
- Nepal Telecom – 3
- Others – 21
Please Note that the list above does not indicate that the organizations themselves are infected, but their pool of IP addresses used by their clients are vulnerable.
Now, let’s look at it from another dimension. 12 FortiGate 50B devices are still affected by heartbleed which are widely used by the Banks in Nepal for VPN connections. Few days back the number was 15, but when I re-checked them again it looked like 3 devices were patched within the short interval of my first test and second test, which again is a good sign. We cannot stay assured by the small number of fixes, there are many devices that still need to be fixed.
Most of these affected servers are mail servers, which means those mail servers are not secure, and anyone with some knowledge on exploiting Heartbleed can read the passwords and other several confidential data in plain text which may lead to the whole mail server being compromised. The exploits to exploit heartbleed are publicly available. Anyone with the payload can grab the necessary information from the server with very little effort.
Further, 21 web servers are affected by the bug are running Apache http, which means whatever data they are transferring via SSL tunnel can be easily read by attackers.
Wrapping it up
12 UTM firewall devices and 21 email servers are affected, which means more than 1,000 end users are affected indirectly through those servers who use any service from those servers. For instance “Fortigate 50B” is the UTM device widely used by banks. The banks are depending on their firewall, IDS/IPS, VPN and other security control devices to protect themselves from several attacks. But they are unaware about the fact that the device intended to protect their infrastructure itself are not secure. This means, those organizations are not paying enough attention to the security of their infrastructure and the local vendors are passive on fixing those bugs. There is a huge gap in managing the information security in those organizations. Information security is not an absolute process but rather a continuous process. So placing the Unified Threat Management ( UTM) devices in the perimeter does not make your network secure; and if you keep such vulnerable devices, it will add an additional attack vector for attackers to get additional door to break your security control and weaken your security instead of strengthening it.
On the other hand, our Information Security Governance is very weak or non existent, which has resulted in thousands of users being vulnerable to years old vulnerabilities. Simply patching the OpenSSL to the latest version could have solved the problem but as I said earlier weak or no information security management and poor IT governance is becoming a hindrance to solve the issues in time to protect the organization and its users. Organizations (and their top management) must act now to improve their Information Security Governance before it’s too late.