Over the last few days the press has been full of stories about the vulnerability in OpenSSL that allows unauthenticated retrieval of memory blocks up to 64kB in size – and that retrieved memory could contain encryption keys. This vulnerability has been officially recorded as TLS heartbeat read overrun (CVE-2014-0160) and is a serious vulnerability which has a CVVS2 Base Score rating of 9.4. There is an official fix for the vulnerability, which requires either installing OpenSSL 1.0.1g or recompiling OpenSSL with the DOPENSSL_NO_HEARTBEATS flag set.
The vulnerability does not affect all deployments of SSL, only those which use vulnerable installations of OpenSSL, so Microsoft base installations should not be affected. A key check for organisations will be to scan their servers to see if they are affected. Vulnerability scanner vendors such as Tenable have released plugins or modules that detect this vulnerability through their update services like the Nessus profession feed. Nessus released their plugin and announced it on their RSS feed on Wednesday. As the vulnerability has been announced and exploits are publicly available, it is now critical that organisations patch their servers before the attackers successfully use the exploit. – This exploit is suitable for the lesser skilled “script kiddies” to use, so it can be expected that attacks will be conducted out of curiosity by the vast army of script kiddies out there.
Organisations must determine if they are vulnerable, patch and then gain assurance the patch has been successfully deployed. The use of vulnerability scans and 3rd-party penetration testing can help with this activity. Once patched, an organisation can then advise its users on the best action to take, such as changing passwords.