Heartbleed Aftermath: What You Need to Know

Wed, 05/14/2014 - 09:05

By Steve deRosier, Systems Engineer III

By now, most people have heard about the Heartbleed Bug, a vulnerability in the OpenSSL encryption libraries. This particular security bug has had wide-ranging implications for nearly any device or computer connected to the internet, as well as for the internet's infrastructure itself. I've been asked many questions over the last month about this bug, so I thought I'd share a few things and try to help clarify the issue.

What is Heartbleed?

In short, Heartbleed is a vulnerability that allows anyone who can connect to a system running a vulnerable version of OpenSSL to read portions of that system's memory. An attacker uses a bug in OpenSSL's implementation of the TLS/DTLS heartbeat extension to ask for more data than the request actually carries, and OpenSSL, without checking the requested length against what it received, responds with the extra bytes from its own memory. Figure 1 explains it more clearly.
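To make the missing length check concrete, here is an added example in C; it is not OpenSSL's code and not part of the original post. It contrasts the pre-fix handling of a heartbeat request (trust the 16-bit length field) with the post-fix handling (the claimed payload plus header and minimum padding must fit inside the record actually received). The record layout follows RFC 6520; the function names and the two sample records are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 6520 heartbeat message as carried inside a TLS record:
 *   byte 0     : HeartbeatMessageType (1 = request, 2 = response)
 *   bytes 1..2 : payload_length, 16-bit big-endian
 *   bytes 3..  : payload_length bytes of payload
 *   then       : at least 16 bytes of random padding
 */
#define HB_REQUEST 1
#define HB_PADDING 16

/* Pre-fix behaviour (OpenSSL 1.0.1 through 1.0.1f): the length field is
 * trusted as-is.  Returns how many bytes the responder would echo back;
 * nothing compares that number with the record length, so a request
 * claiming 65535 bytes would be answered with 65535 bytes of memory. */
int heartbeat_echo_len_unchecked(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST)
        return -1;
    return (rec[1] << 8) | rec[2];
}

/* Fixed behaviour (OpenSSL 1.0.1g): the claimed payload, the 3-byte
 * header and the minimum padding must all fit inside the bytes received.
 * Returns the payload length to echo, or -1 to discard the record. */
int heartbeat_echo_len_checked(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < 1 + 2 + HB_PADDING)     /* too short to be a valid heartbeat */
        return -1;
    if (rec[0] != HB_REQUEST)
        return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + payload + HB_PADDING > rec_len)
        return -1;                        /* silently drop, as the fix does */
    return (int)payload;
}

/* Constructed sample records (hypothetical data, not captured traffic). */
static const uint8_t good_rec[] = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };   /* 4-byte payload + 16 padding */

static const uint8_t bad_rec[] = { HB_REQUEST, 0xFF, 0xFF, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };   /* claims 65535, carries 4 */

int main(void)
{
    printf("well-formed: unchecked=%d checked=%d\n",
           heartbeat_echo_len_unchecked(good_rec, sizeof good_rec),
           heartbeat_echo_len_checked(good_rec, sizeof good_rec));
    printf("malformed:   unchecked=%d checked=%d\n",
           heartbeat_echo_len_unchecked(bad_rec, sizeof bad_rec),
           heartbeat_echo_len_checked(bad_rec, sizeof bad_rec));
    return 0;
}
```

The well-formed record is accepted by both versions and echoes 4 bytes; the malformed one is accepted by the unchecked version (65535 bytes would be read past the request) and discarded by the checked version. The only difference between the two functions is the single comparison against the received length, which is exactly what the OpenSSL security advisory linked below describes as the fix.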

How does Heartbleed affect the general public?

OpenSSL is the encryption library utilized in many open-source software products. The most common encounter people have with OpenSSL is in the SSL encryption of a website. Countless secure sites, including those of banks, governments, etc., were vulnerable to this security hole. Wikipedia estimates approximately 17% of secure web servers have been affected and it is unknown how many remain vulnerable. Worse than that, many of our infrastructure devices also run OpenSSL internally. The common wireless routers that we use in our homes most likely have OpenSSL inside them.

Most secure sites and product manufacturers have applied fixes and notified their customers. Even after a fix is applied, all passwords need to be changed and security certificates need to be revoked and reissued. As you might imagine, this is a fairly large task!

It is useful to keep in mind that Heartbleed by itself can only expose information that is in the memory of the software running OpenSSL. For example, on a secure webserver this means recent logins and security credentials are the key items. Data sitting on the webserver's hard drive (like your credit card transactions) won't typically be in the server's memory unless you're actively accessing it. Of course, if an attacker gets the passwords or other credentials, they may be able to leverage that access to reach other data. Therefore, it is critical to change passwords after a site has notified you that this issue has been fixed.

How does Heartbleed affect Laird's products and customers?

Ah, the most important question. We do utilize OpenSSL in our Linux-based devices like the WB45NBT. Within two hours after being notified of the problem, we had the fix applied to the code and had initiated a release-candidate build. At this point, all new releases of our Linux-based code incorporate this fix and are not vulnerable.

Existing Laird customers running an older release may contact support at ews-support@lairdtech.com to find out if their product is vulnerable and what to do about it.


[Figure 1: Heartbleed explanation comic] Figure 1: Source: xkcd.com

Sources:

http://heartbleed.com/

https://www.openssl.org/news/secadv_20140407.txt

http://en.wikipedia.org/wiki/Heartbleed