Catalyst Security Advisory: Heartbleed OpenSSL Bug

What is Heartbleed?

The Heartbleed Bug is a serious vulnerability in the OpenSSL cryptographic software library. This vulnerability potentially allows unauthorised access to information protected, under normal conditions, by SSL/TLS encryption used to secure web-based communications.

SSL/TLS provides communication security and privacy over the Internet for applications such as web traffic, email, instant messaging and some virtual private networks (VPNs).

The nature of the vulnerability means that anyone who can open an unauthenticated network connection to an SSL/TLS-enabled service can read privileged information from that service's memory, which could include secure keys, user names, passwords, or any other data the service holds. Each request can return at most a 64K byte frame per connection attempt, but an attacker can make as many connections as they like.
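The leak works through the TLS Heartbeat extension (RFC 6520): a request declares a payload length larger than the payload it actually carries, and an unpatched peer echoes back that many bytes of its memory. The following Python is an added defender-side example, not part of the original advisory, showing how an IDS or log-replay tool can flag such malformed heartbeat records in captured traffic; the sample byte strings are constructed, not real captures.

```python
import struct

TLS_HEARTBEAT = 0x18   # TLS record content type for the Heartbeat extension
HB_REQUEST = 0x01      # heartbeat_request message type


def parse_tls_records(data: bytes):
    """Yield (content_type, version, body) for each complete TLS record."""
    off = 0
    while off + 5 <= len(data):
        ctype, ver, length = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) < length:
            break  # truncated record; wait for more data
        yield ctype, ver, body
        off += 5 + length


def check_heartbeat(body: bytes):
    """Return (is_suspicious, reason) for one heartbeat record body.

    Body layout: type (1 byte), payload_length (2 bytes), payload, padding.
    A Heartbleed probe declares a payload_length that exceeds the bytes
    actually present; a patched peer silently drops such a record.
    """
    if len(body) < 3:
        return True, "heartbeat record shorter than its 3-byte header"
    payload_len = struct.unpack("!H", body[1:3])[0]
    present = len(body) - 3  # payload plus padding actually carried
    if payload_len > present:
        return True, f"declared payload {payload_len} > {present} bytes present"
    return False, "ok"


def scan(data: bytes):
    """Return the list of reasons for every suspicious heartbeat record in data."""
    findings = []
    for ctype, _ver, body in parse_tls_records(data):
        if ctype != TLS_HEARTBEAT:
            continue
        suspicious, why = check_heartbeat(body)
        if suspicious:
            findings.append(why)
    return findings


# Constructed samples. BENIGN: empty payload plus the 16 bytes of padding the
# RFC requires. MALICIOUS: claims 0xFFFF (the "64K") bytes but carries none.
BENIGN = b"\x18\x03\x02" + struct.pack("!H", 19) + bytes([HB_REQUEST]) + struct.pack("!H", 0) + b"\x00" * 16
MALICIOUS = b"\x18\x03\x02" + struct.pack("!H", 3) + bytes([HB_REQUEST]) + struct.pack("!H", 0xFFFF)
```

Running `scan()` over a stream containing both samples returns one finding, for the record whose declared payload exceeds what it carries.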

What has Catalyst been doing about it?

As soon as we became aware of the exploit, we began closely monitoring our servers; once the patches were released we immediately began applying them. Catalyst has patched all client external-facing systems, beginning on the morning of the 8th of April, and completed early on the 9th of April.

This will protect systems from future exploitation of the vulnerability, but you may want to take further action on a service-by-service basis to assess the risk that any of your data has already been extracted. See below for more information.

As a further measure, Catalyst will also be contacting all its clients to revoke their website certificates and reissue new keys.

What is my risk profile?

The risk and exposure are very much in proportion to the kinds of services you are running, whether they are publicly accessible or not, and the sensitivity of the application involved. This further extends to whether your applications contain security information that may enable access to other applications/services deeper within the organisation. For example, if a web service uses database access credentials that are shared with other applications, then these may also need changing in services that are not public-facing.

The nature of the vulnerability means that any form of data resident in the application service may have been leaked. This includes:

  • secure keys
  • user names and passwords
  • application tokens, e.g. for mobile apps
  • service credentials, e.g. database access, third-party login information such as Salesforce, or credit card authorisation
  • commercially sensitive data

What should I do?

In assessing the actual risk that your organisation faces from the bug, consider the impact of having any of your systems compromised and the data having been extracted.

The New Zealand Internet Task Force's recommendation is that "if you have had a vulnerable server for any length of time at all, it is imperative that you revoke your website certificate and have it reissued using new crypto keys."

Additionally, if your potentially affected systems and services contain data that is sensitive to you and your customers, then you need to establish whether it is necessary to revoke secure keys, passwords and related application tokens.

If in any doubt, talk to Catalyst or other IT security professionals.

Contact Catalyst

Catalyst can assist you with any technical issues, and also with advice regarding risk and mitigation strategies.

If you require more detail, or would like help assessing your risk around the Heartbleed vulnerability and planning your response, please get in touch with your account manager.

More details

http://heartbleed.com/

http://www.nzitf.org.nz/news.html

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160