
Heartbleed in OpenSSL: Take Action Now!

Created: 09 Apr 2014 • Updated: 11 Apr 2014 • 11 comments • Translations available: Français, Deutsch, Italiano, 日本語, Português, Español
By Tom Powledge


This week a vulnerability dubbed “Heartbleed” (CVE-2014-0160) was found in the popular OpenSSL cryptographic software library (http://heartbleed.com). OpenSSL is widely used by applications and web servers such as Apache and Nginx. OpenSSL versions 1.0.1 through 1.0.1f contain this vulnerability, which an unauthenticated attacker can exploit to read the memory of the systems running the affected software. Access to that memory can expose the server's private keys, allowing attackers to decrypt and eavesdrop on SSL-encrypted communications and to impersonate the service. Memory may also contain other sensitive information, including usernames and passwords.

Heartbleed is not a flaw in the SSL/TLS protocol, but a bounds-checking bug in OpenSSL's implementation of the TLS heartbeat extension (RFC 6520). A heartbeat request carries a length field that the vulnerable code trusted: the server copied that many bytes into its reply, up to 64 KB per request, even when the request actually carried far fewer, so the reply contained whatever else happened to sit in memory next to the record. SSL/TLS itself is not broken; it remains the standard for encrypting data in transit on the Internet. However, because of OpenSSL's popularity (Netcraft's Web Server Survey puts Apache and nginx at roughly two-thirds of web servers), a very large share of sites could be running this software. Companies using OpenSSL should update to the fixed release (1.0.1g) or, if they cannot upgrade immediately, recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS to disable the heartbeat extension, and in either case restart every service that has the library loaded, since a running process keeps the old code in memory until it is restarted.
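The bug itself, as an added and deliberately simplified model written for this page (it is not OpenSSL's code): a heartbeat record is a one-byte type, a two-byte payload length, the payload, and at least 16 bytes of padding (RFC 6520). The vulnerable handler trusts the length field and copies that many bytes into the reply; the fixed handler compares the claimed length against the length of the record actually received and silently discards mismatches, which is the shape of the 1.0.1g patch. The memory buffer and the "secret" placed after the record are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST   1
#define TLS1_HB_RESPONSE  2
#define HB_PADDING        16   /* RFC 6520 requires at least 16 bytes of padding */
#define HB_HEADER         3    /* 1-byte type + 2-byte payload_length */

/* Lay out a heartbeat request in `mem` whose length field claims
 * `claimed` payload bytes but which really carries only `actual`.
 * Whatever follows the record in `mem` stands in for neighbouring heap
 * memory; here that is a constructed secret. Returns the true record
 * length, i.e. what the TLS record layer would report. */
size_t build_heartbeat(unsigned char *mem, size_t memsz,
                       uint16_t claimed, size_t actual, const char *neighbour)
{
    size_t rec_len = HB_HEADER + actual + HB_PADDING;
    memset(mem, 0, memsz);
    mem[0] = TLS1_HB_REQUEST;
    mem[1] = (unsigned char)(claimed >> 8);
    mem[2] = (unsigned char)(claimed & 0xff);
    memset(mem + HB_HEADER, 'A', actual);              /* real payload */
    /* padding stays zero; then the "adjacent" memory */
    strncpy((char *)mem + rec_len, neighbour, memsz - rec_len - 1);
    return rec_len;
}

/* Vulnerable handler (shape of tls1_process_heartbeat before the fix):
 * the attacker-supplied payload_length drives the memcpy and rec_len is
 * never consulted. Returns payload bytes echoed, or -1. */
int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                         unsigned char *out, size_t outsz)
{
    (void)rec_len;                                     /* the bug: ignored */
    if (rec[0] != TLS1_HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    /* OpenSSL allocated the reply to fit; we bound it so the model stays memory-safe */
    if ((size_t)HB_HEADER + payload + HB_PADDING > outsz) return -1;
    out[0] = TLS1_HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload); /* over-read past the record */
    return payload;
}

/* Fixed handler: the two checks added in 1.0.1g. A request whose claimed
 * length does not fit in the received record is silently discarded
 * (RFC 6520 section 4). */
int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                    unsigned char *out, size_t outsz)
{
    if (rec_len < (size_t)HB_HEADER + HB_PADDING) return -1;
    if (rec[0] != TLS1_HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HEADER + payload + HB_PADDING > rec_len) return -1;  /* the missing check */
    if ((size_t)HB_HEADER + payload + HB_PADDING > outsz) return -1;
    out[0] = TLS1_HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload);
    return payload;
}

/* Does the echoed payload contain the neighbouring secret? */
int reply_contains(const unsigned char *reply, int n, const char *needle)
{
    size_t m = strlen(needle);
    if (n < 0) return 0;
    for (size_t i = 0; i + m <= (size_t)n; i++)
        if (memcmp(reply + i, needle, m) == 0) return 1;
    return 0;
}

int main(void)
{
    unsigned char mem[128], reply[256];
    /* claims 64 bytes of payload, sends 4: the classic malformed heartbeat */
    size_t n = build_heartbeat(mem, sizeof mem, 64, 4, "PRIVATE-KEY-BYTES");
    int v = heartbeat_vulnerable(mem, n, reply, sizeof reply);
    int f = heartbeat_fixed(mem, n, reply, sizeof reply);
    printf("record length %zu, vulnerable handler echoed %d bytes, secret leaked: %s\n",
           n, v, reply_contains(reply + HB_HEADER, v, "PRIVATE-KEY-BYTES") ? "yes" : "no");
    printf("fixed handler result: %d (-1 = request discarded)\n", f);
    return 0;
}
```

The real record layer hands the handler a 64 KB maximum per request, which is why a single malformed heartbeat could return up to 64 KB of whatever sat next to the record; repeating the request walks different regions of the heap.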

As the world’s leading Certification Authority, Symantec has already taken steps to strengthen our systems. Our roots are not at risk; however, we are following best practices and have re-keyed all certificates on web servers that have the affected versions of OpenSSL.

After updating or recompiling their systems, Symantec recommends that customers replace all certificates on their web servers, regardless of issuer, to mitigate the risk of a breach. Replacement means generating a new private key, obtaining a new certificate for that key, and revoking the old certificate; reissuing a certificate for the same key gives no protection if that key was already read from memory. Symantec will be offering free replacement certificates to all of our customers.

Finally, Symantec is asking customers to reset passwords to their SSL and code-signing management consoles.  Again, this is a best practice and we encourage companies to ask their end customers to do the same after their systems have applied the fix.  We will continue to work with our customers to minimize the impact of security risks from this vulnerability.

For your convenience, here is a summary of steps to take:

For businesses:

  • Anyone running OpenSSL 1.0.1 through 1.0.1f should update to the fixed version (1.0.1g), or recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS to disable the heartbeat extension, and then restart every service that links against the library.
  • Only after moving to a fixed version, businesses should generate a new private key, install a new certificate for it and revoke the old one; a new certificate on the old key provides no protection, and a new key issued before patching can leak the same way.
  • Finally, and as a best practice, businesses should also consider resetting end-user passwords that may have been exposed in the affected server's memory.

For consumers:

  • Consumers should be aware that their data could have been seen by a third party if they used a vulnerable service provider.
  • Monitor notices from the vendors you use. Once a vendor has patched and communicated that customers should change their passwords, do so; changing a password before the service is fixed offers no protection, because the new password can leak the same way.
  • Avoid potential phishing emails from attackers asking you to update your password. To avoid landing on an impersonated website, type the official site address yourself rather than following links in email.

See http://symantec.com/heartbleed for more information, including how to test whether a server is vulnerable to Heartbleed attacks.
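A first-pass check for the first step above, written as an added example for this page (it is not Symantec's checker or OpenSSL code): classify the first line of `openssl version` output against the affected range. The sample strings are constructed. The caveat in the comment matters in practice: Debian, Ubuntu and Red Hat shipped the fix as a backport that keeps the old version string (a patched build can still say 1.0.1e), so a hit here means "check the package changelog and `openssl version -b` build date", not "confirmed vulnerable", and a version check says nothing about whether the running processes have been restarted.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Classify the first line of `openssl version` output against the range
 * named in the advisory: 1.0.1 through 1.0.1f (1.0.1g is fixed). 1.0.0
 * and 0.9.8 never contained the heartbeat code. 1.0.2-beta1 was also
 * affected and fixed in beta2.
 * Returns 1 = in the affected range, 0 = not in range, -1 = unparseable.
 * Caveat: distribution packages backport the fix without changing this
 * string (a patched Debian or Red Hat build still reports 1.0.1e), so 1
 * means "check the package changelog", not "vulnerable". */
int heartbleed_version_affected(const char *version_line)
{
    const char *p = version_line;
    int major, minor, patch, n = 0;

    if (strncmp(p, "OpenSSL ", 8) == 0) p += 8;
    if (sscanf(p, "%d.%d.%d%n", &major, &minor, &patch, &n) != 3) return -1;
    p += n;                                    /* now at the suffix, if any */

    if (major == 1 && minor == 0 && patch == 2)
        return strncmp(p, "-beta1", 6) == 0 ? 1 : 0;
    if (major != 1 || minor != 0 || patch != 1) return 0;

    /* 1.0.1 branch: a lowercase letter suffix is the patch level */
    if (*p == '\0' || *p == '-' || isspace((unsigned char)*p)) return 1;  /* plain 1.0.1 */
    if (!islower((unsigned char)*p)) return -1;
    return *p <= 'f' ? 1 : 0;
}

int main(void)
{
    /* constructed sample outputs, not taken from any real host */
    const char *samples[] = {
        "OpenSSL 1.0.1e 11 Feb 2013",
        "OpenSSL 1.0.1e-fips 11 Feb 2013",
        "OpenSSL 1.0.1g 7 Apr 2014",
        "OpenSSL 1.0.1 14 Mar 2012",
        "OpenSSL 0.9.8y 5 Feb 2013",
        "OpenSSL 1.0.2-beta1",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-34s -> %d\n", samples[i], heartbleed_version_affected(samples[i]));
    return 0;
}
```

Pipe `openssl version` into this on each host as a triage step; follow up with the package manager's changelog, and remember that the fix was published on 7 April 2014, so any build dated earlier cannot contain it.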

Comments

Comment from JUSTICE:

@ Tom, thank you for this article sir.

Marcus Sebastian Payne
"So cyberspace is real. And so are the risks that come with it."
- President Barack Obama

Comment from Mick2009:

Many thanks, Tom!  Readers may also be interested in this post from Symantec Security Response:

Heartbleed Bug Poses Serious Threat to Unpatched Servers
https://www-secure.symantec.com/connect/blogs/heartbleed-bug-poses-serious-threat-unpatched-servers

With thanks and best regards,

Mick

Comment from Jeannie Warner:

Thanks to your team, Tom, for adding a Heartbleed checker to the SSL Tools page:

https://ssltools.websecurity.symantec.com/checker/

If people click on "Check your certificate installation" it will also check the URL for vulnerability to Heartbleed via the OpenSSL version. Kudos for the quick development response!

Comment from Aeschylus:

Hello,

How can we know or detect if we are already affected by Heartbleed?

Best Regards,
Comment from Chetan Savade:

Hi,

1. Symantec Endpoint Protection clients are not impacted.

2. No versions of Symantec Endpoint Protection 11 (SEP) are impacted. They use an earlier version of OpenSSL which is not vulnerable.

3. SEPM 12.1 RTM to SEPM 12.1 RU1 MP1 are not impacted. They use an earlier version of OpenSSL that is not vulnerable.

4. SEPM 12.1 RU2 to SEPM 12.1 RU4 MP1 (inclusive) are vulnerable. They utilize OpenSSL 1.0.1.

A Symantec public document is available on this issue.

KB Article: Is Symantec Endpoint Protection affected by the Heartbleed OpenSSL vulnerability (CVE-2014-0160)

http://www.symantec.com/docs/TECH216558

Chetan Savade
Sr Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

Comment from JUSTICE:

Thank you Symantec for the necessary Signature ID (27517) for IDS/IPS:

http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=sep&pvid=sep1213&year=2014&suid=SEP_Jaguar-SU772-20140410.012

http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=27517

Marcus Sebastian Payne
"So cyberspace is real. And so are the risks that come with it."
- President Barack Obama

Comment from Watchdog:

I would like to see Symantec implement a few good ideas from its competitors. LastPass will run a check on someone's stored logins to see if there is a possible vulnerability to this Heartbleed bug. They can also import the logins and passwords from their competitors.

Symantec needs to think longer term. After this bug, there are sure to be others which have similar effects and demand that users change most of their passwords. Symantec has to be able to help us deal with an emergency more quickly.

Comment from Nikhil_CV:

Good and informative. (Hope someone will rescue the OpenSSL!)

-cv
Comment from Nene:

Hi Tony,

Thank you for the article. It is really informative. Most manufacturers have listed which of their products are vulnerable and released patches for fixing the affected software and hardware versions.
Comment from wstom:

Today, 4-18-2014 at 1:33 PM I received a Security Alert from Norton stating "...  Some versions of Norton AntiVirus, Norton Internet Security and Norton 360 were impacted."  I was staggered to see that not only did Norton use open source software that they had not adequately tested, but once they realized their own sites were compromised, they waited 9 days to tell us customers about that problem. 9 LOST DAYS WHEN OUR DATA MAY HAVE BEEN OUT IN THE HACKER WORLD!

Tom ... did you share this wonderful article with anyone else from Norton?  When did Norton fix their software?  We need to trust our antivirus/internet protection vendor ... 9 lost days! You have lost my trust.

Which Norton Executive decided to sit on this info? When will they be fired? 

Comment from Nene:

Hi wstom,

That is not good enough. I believe the personnel that oversaw this untested software were dealt with.

I believe the damage has been handled appropriately.

Do not lose trust in Norton just yet. The others you may opt for may have worse situations. You may be surprised.

I'm not taking sides here. I use other products and I have come to know this.
