Heartbleed: Information from Symantec on OpenSSL Vulnerability

We will be updating this page with new information as it becomes available, so please check back regularly.

Latest Updates

June 5, 2014 (6:00 PDT):
On June 5th, the OpenSSL security team released a security advisory and fixes for seven newly discovered vulnerabilities, two of which are considered critical. One of the critical vulnerabilities (CVE-2014-0224) could let an attacker carry out a man-in-the-middle (MITM) attack, intercepting encrypted traffic between a vulnerable client and a vulnerable server. While CVE-2014-0224 may seem similar to Heartbleed, it is much harder to exploit, since it requires the attacker to be able to intercept the communication between the client and the server.

At this time, there are no reports of these vulnerabilities being exploited in the wild and no proof of concepts have been shared.

For more details on these vulnerabilities, please refer to Symantec’s Security Response blog post.
Currently, the impact on Symantec products is unknown and still being investigated.

April 25, 2014 (11:00 PDT):
Symantec previously released two IPS signatures. The first IPS signature, Symantec IPS 27517, Attack: OpenSSL Heartbleed CVE-2014-0160 3, detects and blocks attempts to exploit Heartbleed on vulnerable servers. The second IPS signature, Symantec IPS 27539, Attack: OpenSSL Reverse Heartbleed CVE-2014-0160, detects and blocks attempts to exploit Heartbleed through vulnerable client applications. While these signatures are meant to stop exploitation of the vulnerability, the only sure way to stop these attacks is by patching the vulnerability.
April 18, 2014 (16:27 PDT):
Symantec has posted a new blog written by our Security Response team titled, "Dr. Strangebug, or How I Learned to Stop Worrying and Accept Heartbleed", which offers a new perspective on the recent Heartbleed vulnerability and tips to minimize your risk. Additionally, we're continuing to update our product matrix daily with the latest Symantec product information. We encourage our customers to keep checking this page and specific product support pages for current information and updates.
April 13, 2014 (15:15 PDT):
Symantec has posted a matrix with the latest Symantec product information. We will continue to update this with new information. We encourage our customers to keep checking this page and specific product support pages for current information and updates.
April 11, 2014 (22:35 PDT):
Symantec has identified that some of its products may be impacted by the OpenSSL vulnerability, dubbed Heartbleed. We have begun issuing advisories to our customers to alert them and provide mitigation solutions while we work to deploy any necessary patches. To date, we have not seen any malicious exploitation of this vulnerability. We encourage our customers to check specific product support pages, and this page, for information and updates.
April 10, 2014 (15:15 PDT):
Our product teams are continuing their investigations of whether any products are impacted by this vulnerability. We recommend that you check your Symantec product support pages for the latest updates from these teams. You can subscribe to any Knowledge Base (KB) documents on the product support pages to ensure you automatically receive updates with any new information.
April 9, 2014 (21:00 PDT):
Symantec is aware of and currently investigating the OpenSSL vulnerability, dubbed “Heartbleed”, which allows attackers to read the memory of the systems using vulnerable versions of the OpenSSL open source library. We will provide updates as they become available.

Situation Overview

Symantec is aware of and currently investigating the OpenSSL vulnerability, dubbed “Heartbleed,” which allows attackers to read the memory of the systems using vulnerable versions of the OpenSSL open source library. This allows access to sensitive information such as private keys of certificates and login credentials, or other personal data.
“Heartbleed”, or the OpenSSL TLS 'heartbeat' Extension Information Disclosure Vulnerability (CVE-2014-0160), affects a component of the OpenSSL library that offers a heartbeat functionality. OpenSSL is one of the most widely used implementations of the SSL (Secure Sockets Layer) and TLS (Transport Layer Security) protocols.
More information is available on the Symantec Security Response blog.

Scope of Vulnerability

  • This is not a vulnerability in the SSL/TLS protocols themselves; it is an implementation bug in the OpenSSL library
  • SSL/TLS is not broken, nor are the SSL certificates issued by Symantec
  • Users of OpenSSL versions 1.0.1 through (and including) 1.0.1f are affected

Product Information

What Symantec products are affected by this vulnerability?

Symantec has posted a matrix with the latest Symantec product information. We will continue to update this with new information. We encourage our customers to keep checking this page and specific product support pages for current information and updates.

Has Symantec released any signatures to protect against the OpenSSL vulnerability?

Yes. Symantec has released two IPS signatures. The first IPS signature, Symantec IPS 27517, Attack: OpenSSL Heartbleed CVE-2014-0160 3, detects and blocks attempts to exploit HeartBleed on vulnerable servers.

The second IPS signature, Symantec IPS 27539, Attack: OpenSSL Reverse Heartbleed CVE-2014-0160, detects and blocks attempts to exploit Heartbleed through vulnerable client applications.

While these signatures are meant to stop exploitation of the vulnerability, the only sure way to stop these attacks is by patching the vulnerability.
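The condition both signatures above look for, and the condition the vulnerable heartbeat code failed to check (see the Situation Overview), is the same: a heartbeat message whose declared payload length is larger than the TLS record that carries it. The following is an added example written for this page, not Symantec's signature logic and not OpenSSL's code. It implements the validating parser a patched endpoint (or an inline inspection point) applies to RFC 6520 heartbeat records, in both directions so it covers the server-side and the client-side ("reverse") case, and discards records whose length fields do not agree. The record layout, the 16-byte minimum padding and the length check come from RFC 6520 and the OpenSSL 1.0.1g fix; the test vector and helper names are constructed for this example.

```python
import struct
from typing import Tuple

# TLS record content type for heartbeat messages (RFC 6520)
HEARTBEAT_CONTENT_TYPE = 24
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16          # RFC 6520 requires at least 16 bytes of padding
TLS_1_1 = 0x0302          # record-layer version used for the constructed records below


class MalformedHeartbeat(ValueError):
    """Raised when a heartbeat record must be discarded (RFC 6520 section 4)."""


def parse_heartbeat_record(record: bytes) -> Tuple[int, bytes]:
    """Parse one TLS record carrying a heartbeat message and return (type, payload).

    The length check mirrors the fix shipped in OpenSSL 1.0.1g: the payload
    length declared by the peer must fit inside the record that was actually
    received, otherwise the message is discarded instead of being trusted.
    """
    if len(record) < 5:
        raise MalformedHeartbeat("truncated TLS record header")
    content_type, _version, record_len = struct.unpack("!BHH", record[:5])
    if content_type != HEARTBEAT_CONTENT_TYPE:
        raise MalformedHeartbeat("not a heartbeat record (content type %d)" % content_type)
    body = record[5:]
    if len(body) != record_len:
        raise MalformedHeartbeat("record length %d does not match %d bytes received"
                                 % (record_len, len(body)))
    # A heartbeat message needs at least type (1) + payload_length (2) + padding (16).
    if record_len < 1 + 2 + MIN_PADDING:
        raise MalformedHeartbeat("record too short to hold a heartbeat message")
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        raise MalformedHeartbeat("unknown heartbeat message type %d" % hb_type)
    # The Heartbleed check: never trust payload_len beyond what the record holds.
    if 1 + 2 + payload_len + MIN_PADDING > record_len:
        raise MalformedHeartbeat("declared payload_length %d exceeds record length %d"
                                 % (payload_len, record_len))
    return hb_type, body[3:3 + payload_len]


def build_heartbeat_record(hb_type: int, payload: bytes) -> bytes:
    """Build a well-formed heartbeat record whose length fields match its contents."""
    body = struct.pack("!BH", hb_type, len(payload)) + payload + b"\x00" * MIN_PADDING
    return struct.pack("!BHH", HEARTBEAT_CONTENT_TYPE, TLS_1_1, len(body)) + body


def heartbeat_response(request_record: bytes) -> bytes:
    """Echo a valid request's payload back, as a patched implementation does."""
    hb_type, payload = parse_heartbeat_record(request_record)
    if hb_type != HB_REQUEST:
        raise MalformedHeartbeat("expected a heartbeat request")
    return build_heartbeat_record(HB_RESPONSE, payload)


# Constructed test vector (not captured traffic): a 19-byte record whose
# payload_length field claims 0x4000 bytes. A patched parser discards it.
OVERSIZED_LENGTH_RECORD = (
    struct.pack("!BHH", HEARTBEAT_CONTENT_TYPE, TLS_1_1, 3 + MIN_PADDING)
    + struct.pack("!BH", HB_REQUEST, 0x4000)
    + b"\x00" * MIN_PADDING
)


def is_discarded(record: bytes) -> bool:
    """True when the record fails validation and would be silently dropped."""
    try:
        parse_heartbeat_record(record)
        return False
    except MalformedHeartbeat:
        return True


if __name__ == "__main__":
    good = build_heartbeat_record(HB_REQUEST, b"ping")
    print(parse_heartbeat_record(heartbeat_response(good)))  # (2, b'ping')
    print(is_discarded(OVERSIZED_LENGTH_RECORD))             # True
```

The decisive line is the comparison of `1 + 2 + payload_len + MIN_PADDING` against the record length: a well-formed request with a 4-byte payload is echoed back, while the constructed record whose length field overstates its payload is dropped before any bytes beyond the record are touched. An IPS that sees the same mismatch on the wire has exactly the evidence it needs to raise an alert, which is why patching the endpoint and detecting at the perimeter rest on the same check.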

If certificates were used on affected servers, should companies revoke and reissue their certificates?

Yes. As the world’s largest Certification Authority, Symantec has already taken steps to patch systems using affected versions of OpenSSL. Additionally, we are following best practices and have re-keyed all certificates on web servers that used affected versions of OpenSSL. We highly recommend that the community at large follow these best practices as well.

Does Symantec charge for revoking and reissuing of its certificates?

While there was never an issue with Symantec Certificates, to address the OpenSSL bug, we will be offering replacements free of charge for our existing customers and the old certificates will be revoked.

Is there any information from Symantec regarding this vulnerability?

An overview of the vulnerability is available on the Security Response blog.

How to Minimize Your Risk

Advice for Businesses
  • Check your version of OpenSSL and, if you are using OpenSSL versions 1.0.1 through (and including) 1.0.1f, do one of the following:
      • (1) Recompile OpenSSL without the heartbeat extension, using the -DOPENSSL_NO_HEARTBEATS compiler flag
      • (2) Update to the latest fixed version of the software (1.0.1g)
  • After moving to a fixed version of OpenSSL, as part of best practices, contact the certificate’s issuing Certification Authority for a replacement
  • Finally, and as a best practice, businesses should also consider resetting end-user passwords that may have been exposed in the memory of a vulnerable server
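The first step above, checking the installed OpenSSL version against the affected range given under Scope of Vulnerability, is easy to get wrong because the `openssl version` banner carries suffixes such as `-fips` or `-beta1`. The following is an added example, not Symantec's tooling: it parses that banner and classifies it against the 1.0.1 through 1.0.1f range stated on this page. It also treats 1.0.2-beta1 as affected, which comes from the upstream OpenSSL advisory rather than from this page. One caveat a practitioner needs: distributions that backported the fix keep the old version number, so a hit here means "verify the build", not "confirmed vulnerable"; recompiling with -DOPENSSL_NO_HEARTBEATS likewise leaves the number unchanged. The function and variable names are this example's own.

```python
import re
import subprocess
from typing import Optional, Tuple

# Matches banners such as "OpenSSL 1.0.1f 6 Jan 2014",
# "OpenSSL 1.0.1e-fips 11 Feb 2013" and "OpenSSL 1.0.2-beta1 24 Feb 2014".
_BANNER = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)(-beta\d+)?", re.IGNORECASE)


def parse_openssl_version(banner: str) -> Optional[Tuple[int, int, int, str, str]]:
    """Return (major, minor, patch, letter, beta) from an 'openssl version' banner, or None."""
    match = _BANNER.search(banner)
    if match is None:
        return None
    major, minor, patch, letter, beta = match.groups()
    return int(major), int(minor), int(patch), letter.lower(), (beta or "").lower()


def is_heartbleed_affected_version(banner: str) -> Optional[bool]:
    """True when the upstream version string falls in the CVE-2014-0160 range,
    False for other releases, None if the banner is not an OpenSSL banner.

    Caveat: this looks at the upstream version number only. A distribution
    build that backported the fix (for example a patched 1.0.1e) still reports
    the old number, so True means "verify this build", not "confirmed vulnerable".
    """
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return None
    major, minor, patch, letter, beta = parsed
    if (major, minor, patch) == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f are affected; 1.0.1g carries the fix.
        return letter <= "f"
    if (major, minor, patch) == (1, 0, 2):
        # From the upstream OpenSSL advisory, not from this page: 1.0.2-beta1
        # was also affected and was fixed in 1.0.2-beta2.
        return beta == "-beta1"
    # 1.0.0 and 0.9.8 predate the heartbeat extension and are not affected.
    return False


def local_openssl_banner(binary: str = "openssl") -> str:
    """Run the local 'openssl version' command and return its banner line."""
    result = subprocess.run([binary, "version"], capture_output=True, text=True, check=True)
    return result.stdout.strip()


if __name__ == "__main__":
    banner = local_openssl_banner()
    verdict = is_heartbleed_affected_version(banner)
    if verdict is None:
        print(banner, "-> not an OpenSSL banner")
    elif verdict:
        print(banner, "-> version string is in the affected range; verify the build")
    else:
        print(banner, "-> version string is outside the affected range")
```

Run it on each host, or feed `is_heartbleed_affected_version` the banners collected by your inventory tooling. Because the classification is by version string alone, pair a positive result with the distribution's own advisory before deciding whether the host still needs the recompile or the upgrade to 1.0.1g.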
Advice for Consumers
  • Be aware that your sensitive data such as passwords may have been seen by a third party if the sites you visit used a vulnerable version of the OpenSSL library.
  • Monitor any notices from the vendors or companies you use. Once a vendor has communicated to you to change your passwords, do so promptly.
  • Watch out for potential phishing emails from attackers asking you to update your password. To avoid landing on an impersonated website, go to the official site domain directly rather than following links in such messages.
  • Stick to reputable websites and services. They are most likely to have immediately addressed the vulnerability.
  • Monitor your bank and credit card statements to check for any unusual transactions.