Archive for April, 2014

9
Apr

Heartbleed – OpenSSL Heartbeat Extension Vulnerability in IpTL Appliances

Posted by Comments Off on Heartbleed – OpenSSL Heartbeat Extension Vulnerability in IpTL Appliances

Advisory ID: iptl-20140904-01-rev01
Release 2014 April 9 00:00  UTC (GMT)

General Overview of the Heartbleed Vulnerability

On April 8, 2014 United States Computer Emergency Readiness Team (US-CERT) announced a confirmed vulnerability for systems employing the OpenSSL library crypto-suite.  OpenSSL versions 1.01. through 1.0.1f contain a defect in the TLS heartbeat extension service. 

Using this vulnerability an attacker can retrieve blocks of memory of a server up to 64kb in size. There is no limit on the number of attacks which can be performed and there is no attacker control over which memory region the block is read from. 

Sensitive information that can be obtained is:

  • Primary key material (secret keys)
  • Secondary key material (user names and passwords used by vulnerable services)
  • Protected content (sensitive data used by vulnerable services)
  • Collateral (memory addresses and content that can be leveraged to bypass exploit mitigations)

 

Heartbleed and IpTL Appliances

All IpTL appliances make use of the OpenSSL crypto library.   Although, all IpTL appliances using firmware versions prior to 3.2.5.1 contains the OpenSSL library defect, IpTL appliances provide unique out-of-the box protection even in light of such a vulnerability.  

The standard features in all IpTL appliances which provide continued protection from this vulnerability are:

  • Perfect Forward Secrecy (PFS)
  • Tunnel Auth passphrase

IpTL appliances operate with Perfect Forward Secrecy (PFS.) PFS operation generates random keys per session for the purposes of key agreement and are not based on any sort of deterministic algorithm or key material.   This means that the compromise of one message cannot lead to the compromise of others, and also that there is not a single secret value which can lead to the compromise of multiple messages.  In relation to Heartbleed, the private keys of an IpTL appliance are never in a position to be exposed. 

Additionally, the Tunnel Auth  feature, under tunnel options, eliminates any ability for an outside attacker to inject, compromise, and obtain data.

Even though vulnerability exists in OpenSSL, IpTL appliances still provide non-compromised protection of your connectivity.

 

Updated Firmware Released

In following with IpTL’s best practices we have released firmware version 3.2.5.1 for its appliances.  This firmware eliminates the Heartbleed bug.   Please email support@IpTechnologyLabs.com for your link to this firmware or contact your integrator.

We encourage all customers to upgrade to stay current with security, operational, and feature updates.  This firmware is free of charge.

 

Links to additional information

https://www.us-cert.gov/ncas/alerts/TA14-098A

http://www.openssl.org/news/secadv_20140407.txt

Category : Security Advisories | Blog