With the widespread use of OpenSSL across enterprise applications and servers, the newly announced OpenSSL Heartbleed vulnerability has introduced a level of risk and vulnerability that organizations need to take seriously.
As a market leader in security, Trend Micro can help you understand and address this vulnerability. Some straight talk on the issues and what customers can do follows.
The Heartbleed bug is a serious vulnerability in the popular OpenSSL cryptographic software library. OpenSSL is an implementation of the SSL/TLS encryption protocol used to protect the privacy of Internet communications. OpenSSL is used by many web sites and other applications like email, instant messaging, and VPNs.
The Heartbleed vulnerability allows an attacker to read the memory of systems using certain versions of OpenSSL, potentially allowing them to access user names, passwords, or even the secret cryptographic keys of the server used for SSL. Obtaining these keys would allow malicious users to observe all communications on that system, allowing further exploit.
According to Netcraft data: although 66% of sites use OpenSSL, only 17% are susceptible to the Heartbleed bug, as of April 8th, 2014.
Given that this vulnerability has existed for at least two years, an organization that has deployed servers running OpenSSL (versions 1.0.1 through 1.0.1f) during this timeframe is likely vulnerable to the Heartbleed bug and should take immediate steps to remediate.
Although there have been no successful Heartbleed attacks documented to date, but that does not mean they have not happened. Accordingly, even if your organization is not currently vulnerable, it may have been so in the past and it should be assumed that remediation is required if you have deployed the vulnerable OpenSSL versions.
While the use of OpenSSL is widespread, the impact of Heartbleed is mitigated depending on the configuration of the systems using it.
If you use OpenSSL and are unsure if you are affected, a public test tool is available to quickly confirm if you have the vulnerability. Customers of Trend Micro Deep Security for Web Apps can run a full vulnerability scan on their web applications to check for the Heartbleed bug.
Trend Micro is thoroughly investigating to see if any of our products and services may be affected by the OpenSSL Heartbleed vulnerability. Check here for updates of our investigations.
If your server currently makes use of OpenSSL 1.0.1 through 1.0.1f, then you likely are vulnerable. Take these steps now:
Even if a server is not currently vulnerable, if at any time OpenSSL 1.0.1 through 1.0.1f have been deployed, this bug could have been exploited and there is a small chance that the private cryptographic key used for the SSL/TLS protocol may have been compromised. This is significant as it has the potential to allow an attacker to eavesdrop on all server communications-even if the OpenSSL library has been subsequently upgraded. Accordingly, organizations should reissue their SSL certificates with newly generated keys:
If a system is or has been vulnerable, organizations should assess the type of information that may have been compromised. In some cases, if sensitive information such as account passwords and credit card numbers has been compromised, organizations may choose to advise their customers of this risk and recommend they update their credentials.
Countless organizations are spending unplanned days testing and patching their systems in response to this widespread vulnerability. And you can be sure that more unknown vulnerabilities are out there. Trend Micro provides a comprehensive range of security capabilities for endpoints and data centers that can help to both detect issues and protect them from being exploited.
Continuous vulnerability scanning. The first step in remediating a bug like Heartbleed is to detect it. Organizations should be continuously testing their deployed web applications for the latest vulnerabilities. Trend Micro Deep Security for Web Apps provides automated application and platform scanning, augmented by logic testing by security experts, providing you actionable insights into vulnerabilities.
Immediate SSL certificate reissue. In response to Heartbleed, affected organizations need to rekey and reissue their SSL certificates—–a time consuming process. Deep Security for Web Apps allows customers to readily rekey their SSL certificates, and reissue them in a matter of minutes, to minimize the time critical systems are exposed to vulnerability. Further, innovative licensing allows customers to issue unlimited publicly rooted SSL certificates for their servers and also upgrade to higher security Extended Validation (EV) certificates at no additional cost.
Instant virtual patching. Upgrading libraries like OpenSSL needs to be done with care to ensure other functionality is not impacted–usually through regression testing. This takes time and prolongs exposure to vulnerability. Trend Micro Deep Security provides advanced intrusion detection and prevention and enables customers to virtually patch systems (PDF). This allows immediate blocking and protection from attacks seeking to exploit vulnerabilities without requiring an update to the server configuration, lowering risk and reducing immediate operational impacts.
Detection of targeted attacks: Trend Micro Deep Discovery enables organizations to detect when targeted attacks are happening inside the network. With new rules in place for the Heartbleed bug and a detection rate that leads the industry (see: Trend Micro Deep Discovery earns Top Breach Detection Score in NSS Labs testing), Deep Discovery enables customers to protect themselves from targeted attacks both today and in the future.
Mark Nunnikhoven, Trend Micro's principal engineer for cloud and emerging technologies, explains the challenges that organizations face with OpenSSL Heartbleed, what you can do now, and how Trend Micro can help.
Trend Micro threat defense experts are tracking the Heartbleed bug and sharing their findings with you in the following blogs. You can follow our Blogs for the latest developments:
To help you protect against the Heartbleed bug that is eroding SSL security features on websites worldwide, Trend Micro has released two free Heartbleed scanners for computers and mobile devices. The scanners are designed to verify whether you are communicating with servers that have been compromised by the Heartbleed bug.
Trend Micro Heartbleed Detector scans your Android mobile device for possible risk and helps you stay away from the Heartbleed bug.
What does Heartbleed Detector check on your mobile device?
Download now via Google Play.
Available for Mac and Windows-based computer users, the Trend Micro Heartbleed Detector is a multi-platform plug-in for Chrome that enables you to check for vulnerable URLs.
Easily check if any website suffers from the Heartbleed vulnerability to avoid putting your security at risk.
Install now with a single click!