Thursday 10 April 2014
This post details the implications and current status of the Heartbleed bug, which has just been discovered and reported:
What is this about?
This is a serious security issue with widespread global coverage. As of today the mainstream media are also picking up on it and reporting on it (e.g. ABC News at 10am today).
It affects Secure Sockets Layer (SSL) based encryption, such as that used to encrypt website traffic (i.e. https://) and some SSL-based VPN systems, through versions 1.0.1 and 1.0.2-beta of OpenSSL. OpenSSL is used by more than half of all websites, but not all versions have the vulnerability.
The exploit uses a bug in those OpenSSL versions that lets an attacker read (but not modify) a small segment of the host server's memory, which may or may not contain sensitive information. Technical information on this vulnerability is at: http://heartbleed.com/
When was a “fix” released?
OpenSSL 1.0.1g, released on 7 April 2014, fixes the bug, and in the days that followed the fix was incorporated into the various software vendor and open-source patch/update packages that are applied to affected servers.
Also, although not a fix in itself, vendors and security consultants are recommending as a further precaution that users change their passwords on systems such as website applications, once those systems have been patched (a password changed on a still-vulnerable server could be exposed again).
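As an added example (not code from the original post or from Mach), the following Python helper applies the version facts above to an inventory of servers: OpenSSL 1.0.1 up to and including 1.0.1f, and the 1.0.2-beta series, are treated as affected, and 1.0.1g as fixed. The hostnames and `openssl version` strings in the sample inventory are constructed for illustration.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Fixed release named on the page; 1.0.1 with no letter and 1.0.1a..1.0.1f precede it.
FIXED_RELEASE = "1.0.1g"


class OpenSSLVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    letter: str       # release letter, e.g. "f" in 1.0.1f ("" when absent)
    prerelease: str   # e.g. "beta1" in 1.0.2-beta1 ("" when absent)


# Matches "1.0.1f", "1.0.2-beta1", "1.0.1e-fips" (the -fips suffix is ignored).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d*|dev))?")


def parse_version(text: str) -> Optional[OpenSSLVersion]:
    """Extract the version from a string such as the output of `openssl version`."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, letter, pre = m.groups()
    return OpenSSLVersion(int(major), int(minor), int(patch), letter, pre or "")


def is_heartbleed_affected(version_text: str) -> bool:
    """True when the reported version falls in the range the advisory lists as affected."""
    v = parse_version(version_text)
    if v is None:
        raise ValueError(f"unrecognised OpenSSL version string: {version_text!r}")
    if (v.major, v.minor, v.patch) == (1, 0, 1):
        # Release letters sort alphabetically: "" and "a".."f" are before "g".
        return v.letter < "g"
    if (v.major, v.minor, v.patch) == (1, 0, 2):
        # The advisory lists 1.0.2-beta as affected; no final 1.0.2 existed at the time.
        return v.prerelease.startswith("beta")
    return False  # 0.9.8 and 1.0.0 series never contained the heartbeat bug


# Constructed inventory: one line per host, "<hostname><TAB><openssl version output>".
SAMPLE_INVENTORY = (
    "web01\tOpenSSL 1.0.1e 11 Feb 2013\n"
    "web02\tOpenSSL 1.0.1g 7 Apr 2014\n"
    "vpn01\tOpenSSL 1.0.2-beta1 24 Feb 2014\n"
    "legacy01\tOpenSSL 0.9.8y 5 Feb 2013\n"
)


def audit(inventory: str) -> List[Tuple[str, str, bool]]:
    """Return (host, version string, affected) for every non-empty inventory line."""
    results = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, _, version_text = line.partition("\t")
        results.append((host, version_text, is_heartbleed_affected(version_text)))
    return results


def hosts_needing_patch(inventory: str) -> List[str]:
    """Hosts whose reported version is in the affected range, in inventory order."""
    return [host for host, _, affected in audit(inventory) if affected]


if __name__ == "__main__":
    for host, version_text, affected in audit(SAMPLE_INVENTORY):
        status = "PATCH REQUIRED" if affected else "ok"
        print(f"{host:10} {version_text:35} {status}")
```

One caveat when using a check like this: distribution vendors often backport the fix without changing the reported version string (a 1.0.1e build may already carry the fix), so a match here means "verify against the vendor's advisory or package changelog", not "confirmed vulnerable". The reverse is safe: a version at or above 1.0.1g, or outside the 1.0.1 and 1.0.2-beta series, does not need the patch.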
What has Mach done?
Following publication of the security alert by the authorities, Mach immediately completed a full audit of all systems that use OpenSSL and identified those that required the patched version of OpenSSL; the patch was applied to all affected systems in risk-prioritised order within 24 hours. No firewall or router infrastructure was affected.
A small number of clients will also need to have SSL certificates re-created with new private keys (e.g. for VPN-based use), since a private key in use on an affected system may have been exposed, and Mach will work with these clients through this process.