Vulnerability in the OpenSSL library requires immediate action from web service providers
10.04.2014 at 16:15
The vulnerability in the OpenSSL library makes it possible to copy the memory contents of vulnerable servers. By exploiting the vulnerability, it has been possible to copy users' username and password pairs, cookies, session-specific keys, and the secret keys used by the service from web servers.
If the server's secret keys have fallen into the wrong hands and Perfect Forward Secrecy (PFS) has not been used for encryption, it is possible to decrypt the server's previous network traffic.
Servers equipped with a vulnerable OpenSSL library should be updated immediately. NCSC-FI has observed search operations for vulnerable servers and active exploitation of the vulnerability.
Only some of the web services using SSL encryption are vulnerable. NCSC-FI at FICORA is examining the number of vulnerable services in Finland. According to NCSC-FI's observations, Finnish web service administrators have actively upgraded vulnerable software.
End-users of web services should actively follow official notices from web service administrators in case instructions are published.
On 10 April, NCSC-FI updated its OpenSSL advisory with a list of vulnerable software.
Target group of the alert
- Server maintainers using the OpenSSL library
Possible solutions and restrictive measures
- Upgrade the OpenSSL library in the vulnerable servers in accordance with FICORA's advisory and instructions issued by server software manufacturers.
- After updating the OpenSSL library, change the encryption keys used by the server, e.g. SSL certificates.
- End-users should actively follow official notices from network service administrators in case instructions are published.
- It is recommended to consider the use of the Perfect Forward Secrecy (PFS) encryption features. These features help to prevent possible exploitation of previously stored traffic if the key material ends up in the wrong hands.
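The PFS recommendation above can be checked on a server's cipher list. The following is an added example, not part of the NCSC-FI alert: it classifies OpenSSL cipher-suite names by whether the key exchange is ephemeral and builds a Python `ssl` server context limited to such suites. The function names and the sample suite list are constructed for illustration.

```python
import ssl

# OpenSSL suite-name prefixes whose key exchange is authenticated ephemeral
# (EC)DH: session keys cannot be recovered later from the server's private key.
FS_PREFIXES = ("ECDHE-", "DHE-", "EDH-")

# Constructed sample of OpenSSL suite names, as an audit of a server's
# configured cipher list might see them.
SAMPLE_SUITES = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-GCM-SHA384",
    "AES128-GCM-SHA256",        # static RSA key exchange
    "ECDH-RSA-AES128-SHA",      # static ECDH, not ephemeral
    "TLS_AES_256_GCM_SHA384",   # TLS 1.3
    "DES-CBC3-SHA",             # static RSA key exchange
]

def has_forward_secrecy(name, protocol=""):
    """True if the suite uses an authenticated ephemeral key exchange."""
    # TLS 1.3 suite names carry no key exchange; its full handshakes
    # always use ephemeral (EC)DHE.
    if protocol == "TLSv1.3" or name.startswith("TLS_"):
        return True
    # Anonymous (ADH-/AECDH-) and static (ECDH-, plain RSA) suites fall through.
    return name.startswith(FS_PREFIXES)

def audit(names):
    """Split suite names into (forward_secret, static_key) lists."""
    fs = [n for n in names if has_forward_secrecy(n)]
    return fs, [n for n in names if n not in fs]

def pfs_only_server_context():
    """Server-side context limited to ECDHE/DHE suites with AEAD ciphers."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM")
    return ctx

def static_key_suites(ctx):
    """Suites enabled on ctx that would expose recorded traffic to key theft."""
    return [c["name"] for c in ctx.get_ciphers()
            if not has_forward_secrecy(c["name"], c.get("protocol", ""))]

if __name__ == "__main__":
    fs, static = audit(SAMPLE_SUITES)
    print("forward secret:", fs)
    print("static key exchange:", static)
    print("left in hardened context:", static_key_suites(pfs_only_server_context()))
```

Any name returned by `static_key_suites` is a suite under which traffic recorded earlier can be decrypted once the server's private key is known, which is the case the alert describes.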
The Finnish Communications Regulatory Authority (FICORA)
The National Cyber Security Centre Finland (NCSC-FI)
Itämerenkatu 3 A
P.O. Box 313
Media contacts by telephone +358 295 390 248