Vulnerability in the OpenSSL library requires immediate actions from web service providers

Scanning for servers exposing a vulnerability in the OpenSSL library, with a view to exploiting it, began after the advisories were published. It is recommended that vulnerable servers using the OpenSSL library are upgraded immediately. The server certificates of the vulnerable servers must be changed after the server update. It is recommended that the passwords of the persons using the server are changed in a controlled manner.

The vulnerability in the OpenSSL library enables copying of the contents of the vulnerable server's memory. By exploiting the vulnerability, it has been possible to copy web server users' username and password pairs, cookies and session-specific keys, as well as the secret keys used by the service.

If the server's secret keys have fallen into the wrong hands and the Perfect Forward Secrecy (PFS) functionality has not been used for encryption, it is possible to decrypt previously recorded network traffic of the server.

Servers equipped with a vulnerable OpenSSL library should be updated immediately. NCSC-FI has observed scanning for vulnerable servers and active exploitation of the vulnerability.

Only some of the web services using SSL encryption are vulnerable. NCSC-FI at FICORA is examining the number of vulnerable services in Finland. According to NCSC-FI's observations, Finnish web service administrators have actively upgraded vulnerable software.

End-users of web services should actively follow the official notices published by web service administrators, in case further instructions are issued.

On 10 April, NCSC-FI updated its OpenSSL advisory with a list of vulnerable software.

Target group of the alert

  • Server maintainers using the OpenSSL library

Possible solutions and restrictive measures

  • Upgrade the OpenSSL library on the vulnerable servers in accordance with FICORA's advisory and the instructions issued by the server software manufacturers.
  • After the update of the OpenSSL library: change the encryption keys used by the server, e.g. SSL certificates and the private keys behind them.
  • End-users should actively follow the official notices published by network service administrators, in case further instructions are issued.
  • It is recommended to consider the use of the Perfect Forward Secrecy (PFS) encryption features. These features help to prevent later exploitation of previously stored traffic if the key material ends up in the wrong hands.
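The PFS point above (and in the paragraph on decrypting previous traffic) hinges on which cipher suite a server actually negotiates: only ephemeral Diffie-Hellman exchanges (ECDHE/DHE) give forward secrecy, while plain RSA key exchange encrypts each session's premaster secret to the long-term server key. The following POSIX shell script is an added example, not part of the NCSC-FI alert; it classifies the negotiated cipher from `openssl s_client` output and runs on constructed, abridged sample transcripts.

```shell
#!/bin/sh
# Added example (not from the NCSC-FI alert): classify the cipher suite a TLS
# server negotiated, as printed by `openssl s_client -connect host:443`, by
# whether its key exchange provides forward secrecy. A forward-secret suite
# derives a fresh session key per connection, so a leaked server private key
# does not let previously recorded traffic be decrypted afterwards.

# Extract the negotiated cipher name from s_client output read on stdin.
# s_client prints a line such as:  "    Cipher    : ECDHE-RSA-AES128-GCM-SHA256"
negotiated_cipher() {
    sed -n 's/^ *Cipher *: *\([A-Za-z0-9_-]*\).*/\1/p' | head -n 1
}

# Return 0 (true) when the cipher is forward-secret, 1 otherwise.
# ECDHE-*, DHE-* and EDH-* use ephemeral Diffie-Hellman; TLS 1.3 suites
# (TLS_*) are always ephemeral. Static RSA key exchange (AES256-SHA,
# DES-CBC3-SHA, ...) is decryptable by anyone holding the server key.
is_forward_secret() {
    case "$1" in
        ECDHE-*|DHE-*|EDH-*|TLS_*) return 0 ;;
        *)                         return 1 ;;
    esac
}

# Print "PFS", "NO-PFS" or "UNKNOWN" for the s_client output given as $1.
classify_session() {
    cipher=$(printf '%s\n' "$1" | negotiated_cipher)
    if [ -z "$cipher" ]; then
        echo "UNKNOWN"
    elif is_forward_secret "$cipher"; then
        echo "PFS"
    else
        echo "NO-PFS"
    fi
}

# Constructed, abridged s_client transcripts (not real captures).
SAMPLE_PFS='New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256'
SAMPLE_RSA='New, TLSv1/SSLv3, Cipher is AES256-SHA
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-SHA'

# Against a live server one would feed classify_session the output of:
#   openssl s_client -connect example.com:443 </dev/null 2>/dev/null
classify_session "$SAMPLE_PFS"   # PFS
classify_session "$SAMPLE_RSA"   # NO-PFS
```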

Further information

NCSC-FI Advisory on OpenSSL

OpenSSL Security Advisory 20140407

https://www.kb.cert.org/vuls/id/720951

http://heartbleed.com/

http://en.wikipedia.org/wiki/Forward_secrecy
