As previously communicated, a serious vulnerability called the "Heartbleed Bug" has been detected in OpenSSL, a commonly used SSL/TLS technology that encrypts data sent via the Internet. This vulnerability is found in servers and server operating systems. The vulnerability allows an attacker to request blocks of server process memory which may contain secrets such as the x509 private key or user credentials or session keys, etc. An attacker is able to obtain this information remotely and without detection. Using this information, an attacker may perform MITM attacks, remote session hijacking, or credential capture for later use.
We ask that you evaluate your environment to determine whether you have vulnerable systems. As this is a bug in OpenSSL, the vulnerability is not limited to HTTPS servers (such as Apache and nginx) but also to other services such as IMAPS/SMTPS server and VPN/SSL servers. Additionally, the vulnerability may be present on virtual machines, on embedded appliances, or bundled within other software. For example, the OpenVPN client for Windows bundles the OpenSSL library. Environment scans should not be limited to HTTPS only.
Vulnerability Assessment Tools
You may wish to consider using tools such as the following to evaluate the existence of the vulnerability on the server:
- http://filippo.io/Heartbleed (web-based tool; which is a deployment of https://github.com/FiloSottile/Heartbleed; supports checking https, pop3, imap, smtp and ftp, the latter via starttls)
- https://www.ssllabs.com/ssltest/ (web-based tool; supports checking https; performs many other SSL checks, so may provide you with a negative result for another (valid!) reason)
- https://gist.github.com/takeshixx/10107280 (command line utility with starttls support)
In order to assist you with your environment scans, UBC IT is evaluating a utility developed by a sister university. As this tool is able to scan /16 netblocks in minutes, it is our preferred approach over Nessus. We will let you know when it's ready and when we might begin a scan. Results will be made available to the subnet owners identified in Transmogrifier.
Patching
Once you identify a vulnerable service, patch it using the packages your operating system vendor has provided, reboot the system, reissue the x509 certificate it was using (based on a new private key) and restart the service. Some links to patched operating system versions are shown below. Since this vulnerability has existed in the OpenSSL code base for about 2 years, it's possible that services have been compromised some time ago. An abudance of caution would suggest advising users to change their credentials on such services once the service is verified not to be using a vulnerable version of OpenSSL.
Debian: https://www.debian.org/security/2014/dsa-2896
RedHat: https://rhn.redhat.com/errata/RHSA-2014-0376.html
Ubuntu: http://www.ubuntu.com/usn/usn-2165-1/
Many x509 certificate vendors are offering certificate reissuance. If yours isn't please contact it.security@ubc.ca to discuss options regarding switching to Thawte.
If you need assistance convincing business stakeholders of the need to address the vulnerability, please contact it.security@ubc.ca and we can help with the conversation.
Sample Communication Messages
Finally, you may wish to use some of the material we have been generating for the UBC community in your own communications with your units:
"A serious security risk called the "Heartbleed Bug" has been detected on the Internet which can put your private information at risk. UBC is treating this bug very seriously and is in the process of verifying whether any UBC systems are impacted, and immediately fixing any so identified. Information transmitted to a UBC website, or any other internet site affected with this bug such as a log-on page for online banking, may become available to a third party. It takes minimal effort to intercept and the attack is undetectable. The Heartbleed bug has the potential to expose your private data, including usernames, passwords, credit card numbers, and emails.
UBC websites that may use the affected technology, referred to as OpenSSL, can be identified by the padlock symbol in the browser address bar. You can use the following tool: http://filippo.io/Heartbleed/ to check if any UBC web site you wish to use is safe. Due to the nature of this bug, it is difficult to know whether you have been exposed to a site affected by it already. If you use open wi-fi locations to connect through the internet, such as internet cafes, you are generally at higher risk for being exposed to more security attacks. If you regularly use web sites requiring your private information, such as credit card numbers, we advise you to verify with the site owners that they are sure the site is not affected by the Heartbleed Bug. If you cannot obtain such a verification we suggest you use the tool whose link we provided above to check for yourself. If you are not sure either way that the site is clean, we suggest that you delay using it until the site owner has verified that it is not affected.
Information about this security risk and steps being taken to secure UBC systems can be found at http://it.ubc.ca."
