This is a quick email to bring your attention to a recently publicised OpenSSL security vulnerability known as "Heartbleed". The Common Vulnerabilities and Exposures list has assigned CVE-2014-0160 for this issue.

The vulnerability is currently being exploited in the wild on a small scale.

The vulnerability is a memory disclosure bug. That is, a malicious user can send a trigger packet to an HTTPS service with a vulnerable OpenSSL instance, and the server will respond with the raw memory contents of the HTTP server (such as Apache) or OpenSSL.

Examples include:

1. Revealing the SSL private key, such as .PEM file.
2. Disclosing cached contents of the HTTP/S server, such as username and password sent over SSL to authentication forms.
3. Data stored within the HTTP/S server, such as source code, database connection strings, and information normally only accessible as an authenticated user logged in to the system.
4. Internal memory addressing and security defence mechanisms.

The issue is not only HTTP/S related, but may include other protocols which implement OpenSSL functions (such as SMTP/S, POP3/S etc).  

Am I vulnerable?

Only OpenSSL versions 1.0.1, 1.0.1a through to 1.0.1f are vulnerable. Version 1.0.1 was released March 2012. Version 1.0.1g was released today and is immune (many distributions have not yet released updates, but they should become available within 24 hours). Versions prior to 1.0.1, such as 1.0.0 and the 0.9.x variants do not include this specific vulnerability.

You can check what version you have by running openssl with the version switch:

# openssl version
OpenSSL 1.0.1f 6 Jan 2014 (vulnerable)

This bug is specific to OpenSSL only. Microsoft products may not be affected, however Windows products which utilise OpenSSL may be affected. Most Linux and unix variants utilise OpenSSL. 

It is worth determining what risks this presents to your organisation. As the private key can be compromised and traffic decrypted, consider whether a new private key should be issued and signed by CA (once the server has been patched).

Recently, a client of ours requested some information regarding security considerations should a corporation permit employees to use social media such as Facebook, YouTube, Twitter and other sites.

It is a common problem. There are a few issues here which need to be considered;

1) Yes there are cross-site scripting issues with the websites. But the vulnerabilities are in the websites themselves, so youtube.com, facebook.com and twitter.com are managed by internal staff - if they are vulnerable then everybody is. It is really out of your control. The worms use to propagate, such as the recent Facebook worm which was posting adult images, abuse the [zero-day] vulnerability in the website... eventually the sysadmins discover the worm and close the gap.

2) The web browsers also play a part in exploitability. Internet Explorer 8+ has some mitigations for XSS. Chrome and Firefox also have some anti-XSS measures, but still lack complete protection. NoScript add-ons can be used for Firefox and Chrome to further mitigate attacks. Earlier browsers such as IE6 and older releases of Firefox interpret HTML and JavaScript differently, as well as Content-Type / Content-Disposition which may make a user of IE6 vulnerable to a facebook worm but not say IE7. So up-to-date SOE browsers are a good idea depending on what your patching is like.

3) When using XSS attacks the attacker or worm often needs a location to store their malicious JavaScript. NoScript will deny external locations unless explicitly permitted. But regardless, attackers sometimes use what would be considered trusted websites... so it is possible for someone to obtain a Google Sites account, upload JavaScript, then the browser will fetch the content from *.google.com ... instead of a suspect .cn domain etc.

4) There is the crossdomain.xml policy - http://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html. This is dependent on the website.

5) Researchers occasionally uncover browser vulnerabilities which breach the internal browser cross-domain security policy... so the result may be a vulnerability despite proactive protections and hardened configuration.

6) Antivirus vendors such as TrendMicro provide browser add-ons which check and report all URLs accessed by clients world-wide. The Trend Micro Threat Intelligence cloud and other reputable AV companies will notice the worm after a handful of end-users report the malicious action of a site. In this case, a few users will be infected but after the cloud picks up on this, the URL will be blacklisted globally until the threat is eliminated, thus protecting end-users providing you're not the first few visitors to be infected.

7) Obviously if you have a HTTP AV / Content Filter proxy then this may detect some worms.

So to summarise, there are many different preventative measures you can take to avoid infection. Implementing all of the above may significantly reduce your risk, but after all is said and done, if the youtube.com / facebook.com / twitter.com domains are vulnerable, you are waiting on them to provide a fix.

If there is a known, unpatched worm spreading and the media has alerted users like the recent facebook adult photos and dead animals worm, you could temporarily ban access to those sites on the firewall until the worm is cleared to try and protect staff.

Another matter worth considering is whether there is a risk of staff seeing objectionable material such as pornography from the worm and the staff going on stress leave, workers compensation or suing for psychological damages etc etc.
Some organisations try to minimise law suits by implementing strict policies about what to do when someone sends you pornographic material and you unexpectedly open it. There is paper work to complete including who sent the email (they are permanently added to a blacklist), listing all who received the email, any 3rd parties that saw it on your screen, ensuring that email archive / data backup staff store the offending email if needed for court on tape, and email admin staff forcibly deleting copies from staff inboxes by conducting email audits.
​
Hopefully this gives you some insight into corporate considerations prior to blanket access of social media websites for staff.

Introduction
The portal requires users submit a username and password to authenticate. This communication is not encrypted.

Method
Check the HTML source code on the form page, and examine whether the FORM ACTION is GET/POST to a HTTPS:// URI.
​
Recommendation
1) Enable SSL and disable HTTP for the portal
2) Use two-factor tokens (one time password) for strong authentication.
3) Modify the HTML source to ensure the data is POST'ed to a HTTPS URL.