How to stay protected for Heartbleed and other OpenSSL flaws

The CCS Injection Vulnerability

The CCS Injection Vulnerability was discovered in June 2014. According to a security advisory issued by Zimbra "an attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server".

The important thing to note about the CCS Injection Vulnerability is that it requires both the server and the client to be running versions of OpenSSL that have not been patched against the vulnerability. So, if either party involved in the SSL/TLS-encrypted data exchange has been patched against the vulnerability, then the flaw cannot be exploited.

In that sense, while a significant issue, its impact is not likely to be as great as Heartbleed's.

How do you know if you're Vulnerable?

Any system that is using an unpatched version of OpenSSL is vulnerable to Heartbleed and the CCS Injection Vulnerability.

A fix for Heartbleed was issued on the same day that it was made public. The patched version is designated 1.0.1g.

One of the challenges that you're faced with when looking at Heartbleed and the CCS Injection Vulnerability is understanding where your points of weakness really are.

Internal Systems

If you have developed or deployed your own systems using OpenSSL then you need to patch them. Third party applications and some operating systems are also vulnerable.

For example, Red Hat Enterprise Linux was affected but patches were issued by Red Hat. Similarly, some versions of SUSE Linux were also affected and have been patched.
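As an added example, not from the article or from any vendor, the following Python checks an `openssl version` banner against the 1.0.1g fix threshold mentioned above and, because distributions such as Red Hat and SUSE backport the fix without changing the version string, also looks for CVE-2014-0160 in the package changelog before calling a host vulnerable. The banner strings and the changelog excerpt are constructed sample input, and `local_banner` is a hypothetical helper that just runs `openssl version` on the current host.

```python
import re
import subprocess

HEARTBLEED_CVE = "CVE-2014-0160"
FIXED_BRANCH, FIXED_LETTER = "1.0.1", "g"   # first upstream release with the fix is 1.0.1g

def parse_openssl_version(banner):
    """Split an 'openssl version' banner into (branch, letter, suffix).
    'OpenSSL 1.0.1e-fips 11 Feb 2013' -> ('1.0.1', 'e', '-fips')."""
    m = re.match(r"OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)(\S*)", banner)
    if not m:
        raise ValueError(f"unrecognised OpenSSL banner: {banner!r}")
    return m.group(1), m.group(2), m.group(3)

def heartbleed_status(banner):
    """Classify by upstream version alone: only the 1.0.1 branch before 1.0.1g is affected."""
    branch, letter, _ = parse_openssl_version(banner)
    if branch != FIXED_BRANCH:
        return "not-affected"          # e.g. the 0.9.8 shipped with OS X, or 1.0.0
    return "fixed" if letter >= FIXED_LETTER else "vulnerable"

def changelog_mentions_fix(changelog, cve=HEARTBLEED_CVE):
    """Distribution builds keep the old version string and backport the fix,
    so a vulnerable-looking banner is inconclusive on its own; the package
    changelog naming the CVE is the stronger signal."""
    return re.search(re.escape(cve), changelog, re.IGNORECASE) is not None

def assess(banner, changelog=""):
    """Combine the version check with the changelog check."""
    status = heartbleed_status(banner)
    if status == "vulnerable" and changelog_mentions_fix(changelog):
        return "fixed-by-vendor-backport"
    return status

# Constructed sample input: an RHEL-style banner and a changelog excerpt.
SAMPLE_BANNER = "OpenSSL 1.0.1e-fips 11 Feb 2013"
SAMPLE_CHANGELOG = """\
* Tue Apr 08 2014 Example Packager - 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
"""

def local_banner():
    """Hypothetical helper: banner of the OpenSSL binary on this host."""
    out = subprocess.run(["openssl", "version"], capture_output=True, text=True, check=True)
    return out.stdout.strip()

if __name__ == "__main__":
    print("sample:", assess(SAMPLE_BANNER, SAMPLE_CHANGELOG))   # fixed-by-vendor-backport
    print("local :", assess(local_banner()))  # version check only; pair it with your vendor's changelog
```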


Cloud Services

As well as reviewing your internal systems, it's critical that you check all of your key service providers.

By now, most major SaaS providers have updated their systems. But carrying out thorough due diligence means checking more than just paperwork.

You should carry out your own testing of external providers.

There's a handy detection tool, created by Trend Micro, so you can test your service providers for Heartbleed vulnerability.

End Users

Although end user systems weren't the primary focus of Heartbleed that doesn't mean they weren't vulnerable. Systems running Windows aren’t affected as they don’t use OpenSSL. Apple's OS X was similarly unaffected but for different reasons. Although OS X, which is based on Unix, uses OpenSSL, it uses version 0.9.8 rather than the vulnerable 1.0.1.

Android devices running 4.1.1 carry the Heartbleed flaw unless they've been specifically patched. Lacoon Mobile security has produced a video showing what it looks like when Heartbleed is exploited on an affected Android device.
