Published: April 14, 2014
Last Update: April 14, 2014 4:00 pm
A major new web security vulnerability was disclosed by security researchers on Monday, April 7, 2014. At the time of disclosure, the vulnerability dubbed “Heartbleed” affected a large portion of websites on the Internet that use certain versions of the OpenSSL software package to encrypt web traffic (pages whose addresses start with https).
The vulnerability could enable remote attackers to steal sensitive information such as passwords from a vulnerable server’s memory. In conjunction with the public disclosure, OpenSSL.org released updated source code to fix the vulnerability; however, updated software packages were not readily available from operating system (OS) vendors until the following day.
Since the afternoon of Monday, April 7, 2014, UW-IT staff and other University IT professionals including departmental IT support staff, UW Medicine IT Services staff, and the members of the UW Office of the CISO have been working to identify and remediate servers affected by the vulnerability.
The UW Weblogin service was a major area of concern, since the servers that support it see frequent use by members of the UW community who enter UW NetIDs and passwords to authenticate to access online services. At the time the Heartbleed vulnerability was publicly disclosed, the Weblogin servers were running a vulnerable version of OpenSSL. They were all updated and restarted as soon as updated software packages were released by the operating system vendor, and are now no longer vulnerable. Other critical servers managed by UW-IT were also remediated in the same way.
Online service providers, cloud providers, and other server administrators around the world have been assessing their systems in order to fix vulnerable versions of OpenSSL.
Be on the alert: It is anticipated that phishers and other cybercriminals will try to capitalize on the broad attention this topic has gathered and will likely send out emails with links to fake Weblogin pages or other means to try to collect your password. Do not click on links in emails that direct you to change your UW NetID password. Instead, go to the UW-IT IT Connect webpage and navigate to the appropriate page if you need to change your password.
Make sure that any “client side” software you are using is up to date and fully patched. This includes software that commonly uses SSL/TLS encryption such as web browsers, email clients, instant messaging clients, productivity software, and operating systems.
Many software companies have released updates for their products in response to Heartbleed. Printers, copiers, and other network connected devices may also use OpenSSL, and may be vulnerable. If you have questions about a specific device, contact the manufacturer.
It is important to note that not all web servers on the Internet use OpenSSL, and not all versions of OpenSSL in use are vulnerable. Many popular websites that were vulnerable at the time of disclosure installed fixes on their systems shortly thereafter. Check the FAQ section below for additional information.
UW-IT staff have analyzed available log data, as well as examined usage patterns, and we have found no evidence to suggest that passwords were actually captured systematically by malicious actors. Therefore, a mass password change for all UW NetIDs is not recommended at this time. Monitoring for evidence of account abuse will continue, and updates will be provided via this page and other means if conditions change.
As of the publishing date of this page, there has been no evidence of large scale theft of UW NetID passwords by malicious actors as a result of this vulnerability, but it is important to remember that your UW NetID password protects access to your personal data, as well as the University data for which you are responsible.
If you are concerned about the security of your UW NetID password, you should change it. It is safe to do so using the UW-IT “Manage your UW NetID” page.
If you re-used your UW NetID password for any other non-UW accounts, websites, or services, you should change your UW NetID password. The use of the same password for multiple unrelated accounts is a major contributor to password compromise, and therefore is strongly discouraged.
If a website you use was running a vulnerable version of OpenSSL, consider changing your password for that site. However, wait to do so until you know for sure that the website operator has fixed the problem by updating OpenSSL on their servers.
Unfortunately, there is no really easy way to determine this. Various Heartbleed “test sites” have sprung up, but depending on the specific test methodology a given site employs, results may contain false positives or false negatives, and can therefore give a false sense of security.
Several blogs also started lists of popular websites, identifying them as “safe” or “unsafe”, with recommendations on whether users should change their passwords or not. A cursory review of the examples listed did yield some false positives, so these lists cannot be recommended as an authoritative source.
The best way to make your own determination is to look for a website operator’s statement that the issue has been addressed and that the website is no longer vulnerable, or never was vulnerable in the first place. If you cannot easily find such a statement posted anywhere, don’t hesitate to contact the website operator to ask how they have addressed the Heartbleed vulnerability.
OpenSSL 1.0.1 through 1.0.1f (inclusive) ARE vulnerable
OpenSSL 1.0.2-beta1 IS vulnerable
And just for reference:
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable
The vulnerability was introduced into the wild with the OpenSSL release 1.0.1 on March 14, 2012.
According to research published by the Internet Services Company Netcraft, on the day the Heartbleed vulnerability was publicly disclosed, about half a million websites were affected worldwide, or about 17.5% of websites on the Internet supporting https. It also affects email servers and clients, web browsers, chat services and clients, and other client software that uses the vulnerable versions of OpenSSL. Other network connected devices such as printers may also be vulnerable.
SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are cryptographic protocols designed to provide communication security over the Internet. OpenSSL is a popular open source software package that provides an implementation of SSL and TLS used by web servers such as Apache.
At the center of the Heartbleed vulnerability is OpenSSL’s implementation of a function called the “TLS Heartbeat extension” (RFC 6520). It provides a keep-alive function that allows a connection between a client and a server to stay open for extended periods of inactivity. When implemented correctly, the client sends a payload of arbitrary data to the server, which sends back an exact copy of that data to confirm everything is OK.
Vulnerable versions of OpenSSL 1.0.1 fail to check the bounds of a “memcpy()” call: the payload length field supplied by the client is used without being validated against the amount of data actually received. A malicious attacker can trick a vulnerable version of OpenSSL by sending a heartbeat request that claims a payload of 64K but actually carries a much smaller payload. OpenSSL then makes up the difference between the claimed and the actual payload by copying that many bytes from the server’s memory, which can contain sensitive information.
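To make the missing bounds check concrete, here is an added example in C that is not part of this page and not OpenSSL’s own code: a simplified handler for RFC 6520 heartbeat records that includes the length check OpenSSL 1.0.1g added (the claimed payload must fit inside the bytes actually received), run over two constructed records, one well-formed and one that claims a far larger payload than it carries. The function names, the 64-byte output buffer and the sample records are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 6520 heartbeat message types and the minimum padding after the payload */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/*
 * Build a heartbeat response for one received heartbeat request record.
 * rec/rec_len: the bytes actually received and their true length, which the
 * TLS record layer knows (in OpenSSL this is the record's rrec.length).
 * Returns the response length, or -1 if the request is malformed.
 */
long build_heartbeat_response(const uint8_t *rec, size_t rec_len,
                              uint8_t *out, size_t out_cap)
{
    /* Must at least hold type (1) + length (2) + padding (16) */
    if (rec_len < 1 + 2 + HB_PADDING)
        return -1;
    if (rec[0] != HB_REQUEST)
        return -1;

    /* The length field is client-controlled: 0..65535 */
    size_t payload = ((size_t)rec[1] << 8) | rec[2];

    /* The check vulnerable OpenSSL 1.0.1 lacked: the claimed payload plus
       header and padding must fit inside the record actually received.
       Without this, the memcpy below would read past the request into
       whatever else sits in process memory. */
    if (1 + 2 + payload + HB_PADDING > rec_len)
        return -1;

    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap)
        return -1;

    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);         /* now bounded by rec_len */
    memset(out + 3 + payload, 0, HB_PADDING);  /* real code uses random padding */
    return (long)resp_len;
}

/* Constructed sample records for illustration, not captured traffic. */
static const uint8_t good_request[] = {
    HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o',   /* claims 5, carries 5 */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };  /* 16 bytes of padding */
static const uint8_t bad_request[] = {
    HB_REQUEST, 0xff, 0xff, 'h', 'e', 'l', 'l', 'o',   /* claims 65535, carries 5 */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };

/* Well-formed request: expect a 24-byte response echoing the payload. */
long response_length_for_good(void)
{
    uint8_t out[64];
    return build_heartbeat_response(good_request, sizeof good_request, out, sizeof out);
}

/* Returns 1 if the response to the good request echoes "hello" exactly. */
int good_response_echoes_payload(void)
{
    uint8_t out[64];
    long n = build_heartbeat_response(good_request, sizeof good_request, out, sizeof out);
    return n == 24 && out[0] == HB_RESPONSE && memcmp(out + 3, "hello", 5) == 0;
}

/* Oversized claim: the fixed handler rejects it instead of over-reading. */
long response_length_for_bad(void)
{
    uint8_t out[64];
    return build_heartbeat_response(bad_request, sizeof bad_request, out, sizeof out);
}

int main(void)
{
    printf("well-formed request -> response length %ld (echo ok: %d)\n",
           response_length_for_good(), good_response_echoes_payload());
    printf("request claiming 65535 bytes -> result %ld (rejected)\n",
           response_length_for_bad());
    return 0;
}
```

The second record is exactly the shape the text describes: a tiny message whose length field promises far more than it carries. With the check in place the handler returns -1 and copies nothing; without it, the same memcpy would hand back up to 64K of adjacent server memory in the response.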
Under certain circumstances, a malicious attacker may be able to steal user passwords or even a web server’s private cryptographic key using this vulnerability. Once an attacker has the private key for a particular server and website, the key can be used to decrypt captured traffic previously sent to and from the server. It could also be used to facilitate “Man in the Middle” attacks if the attacker can manage to position themselves between the user and the web server whose private key they stole.
This threat exists up until the point where the server gets updated and has the compromised private key removed. It is the main reason why server administrators should regenerate private keys for servers that were running vulnerable versions of OpenSSL.
A very detailed technical write-up can be found at “The Register.”
You can find more information about the vulnerability and mitigation at the following links:
For questions, please contact firstname.lastname@example.org or email@example.com