Recently I have heard a few security terms quite frequently like Heartbleed bug, SSL, TLS and OpenSSL. Well, what are these? In simple words,
SSL: Secure Socket Layer protocol is used to encrypt data on the Internet between clients and servers using different encryption techniques. The encryption is done for the purpose of data integrity and prot
ection.
TLS: Transport Layer Security Protocol is same as SSL; SSL after version 3.0 excellent as TLS 1.0 which is SSL v 3.1 J, so both protocols are used interchangeably! That’s why we can say as SSL/TLS. Both protocol stacks are continuously updated.
OpenSSL: OpenSSL is nothing more than C language code through which all the SSL/TLS protocols are implemented! The main motivation behind OpenSSL was an implementation of above-mentioned security protocols to be used without any cost, for encryption and data protection on the internet. To know more about this open source community driven project, please visit: https://www.openssl.org/about/
So what is Heartbleed bug then? In simplest terms, from http://heartbleed.com/ :
“The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names, and passwords of the users and the real content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.”
This bug was independently discovered by a team of security engineers (Riku, Antti, and Matti) at Codenomicon and Neel Mehta of Google Security, who first reported it to the OpenSSL team. Codenomicon team found a heartbleed bug while improving the SafeGuard feature in Codenomicon’s Defensics security testing tools and reported this bug to the NCSC-FI for vulnerability coordination and reporting to OpenSSL team (Source http://heartbleed.com/).
Versions of OpenSSL affected from Heartbleed bug are:
- OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
- OpenSSL 1.0.1g is NOT vulnerable
- OpenSSL 1.0.0 branch is NOT vulnerable
- OpenSSL 0.9.8 branch is NOT vulnerable
How about operating systems?
Some operating system distributions that have shipped with potentially vulnerable OpenSSL version:
- Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
- Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
- CentOS 6.5, OpenSSL 1.0.1e-15
- Fedora 18, OpenSSL 1.0.1e-4
- OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)
- FreeBSD 10.0 – OpenSSL 1.0.1e 11 Feb 2013
- NetBSD 5.0.2 (OpenSSL 1.0.1e)
- OpenSUSE 12.2 (OpenSSL 1.0.1c)
Operating system distribution with versions that is not vulnerable:
- Debian Squeeze (oldstable), OpenSSL 0.9.8o-4squeeze14
- SUSE Linux Enterprise Server
- FreeBSD 8.4 – OpenSSL 0.9.8y 5 Feb 2013
- FreeBSD 9.2 – OpenSSL 0.9.8y 5 Feb 2013
- FreeBSD 10.0p1 – OpenSSL 1.0.1g (At 8 Apr 18:27:46 2014 UTC)
- FreeBSD Ports – OpenSSL 1.0.1g (At 7 Apr 21:46:40 2014 UTC)
The purpose of above information was to give a detailed cheat sheet to VoIP Engineers about the points to keep in check while implementing telephony solutions. OpenSSL is widely used in open source telephony solutions for different encryption purposes. So if you have deployed your VoIP platform on some servers which are having affected the version of the OpenSSL, then you should:
- Immediately update the version of the SSL to bug fixed version
- Update your all credentials, from server credentials to user credentials
- Generate new Keys, Certificates on your server
Well for small organizations, securing their servers is an important part to avoid toll fraud and other abuses of the services, while for big corporations communication integrity and security is also a big concern. We should take proper measures while implementing Telephony solutions, to protect ourselves from frustrations and monetary losses! In the post-Edward Snowden era Communication, Industry Experts are becoming more and more concerned about Information Security, whether this information is in static form or in moving form! I hope above mentioned guidelines will be helpful in protecting systems from Heartbleed bug and making them a little more secure!
Some good resources to take a look:
- http://tools.ietf.org/html/draft-niccolini-speermint-voipthreats-02#section-3.1
- http://heartbleed.com/
- http://www.sans.org/reading-room/whitepapers/awareness/security-concerns-open-source-software-enterprise-requirements-1305
- http://nerdvittles.com/?p=580
Please feel free to let me know your feedback or queries through your comments!
