What is "Heartbleed"?

"Heartbleed" is the common name being used to refer to a critical security vulnerability found in the OpenSSL TLS Heartbeat system. OpenSSL is a very popular encryption library in widespread use across the Internet. It is considered to be a critical piece of software infrastructure to countless organizations worldwide. It is the library in use on most Open Source systems to enable encryption, such as with HTTPS.

The nature of the vulnerability allowed anyone to retrieve chunks of system memory from a web server with an affected OpenSSL package. This did not require any special network access, such as is the case with a "Man In The Middle" attack which would involve intercepting network packets. Rather this particular vulnerability is considered a major security threat because anyone from anywhere in the world could exploit a vulnerable server to retrieve sensitive information with no special access requirements, and no logs kept of such traffic (logging this type of traffic would be a rare exception under most regular operations).

This makes the Heartbleed vulnerability a much more severe exploit than most. Security updates for potential vulnerabilities are released on a very regular basis (ASAP), but for the most part these vulnerabilities require some level of access into the system to begin with and use that access to gain additional privileges (called "privilege escalation"). Heartbleed is different because anyone could anonymously retrieve arbitrary data from a vulnerable web server; No special access is required. To further complicate this matter, the data exposed via this attack could have included anything running on the system, including highly sensitive information such as user passwords and private encryption keys.

Is OpenConcept Secure?

OpenConcept performs regular security updates on all our servers as well as numerous client-run servers. We perform security updates on our servers at a minimum interval of weekly, with critical infrastructure such as Apache, SSL, SSH, or any other network-enabled service updates applied ASAP, as announced via security mailing lists. Under normal day-to-day conditions we simply perform these updates behind the scenes, as notifications about each security update are unlikely to be helpful to our clients and the impact is usually minimal-to-none.

Due to the widespread and critical nature of the recent OpenSSL TLS Heartbleed Vulnerability, we feel that this time additional information is necessary.

All OpenConcept servers use either Ubuntu Linux or its parent distrubution Debian Linux. Both distributions alerted their users that updated OpenSSL packages were available to address this vulnerability on Monday, April 7, 2014.

The Ubuntu Security Notice was assigned # USN-2165-1
The Debian Security Alert was assigned # DSA-2896

OpenConcept applied these updates immediately on all applicable servers. Encryption key pairs were regenerated. Many of our servers were never vulnerable to this exploit and no action was required.

We have contacted our clients who may have been affected by this issue with instructions.

For more information on this exploit, please visit
http://heartbleed.com/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160