Nine Steps to Defeating the Heartbleed Bug


Upgrade OpenSSL to 1.0.1g

Users unable to upgrade OpenSSL to 1.0.1g immediately can instead recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS, which removes the heartbeat extension entirely. The 1.0.2 branch will be fixed in 1.0.2-beta2.

Don't Do It Yourself

Codenomicon warns users to apply the official OpenSSL patch rather than writing their own fix, "even though the actual code fix may appear trivial."

Vulnerable Operating Systems

- Debian Wheezy (stable): OpenSSL 1.0.1e-2+deb7u4
- Ubuntu 12.04.4 LTS: OpenSSL 1.0.1-4ubuntu5.11
- CentOS 6.5: OpenSSL 1.0.1e-15
- Fedora 18: OpenSSL 1.0.1e-4
- OpenBSD 5.3 and 5.4: OpenSSL 1.0.1c (10 May 2012)
- FreeBSD 10.0: OpenSSL 1.0.1e (11 Feb 2013)
- NetBSD 5.0.2: OpenSSL 1.0.1e
- openSUSE 12.2: OpenSSL 1.0.1c

How to Determine Vulnerabilities

Accuvant Labs says the following tools can help determine exposure:
- From the command line, run "openssl version -a" to see the installed version and build options.
- Qualys SSL Labs provides a free, web-based test of any SSL web server on the public Internet.
- A standalone Python tool identifies whether a system is vulnerable.
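The two local checks above (the version string from "openssl version -a", and whether the build carries -DOPENSSL_NO_HEARTBEATS from the recompile workaround) can be scripted. The following POSIX shell script is an added example written for this article, not a tool from Accuvant, Codenomicon or the OpenSSL project. The sample "openssl version -a" outputs embedded in it are constructed; the version ranges it flags (1.0.1 through 1.0.1f, and 1.0.2-beta1) are the upstream releases affected by Heartbleed. One caveat the script cannot resolve on its own: distributions backport the fix without changing the upstream version string (a patched Debian package still reports 1.0.1e), so a "vulnerable" verdict means "confirm against your distribution's package changelog", while "fixed", "disabled" and "not-affected" can be trusted as far as the local build is concerned.

```shell
#!/bin/sh
# Added example: classify `openssl version -a` output for Heartbleed exposure.
# Verdicts: vulnerable | fixed | disabled | not-affected | unknown

# heartbleed_verdict "OUTPUT_OF_openssl_version_-a"
heartbleed_verdict() {
    out="$1"
    # First line looks like "OpenSSL 1.0.1e 11 Feb 2013"; keep the version token only.
    ver=$(printf '%s\n' "$out" | sed -n '1s/^OpenSSL \([^ ]*\).*/\1/p')

    # A build compiled with -DOPENSSL_NO_HEARTBEATS has no heartbeat code at all;
    # the flag shows up on the "compiler:" line of `openssl version -a`.
    if printf '%s\n' "$out" | grep -q 'OPENSSL_NO_HEARTBEATS'; then
        echo disabled
        return 0
    fi

    case "$ver" in
        1.0.1|1.0.1[abcdef]|1.0.1[abcdef]-*) echo vulnerable ;;   # 1.0.1 .. 1.0.1f (incl. "-fips" builds)
        1.0.2-beta1)                          echo vulnerable ;;   # first 1.0.2 beta was affected
        1.0.1*|1.0.2*)                        echo fixed ;;        # 1.0.1g+ and 1.0.2-beta2+
        0.9.*|1.0.0*)                         echo not-affected ;; # heartbeat extension arrived in 1.0.1
        *)                                    echo unknown ;;
    esac
}

# Constructed sample outputs (not captured from real hosts).
SAMPLE_VULNERABLE='OpenSSL 1.0.1e 11 Feb 2013
platform: linux-x86_64
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -O2'
SAMPLE_FIXED='OpenSSL 1.0.1g 7 Apr 2014
platform: linux-x86_64
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -O2'
SAMPLE_DISABLED='OpenSSL 1.0.1e 11 Feb 2013
platform: linux-x86_64
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_NO_HEARTBEATS -DOPENSSL_THREADS -O2'

# Demo over the constructed samples.
for s in "$SAMPLE_VULNERABLE" "$SAMPLE_FIXED" "$SAMPLE_DISABLED"; do
    printf '%s -> %s\n' "$(printf '%s\n' "$s" | head -n 1)" "$(heartbleed_verdict "$s")"
done

# Check the OpenSSL actually installed on this host, if there is one.
command -v openssl >/dev/null 2>&1 &&
    printf 'local openssl -> %s\n' "$(heartbleed_verdict "$(openssl version -a 2>/dev/null)")"
```

The "compiler:" line is why the recompile workaround is detectable at all: a library rebuilt with the heartbeat code removed is not exposed whatever its version string says, so the script checks that line before it looks at the version.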

Perfect Forward Secrecy Can Help

Perfect Forward Secrecy, a server-side option that is rarely enabled but powerful, should protect past communications from retrospective decryption even if the server's private key was exposed, according to Codenomicon.

Contact Your Vendors

Many third-party products and appliances embed OpenSSL and therefore need updates of their own. Many workarounds are not possible without vendor support, says Accuvant, so follow up with your third-party vendors.

Strategic Recommendations

Accuvant recommends:
- Regenerating the SSL private key, starting with externally facing systems.
- Rotating and revoking SSL certificates on externally facing systems.
- Restarting all web servers to terminate any live session IDs that may have been disclosed during an attack.
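The first two recommendations are a key and certificate rotation, and the step that most often goes wrong in practice is reusing the old key when the "new" certificate is requested. The POSIX shell script below is an added example written for this article, not Accuvant's procedure; it assumes the OpenSSL command-line tool is installed, and the hostname and file paths in it are placeholders. It generates a fresh key, builds the certificate signing request (CSR) to send to the CA, and then verifies two things before anything is deployed: that the new key really differs from the old one, and that the CSR carries the new public key rather than the old one.

```shell
#!/bin/sh
# Added example: rotate a server's TLS private key and prove the rotation is real.
set -u
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found; nothing done"; exit 0; }

WORK=$(mktemp -d)                 # scratch directory; stands in for /etc/ssl/private
trap 'rm -rf "$WORK"' EXIT
HOST="www.example.com"            # placeholder hostname for the CSR subject

# Generate a fresh 2048-bit RSA key. The old key must be treated as disclosed
# and is never reused, whatever the renewal portal offers.
gen_key() {   # gen_key PATH
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
    chmod 600 "$1"
}

# Build a CSR for the new key; the CA issues the replacement certificate from it,
# after which the old certificate is revoked.
gen_csr() {   # gen_csr KEY CSR COMMON_NAME
    openssl req -new -key "$1" -out "$2" -subj "/CN=$3" 2>/dev/null
}

# SHA-256 over the PEM public key, usable for both keys and CSRs.
pubkey_fp_of_key() { openssl pkey -in "$1" -pubout 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'; }
pubkey_fp_of_csr() { openssl req -in "$1" -noout -pubkey 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'; }

# Exit 0 only if OLD and NEW are different keys (guards against redeploying the disclosed key).
keys_differ() {   # keys_differ OLD_KEY NEW_KEY
    [ "$(pubkey_fp_of_key "$1")" != "$(pubkey_fp_of_key "$2")" ]
}

# Exit 0 only if the CSR was built from KEY (guards against a CSR made from the old key).
csr_matches_key() {   # csr_matches_key CSR KEY
    [ "$(pubkey_fp_of_csr "$1")" = "$(pubkey_fp_of_key "$2")" ]
}

gen_key "$WORK/old.key"           # stands in for the key that lived on the vulnerable host
gen_key "$WORK/new.key"
gen_csr "$WORK/new.key" "$WORK/new.csr" "$HOST"

keys_differ "$WORK/old.key" "$WORK/new.key" && echo "new key differs from old key: ok"
csr_matches_key "$WORK/new.csr" "$WORK/new.key" && echo "CSR carries the new public key: ok"
# Once the CA has issued the new certificate: install it with new.key, revoke the old
# certificate, then restart the web server (e.g. `service apache2 restart`) so that any
# session IDs disclosed while the old key was in use stop being valid.
```

The fingerprint comparison is cheap and catches the common failure of a renewal that silently reuses the existing key; the third recommendation, restarting the web servers, is left as the closing comment because it depends on the server in use.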

Time for New Passwords

Change passwords for all accounts, including:
- Single sign-on platforms that may have interacted with the host.
- Appliance web interface logins that may use OpenSSL and Apache.
- Active Directory accounts that may have been used for back-end authentication.

Update Browser Configurations

Update browser configurations so that revoked certificates are rejected. Not all browsers check for revoked certificates automatically, including some versions of Chrome and Internet Explorer, according to Accuvant.

Karen A. Frenkel
Karen A. Frenkel is a contributor to CIO Insight. She covers cybersecurity topics such as digital transformation, vulnerabilities, phishing, malware, and information governance.
