Heartbleed, One Year After
ust over a year ago, the tech industry and its customers alike were jolted the by revelation of a new and potentially very serious vulnerability in OpenSSL. Dubbed Heartbleed, or CVE-2014-0160, the security bug affects certain versions of OpenSSL that do not properly handle heartbeat extension packets. This could allow attackers to craft packets that trigger a buffer over-read, resulting in the exposure of sensitive information from clients and servers.
Array’s application delivery controllers and secure access gateways use our own proprietary SSL stack, and thus were not affected by Heartbleed. Many competing products are based on OpenSSL, however, and their respective manufacturers raced to implement patches and fixes to protect their customers.
With the 20-20 hindsight afforded by a year’s distance from the Heartbleed announcement, what has changed and what have we learned?
- Heartbleed wasn’t the first, nor the last. OpenSSL had multiple vulnerability announcements prior to Heartbleed, as well as over the last year. For Man-in-the-Middle (CVE-2014-0224), and ClientHello (CVE-2015-0291), once again neither Array’s AG Series SSL VPNs nor APV Series ADCs were vulnerable due to our proprietary SSL stack. For the FREAK vulnerability (CVE-2015-0204), only certain of our products were affected (i.e. end-of-sale ADCs and SSL VPNs, and some functions of our aCelera™ WAN optimization controllers). New software versions for these products were released and are available on the Array Support site to mitigate these vulnerabilities.
- Security is a mindset, not a feature. SSL/TLS itself, as well as other components of application delivery networking, had vulnerability announcements in the last year. However, as an SSL company, Array eats and breathes security. From the beginning, we’ve been fanatical about removing unnecessary features and loopholes in our software to improve both security and performance. This security mindset paid off with the Bash vulnerability (CVE-2014-6271 et al.), for example, because Array APV and AG Series do not expose Bash for remote access.
- Web and application servers may still be vulnerable to Heartbleed. Security industry firm Venafi recently issued a report that found that as of April 2015, nearly three quarters of Global 2000 firms had public-facing systems that remained vulnerable. The primary reason cited by the report was incomplete remediation, typically by failing to replace SSL keys and certificates. Note that adding a Heartbleed-proof application delivery controller (shameless plug) like Array’s APV Series can provide an additional layer of defense while providing load balancing, SSL offloading and other functions that improve server and application performance.
- The nature of malicious attacks has changed. At the dawn of the Internet, it was mostly kiddie scripters and other idle minds. Now, headline-grabbing malicious attacks are perpetrated by organized criminals (or even nation-states) with a goal of compromising personal financial information, sensitive corporate and government information, and even a nation’s infrastructure. It’s all about money now, or causing real damage, and the stakes are very high.
While OpenSSL is but one potential attack vector, Heartbleed and other OpenSSL vulnerabilities point out the new reality for IT professionals: They must remain ever mindful, ever vigilant, and ever diligent to protect the networks they manage against malicious attacks.
Let’s be careful out there.