Specific recommendations

Transcription

1

2 Background OpenSSL is an open source project which provides a Secure Socket Layer (SSL) V2/V3 and Transport Layer Security (TLS) V1 implementation along with a general purpose cryptographic library. It is widely deployed and utilised. Details Researchers from Google security and Codenomicon have recently discovered a vulnerability in OpenSSL s Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) protocols. Details of this vulnerability were publicly released on 8 April 2014 and numerous proof of concept code samples for exploiting the vulnerability followed. The range of services which may be impacted by proof of concept code is also increasing. The vulnerability lies in the implementation of the Heartbeat extension (RFC6520)[1] known as Heartbleed. By sending specially crafted heartbeat requests a malicious actor can obtain up to 64KB segments stored in memory on the affected device. While each request is limited to 64KB it is possible to use repeated requests to retrieve more 64KB segments. The versions of OpenSSL affected are up to 1.0.1f and beta1 and the vulnerability has been assigned CVE [2]. OpenSSL have released version 1.0.1g which addresses this vulnerability. Proof of concept code exists which can exploit this vulnerability from a malicious client. Proof of concept code also exists where a malicious server can exploit this vulnerability against a vulnerable client. Compromised hosts may show little or no evidence in logs of compromise. Signatures have been released for multiple IDS/IPS systems which may identify Heartbleed traffic. A wide range of services and appliances could potentially use the vulnerable OpenSSL version. This vulnerability is not limited to web servers or https services. For example, proof of concept code exists for StartTLS (used to protect server communications). Lists of vulnerable products are available such as [3, 4]. These should not be considered to be comprehensive and users should liaise with their vendors to ensure that they are

3 aware of impact to deployed products. The range of products that could potentially be affected includes network appliances and other infrastructure equipment. When assessing the potential impact of this event, users need to consider their own circumstances. SSL/TLS termination points will have an effect on the potential information which may have been or could be exposed as a result of this vulnerability. This will also impact on what external stakeholders might be impacted and users will need to carefully consider what they may need to communicate to external parties. While there is presently no reliable indicator of compromise signatures of potential attack traffic are emerging. Where users have historic network traffic captures available they may wish to consider the use of available signatures to process historic traffic. This may give some indication of previous compromise. The situation regarding this vulnerability is very fluid with its exact scope and the products affected still being assessed. Users are advised to closely monitor vendor information and be prepared to act to reduce their vulnerability.

4 Specific recommendations CERT Australia suggests users consider the following specific mitigations to protect against this cyber security risk: Where possible, users should update OpenSSL to version 1.0.1g as soon as possible. Where an upgrade is not possible, it may be possible to instead recompile OpenSSL with the -DOPENSSL_NO_HEARTBEATS flag. Any software that uses OpenSSL would also need to be restarted. For web services, users could consider the use of a reverse proxy service or similar service to act as an SSL end point between vulnerable servers and the internet. Once the OpenSSL implementation has been made safe users should consider generating new keys, obtaining new certificates and revoking previous certificates and keys. Passwords used to access the affected service should be reset only after previous steps have been completed. Cached cookies and session identifiers should be purged from browsers. It may not be immediately clear whether a particular system uses a vulnerable version of the software and users should review systems to obtain visibility on the use of OpenSSL as a third party component in other systems. Many vendors are moving to patch vulnerable systems. Users should liaise with vendors to apply patches where available. Detection signatures are becoming available for IDS/IPS systems. Users check with their particular vendor and should consider use of these where possible.

5 General recommendations CERT Australia suggests users consider the following general mitigations to protect against this and other cyber security risks: Take measures to minimise network exposure for all control system devices. Critical devices should not be directly exposed to the internet. Locate control system networks and remote devices behind firewalls and isolate them from the business network. When remote access is required, use secure methods such as Virtual Private Networks (VPNs) with two factor authentication. Monitor intrusion detection and/or prevention systems, user logs and server logs for suspicious behaviour. Use defence-in-depth methods in system design to restrict and control access to individual products and control networks. Use application white-listing to only allow specifically authorised applications to operate on networks. This mitigation helps prevent malicious software or unauthorised applications from executing. Ensure applications and operating systems are kept up-to-date with the latest software patches. Ensure users are restricted from, or are administratively prohibited from installing unauthorised software and browsing the internet with administrator privileges. Remove, disable, or rename any default system accounts wherever possible. Implement account lockout policies to reduce the risk from brute forcing attempts. Enforce strong passphrase policies to reduce the risk from brute forcing attempts. Monitor the creation of administrator level accounts by third-party vendors. Ensure computer systems are running antivirus software with the latest antivirus signatures. For other mitigation please refer to the Strategies to mitigate targeted electronic intrusions publication. [5] Links [1] [2] [3] 51&SearchOrder=4 [4] [5]

6 Feedback CERT Australia (the CERT) welcomes any feedback you may have with regard to this publication and/or the services we provide or Note: information sent to the above address will be in the clear and not secure. Secure communication channels for sensitive information are available on request. Report an incident Reporting cyber incidents allows us to form a more accurate view of cyber security threats and make sure that businesses receive the right help and advice. All information provided to us is held in the strictest confidence. Secure communication channels for sensitive information are available on request. Business partners who suspect they have been the victim of cyber crime are encouraged to report it to the Australian Federal Police. Cyber crime involves the unauthorised access to or impairment of computer systems and is likely to constitute an offence under the Commonwealth s Criminal Code Act 1995 and/or state and territory criminal laws. About us The CERT is the national computer emergency response team. We are the single point of contact for cyber security issues affecting major Australian businesses. The CERT is part of the Federal Attorney-General s Department, with offices in Canberra and Brisbane. We also work in the Cyber Security Operations Centre, sharing information and working closely with the Australian Security Intelligence Organisation (ASIO), the Australian Federal Police (AFP) and the Australian Signals Directorate (ASD). In addition, we work closely and share information with our international counterparts. This means we are very well connected and informed, so we are best placed to help businesses protect themselves from cyber attacks.

7