OpenSSL Heartbleed Vulnerability
Date: 11 April 2014
The purpose of this Alert is to bring attention to a vulnerability in OpenSSL which can be used to expose private data to an attacker.
CCIRC is aware of a recently disclosed vulnerability in OpenSSL's implementation of the heartbeat extension for Transport Layer Security (TLS) and Datagram TLS (DTLS). This vulnerability could be remotely exploited by attackers, without user interaction, to repeatedly intercept and access secure traffic, resulting in potential exposure of credentials, including passwords, and secret encryption keys. The flaw allows an attacker to retrieve private data from the memory of vulnerable applications in chunks of 64 kb at a time, and the request can be repeated as often as required to obtain further private data.
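The defect behind this alert is a missing length check in the heartbeat handler: the peer supplies a payload length, and the handler echoes that many bytes back without confirming that the record it received is actually that long. The following is an added illustration written for this page, not OpenSSL's own code; it models the RFC 6520 heartbeat layout (type, two-byte length, payload, at least 16 bytes of padding) on a constructed in-memory buffer, with the vulnerable pattern beside the hardened one. All function and constant names (`heartbeat_vulnerable`, `heartbeat_fixed`, `hb_demo_setup`, `HB_PADDING`) are assumptions for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified heartbeat message layout (RFC 6520):
 *   1 byte  type (1 = request, 2 = response)
 *   2 bytes payload_length, big-endian
 *   N bytes payload
 *   >= 16 bytes padding
 * Names below are assumptions for this example; this is not OpenSSL code. */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_HDR_LEN   3
#define HB_PADDING   16

static uint16_t read_u16(const unsigned char *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Shared response builder: echoes payload_len bytes starting at rec + 3. */
static long build_response(const unsigned char *rec, uint16_t payload_len,
                           unsigned char *out, size_t out_cap)
{
    size_t total = HB_HDR_LEN + (size_t)payload_len + HB_PADDING;
    if (total > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload_len >> 8);
    out[2] = (unsigned char)(payload_len & 0xff);
    memcpy(out + HB_HDR_LEN, rec + HB_HDR_LEN, payload_len);   /* the echo */
    memset(out + HB_HDR_LEN + payload_len, 0, HB_PADDING);     /* padding (zeros here) */
    return (long)total;
}

/* Vulnerable pattern: trusts the peer-supplied payload_length and never
 * compares it with the length of the record actually received, so the echo
 * copies whatever happens to follow the record in process memory. */
long heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                          unsigned char *out, size_t out_cap)
{
    if (rec_len < HB_HDR_LEN || rec[0] != HB_REQUEST) return -1;
    uint16_t payload_len = read_u16(rec + 1);
    return build_response(rec, payload_len, out, out_cap);
}

/* Hardened pattern: the record must be large enough to hold the header, the
 * claimed payload and the minimum padding; otherwise it is dropped silently. */
long heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                     unsigned char *out, size_t out_cap)
{
    if (rec_len < HB_HDR_LEN || rec[0] != HB_REQUEST) return -1;
    uint16_t payload_len = read_u16(rec + 1);
    if (HB_HDR_LEN + (size_t)payload_len + HB_PADDING > rec_len) return -1;
    return build_response(rec, payload_len, out, out_cap);
}

unsigned char hb_mem[128];                            /* constructed "process memory" */
unsigned char hb_out[HB_HDR_LEN + 65535 + HB_PADDING]; /* largest possible response */

/* Constructed scenario: a 21-byte request claiming a 64-byte payload but
 * carrying only "hi", followed by unrelated sensitive bytes. Returns the
 * length of the record that actually arrived. */
size_t hb_demo_setup(void)
{
    memset(hb_mem, 0, sizeof hb_mem);
    hb_mem[0] = HB_REQUEST;
    hb_mem[1] = 0x00; hb_mem[2] = 0x40;               /* claimed payload_length = 64 */
    hb_mem[3] = 'h';  hb_mem[4] = 'i';                /* actual 2-byte payload */
    /* bytes 5..20 are the 16-byte padding (zeros); the record ends at offset 21 */
    memcpy(hb_mem + 21, "SECRET_KEY_MATERIAL", 19);  /* lies beyond the record */
    return HB_HDR_LEN + 2 + HB_PADDING;               /* 21 */
}

/* Returns 1 if the handler's echo reproduces the bytes that lie beyond the record. */
int echo_leaks_beyond_record(long (*handler)(const unsigned char *, size_t,
                                             unsigned char *, size_t))
{
    size_t rec_len = hb_demo_setup();
    long n = handler(hb_mem, rec_len, hb_out, sizeof hb_out);
    return n >= 40 && memcmp(hb_out + 21, "SECRET_KEY_MATERIAL", 19) == 0;
}

int main(void)
{
    size_t rec_len = hb_demo_setup();
    long n = heartbeat_vulnerable(hb_mem, rec_len, hb_out, sizeof hb_out);
    printf("vulnerable handler echoed %ld bytes for a %zu-byte record\n", n, rec_len);
    printf("fixed handler returned %ld (record dropped)\n",
           heartbeat_fixed(hb_mem, rec_len, hb_out, sizeof hb_out));
    return 0;
}
```

The point to take from the two handlers is that the only difference is the single comparison against `rec_len`; the response size is still chosen by the peer, so the check has to be on the received record, not on the output buffer.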
CVE Reference: CVE-2014-0160
Affected versions: OpenSSL versions from 1.0.1 to 1.0.1f and 1.0.2-beta. The vulnerability has been fixed in OpenSSL 1.0.1g, but the 1.0.2-beta has not yet been patched.
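A first triage step is to compare the version string that `openssl version` prints against the range above. The function below is an added example for this page, not part of the alert or of OpenSSL; its name `heartbleed_affected_version` is an assumption. It treats 1.0.1 through 1.0.1f and any 1.0.2-beta build as affected and everything else as out of range.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Returns true when an upstream OpenSSL version string falls inside the
 * affected range named in this alert: 1.0.1 through 1.0.1f, or any
 * 1.0.2-beta build. Accepts a bare version ("1.0.1e") or the first line
 * printed by `openssl version` ("OpenSSL 1.0.1e 11 Feb 2013").
 * The function name is an assumption for this example. */
bool heartbleed_affected_version(const char *s)
{
    if (strncmp(s, "OpenSSL ", 8) == 0)
        s += 8;                          /* drop the tool's prefix */

    if (strncmp(s, "1.0.2-beta", 10) == 0)
        return true;                     /* not yet patched at the time of the alert */

    if (strncmp(s, "1.0.1", 5) != 0)
        return false;                    /* 0.9.8 and 1.0.0 never shipped the heartbeat code */

    unsigned char tag = (unsigned char)s[5];
    if (tag == '\0' || isspace(tag))
        return true;                     /* plain 1.0.1 */
    if (!islower(tag))
        return false;                    /* not a letter release; outside this check */

    return tag <= 'f';                   /* a..f affected, g carries the fix */
}

int main(void)
{
    /* Constructed sample strings in the format `openssl version` prints. */
    const char *samples[] = { "OpenSSL 1.0.1e 11 Feb 2013", "1.0.1f", "1.0.1",
                              "OpenSSL 1.0.1g 7 Apr 2014", "1.0.2-beta1",
                              "OpenSSL 1.0.0l" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-28s %s\n", samples[i],
               heartbleed_affected_version(samples[i]) ? "AFFECTED (upstream range)"
                                                       : "not in range");
    return 0;
}
```

The caveat is that the upstream string alone is not conclusive on distributions that backport fixes: the list below shows Debian Wheezy fixed in 1.0.1e-2+deb7u5, which still reports 1.0.1e. Treat a hit as "check the package changelog or vendor notice", not as a confirmed vulnerable host.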
Many vendors have begun to issue patches. Please consult your vendor's website for information addressing this vulnerability. Listed below is a partial list of vendors that have disclosed affected products; for the complete list, please consult the references at the end of this alert.
Vulnerable Linux and BSD distributions include:
Red Hat Enterprise Linux 6.5 (OpenSSL 1.0.1e)
Debian Wheezy (fixed in version 1.0.1e-2+deb7u5)
Ubuntu 12.04 LTS, 13.04 and 13.10
Gentoo Linux
Slackware 14.0, 14.1 and current
OpenBSD 5.3 and 5.4
FreeBSD, versions 10.x
NetBSD, versions 6.1 - 6.1.3 and 6.0 - 6.0.4
Mandriva Business Server 1
Software using a vulnerable version of OpenSSL includes:
Cisco AnyConnect Secure Mobility Client for iOS
Cisco Desktop Collaboration Experience DX650
Cisco Unified 7800 series IP Phones
Cisco Unified 8961 IP Phone
Cisco Unified 9951 IP Phone
Cisco Unified 9971 IP Phone
Cisco TelePresence Video Communication Server (VCS)
Cisco IOS XE
Cisco UCS B-Series (Blade) Servers
Cisco UCS C-Series (Stand alone Rack) Servers
Cisco Unified Communication Manager (UCM) 10.0
FortiGate FortiOS 5.0.5 and 5.0.6
Junos OS 13.3R1
Juniper Odyssey client 5.6r5 and newer
Juniper SSL VPN (IVEOS) 7.4r1 and newer
Juniper SSL VPN (IVEOS) 8.0r1 and newer
Juniper UAC 4.4r1 and newer
Juniper UAC 5.0r1 and newer
Juniper Junos Pulse (Desktop) 5.0r1 and newer
Juniper Junos Pulse (Desktop) 4.0r5 and newer
Juniper Network Connect (windows) versions 7.4R5 - 7.4R9.1 & 8.0R1 to 8.0R3.1
Juniper Junos Pulse (Mobile) on Android 4.2R1 and newer
Juniper Junos Pulse (Mobile) on iOS 4.2R1
F5 BIG-IP LTM versions 11.5.0 - 11.5.1
F5 BIG-IP AAM versions 11.5.0 - 11.5.1
F5 BIG-IP AFM versions 11.5.0 - 11.5.1
F5 BIG-IP Analytics versions 11.5.0 - 11.5.1
F5 BIG-IP APM versions 11.5.0 - 11.5.1
F5 BIG-IP ASM versions 11.5.0 - 11.5.1
F5 BIG-IP GTM versions 11.5.0 - 11.5.1
F5 BIG-IP Link Controller 11.5.0 - 11.5.1
F5 BIG-IP PEM versions 11.5.0 - 11.5.1
F5 BIG-IP PSM versions 11.5.0 - 11.5.1
F5 BIG-IP Edge Clients for Apple iOS versions 2.0.0 - 2.0.1 and 1.0.5
F5 BIG-IP Edge Clients for Linux versions 7080 - 7101
F5 BIG-IP Edge Clients for Mac OS X versions 7080 - 7101 and 6035 - 7071
F5 BIG-IP Edge Clients for Windows versions 7080 - 7101 and 6035 - 7071
OpenVPN 2.3-rc2-I001 - 2.3.2-I003
Aruba ArubaOS versions 6.3.x, 6.4.x
Aruba ClearPass versions 6.1.x, 6.2.x, 6.3.x
Viscosity before version 1.4.8
WatchGuard XTM and XCS before version 11.8.3 CSP
Blue Coat Content Analysis System versions 126.96.36.199 - 188.8.131.52
Blue Coat Malware Analysis Appliance version 1.1.1
Blue Coat ProxyAV versions 184.108.40.206 - 220.127.116.11
Blue Coat ProxySG versions 18.104.22.168 - 22.214.171.124
Blue Coat SSL Visibility 3.7.0
Jolla Android 4.1.1
CCIRC recommends that system administrators test and deploy the vendor released updates to affected platforms accordingly.
- Those who are unable to immediately upgrade can consider disabling the affected component. This can be done by recompiling OpenSSL with the configuration option -DOPENSSL_NO_HEARTBEATS, which removes the heartbeat extension entirely.
- Due to the inability to confirm if a server has been exploited, system administrators should consider revoking their certificates/private keys and have new ones issued.
- Consider clearing cached sessions.
- CCIRC recommends that users consider changing passwords for their accounts, but only after the vulnerability has been addressed and confirmed by the web site owner. Changing passwords before the vulnerability has been addressed may still leave users vulnerable. Users are encouraged to monitor their online accounts, including email, banking and social media, for suspicious activity and to be wary of any emails or online forms requesting personal information.
- Users are encouraged to familiarize themselves with how to spot phishing emails. Attackers have been known to use high-profile events such as this to send phishing emails targeting personal information. Consult Public Safety's Get Cyber Safe and the Canadian Anti-Fraud Centre for more information on how to spot a phishing email.
CCIRC's AV14-017 OpenSSL Vulnerability
US-CERT Alert (TA14-098A) OpenSSL 'Heartbleed' vulnerability (CVE-2014-0160) http://www.us-cert.gov/ncas/alerts/TA14-098A
ICS-CERT Alert on OpenSSL Vulnerability
NCSC-FI Advisory on OpenSSL
CERT-UK Heartbleed Bug
Canadian Anti-Fraud Centre
Public Safety's Get Cyber Safe
'Heartbleed' Bug Exposes Passwords, Web Site Encryption Keys http://krebsonsecurity.com/2014/04/heartbleed-bug-exposes-passwords-web-site-encryption-keys/
Note to Readers
In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.
Please note that CCIRC's PGP key has recently been updated.
For general information, please contact Public Safety Canada's Public Affairs division at:
Telephone: 613-944-4875 or 1-800-830-3118