Nine Steps to Defeating the Heartbleed Bug
Upgrade OpenSSL to 1.0.1g
Users unable to upgrade OpenSSL to 1.0.1g immediately can instead recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS, which removes the heartbeat extension altogether. The 1.0.2 beta branch is also affected; its fix arrives in 1.0.2-beta2. Whichever route is taken, restart every service that links OpenSSL (or reboot): a running process keeps the old library mapped in memory until it is restarted, so an upgraded package on disk does not by itself close the hole.
Don't Do It Yourself
Codenomicon warns that "even though the actual code fix may appear trivial," users should apply the official OpenSSL patch rather than hand-editing the code themselves.
Vulnerable Operating Systems
At disclosure, the following releases shipped an affected OpenSSL. The package versions are those current at the time; later builds carrying the same upstream version string may include a backported fix, so check the installed package rather than the version alone:
Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
CentOS 6.5, OpenSSL 1.0.1e-15
Fedora 18, OpenSSL 1.0.1e-4
OpenBSD 5.3 and 5.4, OpenSSL 1.0.1c 10 May 2012
FreeBSD 10.0, OpenSSL 1.0.1e 11 Feb 2013
NetBSD 5.0.2, OpenSSL 1.0.1e
OpenSUSE 12.2, OpenSSL 1.0.1c
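The list above names the versions as shipped, but a host has to be judged from what is actually installed on it. The following is an added example, not code from the article or from any of the vendors it quotes: it reads the output of openssl version -a, applies the public affected range (1.0.1 through 1.0.1f and 1.0.2-beta1; 1.0.1g, 0.9.8 and 1.0.0 are clean) and, for an old version string, uses the "built on" date as a second signal, since distributions backport the fix without bumping the upstream version. The sample outputs are constructed, not captured from real machines.

```python
import re
from datetime import date

# Upstream fixed the bug in OpenSSL 1.0.1g on 7 Apr 2014. Distribution packages
# built on or after that date may carry a backported fix under the old version
# string, so the build date is the second thing to read.
FIX_DATE = date(2014, 4, 7)
MONTHS = {name: num for num, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)(-beta\d+)?")
# Matches the ctime-style stamp, e.g. "built on: Mon Apr  7 20:33:29 UTC 2014"
BUILT_RE = re.compile(
    r"built on:.*?([A-Z][a-z]{2})\s+(\d{1,2})\s+\d{2}:\d{2}:\d{2}\s+\S+\s+(\d{4})")

# Constructed sample outputs of `openssl version -a` (not from real hosts)
SAMPLE_VULNERABLE = "OpenSSL 1.0.1e 11 Feb 2013\nbuilt on: Wed Jan  8 20:58:47 UTC 2014\nplatform: debian-amd64\n"
SAMPLE_BACKPORTED = "OpenSSL 1.0.1e 11 Feb 2013\nbuilt on: Mon Apr  7 20:33:29 UTC 2014\nplatform: debian-amd64\n"
SAMPLE_FIXED = "OpenSSL 1.0.1g 7 Apr 2014\nbuilt on: Tue Apr  8 09:12:00 UTC 2014\nplatform: linux-x86_64\n"
SAMPLE_OLD_BRANCH = "OpenSSL 1.0.0k 5 Feb 2013\nbuilt on: reproducible build, date unspecified\n"
SAMPLE_BETA = "OpenSSL 1.0.2-beta1 24 Feb 2014\nbuilt on: Tue Feb 25 10:00:00 UTC 2014\n"


def parse_version_output(text):
    """Return ((major, minor, patch, letter, beta), build_date_or_None)."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version line found")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    letter, beta = m.group(4), m.group(5) or ""
    built = None
    b = BUILT_RE.search(text)
    if b:
        built = date(int(b.group(3)), MONTHS[b.group(1)], int(b.group(2)))
    return (major, minor, patch, letter, beta), built


def assess(text):
    """Map version output to: vulnerable | patched | likely_backported | not_affected."""
    (major, minor, patch, letter, beta), built = parse_version_output(text)
    if (major, minor, patch) == (1, 0, 2):
        return "vulnerable" if beta == "-beta1" else "patched"  # fix ships in 1.0.2-beta2
    if (major, minor, patch) != (1, 0, 1):
        return "not_affected"        # the 0.9.8 and 1.0.0 branches never had the bug
    if letter >= "g":
        return "patched"             # 1.0.1g and later carry the upstream fix
    if built is not None and built >= FIX_DATE:
        return "likely_backported"   # old string, post-fix build: confirm via changelog or a live probe
    return "vulnerable"


if __name__ == "__main__":
    for sample in (SAMPLE_VULNERABLE, SAMPLE_BACKPORTED, SAMPLE_FIXED, SAMPLE_OLD_BRANCH, SAMPLE_BETA):
        print(sample.splitlines()[0], "->", assess(sample))
```

A "likely_backported" result is a prompt to read the package changelog or run a live heartbeat test, not a clean bill of health; and even "patched" only describes the library on disk, not the processes still running the old one.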
How to Determine Vulnerabilities
Accuvant Labs says the following tools can help determine exposure:
Run openssl version -a from the command line to see the installed version. Versions 1.0.1 through 1.0.1f are affected; because distributions backport fixes without changing the upstream version string, also read the "built on" date, since a build on or after 7 April 2014 may already contain the fix.
Qualys SSL Labs offers a free, web-based test of any SSL web server on the public Internet.
A standalone Python tool tests a host directly and reports whether it is vulnerable.
A version check describes the library on disk; a live test against the running service is what confirms that the processes using it have actually been restarted on the fixed code.
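To make concrete what the live tests above look for, here is an added example that is not the article's code nor that of any of the tools it mentions. It models the heartbeat exchange entirely in memory: a probe that claims a 16 KB payload it does not carry, a handler that behaves like the unpatched code (trusting the claimed length and copying past the end of the record), a handler with the length check that 1.0.1g added, and the verdict a probe draws from the reply. The heartbeat record layout follows RFC 6520; the heap contents are constructed bytes, and the TLS handshake that a real probe must complete before the server will accept a heartbeat is skipped.

```python
import struct

TLS_HEARTBEAT = 0x18            # TLS record content type for heartbeat messages
TLS_VERSION = b"\x03\x02"       # TLS 1.1 in the record header
HB_REQUEST, HB_RESPONSE = 1, 2
PADDING_LEN = 16                # RFC 6520 requires at least 16 bytes of padding


def build_heartbeat(payload, claimed_len=None, padding=PADDING_LEN):
    """Heartbeat request record: type, 16-bit payload_length, payload, padding.
    An honest client sets claimed_len == len(payload)."""
    if claimed_len is None:
        claimed_len = len(payload)
    hb = struct.pack("!BH", HB_REQUEST, claimed_len) + payload + b"\x00" * padding
    return struct.pack("!B2sH", TLS_HEARTBEAT, TLS_VERSION, len(hb)) + hb


def build_probe(claimed_len=0x4000):
    """The classic test message: claims a 16 KB payload but carries none."""
    return build_heartbeat(b"", claimed_len=claimed_len, padding=0)


def parse_record(data):
    """Split one TLS record into (content_type, version, fragment)."""
    ctype, version, length = struct.unpack("!B2sH", data[:5])
    frag = data[5:5 + length]
    if len(frag) != length:
        raise ValueError("truncated TLS record")
    return ctype, version, frag


def reply_record(echoed):
    body = struct.pack("!BH", HB_RESPONSE, len(echoed)) + echoed + b"\x00" * PADDING_LEN
    return struct.pack("!B2sH", TLS_HEARTBEAT, TLS_VERSION, len(body)) + body


def vulnerable_handler(frag, heap_after):
    """Model of the unpatched handler: trusts payload_length and copies that many
    bytes from the payload pointer onward, running off the record into whatever
    follows it on the heap (heap_after stands in for that memory)."""
    hbtype, claimed = struct.unpack("!BH", frag[:3])
    if hbtype != HB_REQUEST:
        return None
    memory = frag[3:] + heap_after
    return reply_record(memory[:claimed])     # claimed is never compared with len(frag)


def patched_handler(frag, heap_after):
    """Model of the 1.0.1g handler: discard any message whose declared length
    does not fit inside the record (RFC 6520 sec. 4 says to drop it silently)."""
    if len(frag) < 1 + 2 + PADDING_LEN:
        return None
    hbtype, claimed = struct.unpack("!BH", frag[:3])
    if hbtype != HB_REQUEST:
        return None
    if 1 + 2 + claimed + PADDING_LEN > len(frag):
        return None
    return reply_record(frag[3:3 + claimed])


def classify(response, sent_payload_len=0):
    """What a probe concludes from the reply (None = the server stayed silent)."""
    if response is None:
        return "not_vulnerable"   # patched, or built with -DOPENSSL_NO_HEARTBEATS
    ctype, _, frag = parse_record(response)
    if ctype != TLS_HEARTBEAT:
        return "inconclusive"
    hbtype, length = struct.unpack("!BH", frag[:3])
    if hbtype == HB_RESPONSE and length > sent_payload_len:
        return "vulnerable"       # echoed more than was sent: memory disclosure
    return "not_vulnerable"


def leaked_bytes(response):
    """Payload the server echoed back, for inspection."""
    if response is None:
        return b""
    _, _, frag = parse_record(response)
    _, length = struct.unpack("!BH", frag[:3])
    return frag[3:3 + length]


# Constructed stand-in for process memory adjacent to the record buffer
HEAP_AFTER = b"...Cookie: session=7c1d9e; user=alice&password=hunter2..."


def run_exchange(handler, payload=None, heap_after=HEAP_AFTER):
    """Drive one request through a handler. payload=None sends the lying probe;
    a bytes payload sends an honest heartbeat. Returns (verdict, echoed bytes)."""
    if payload is None:
        request, sent = build_probe(), 0
    else:
        request, sent = build_heartbeat(payload), len(payload)
    _, _, frag = parse_record(request)
    reply = handler(frag, heap_after)
    return classify(reply, sent), leaked_bytes(reply)


if __name__ == "__main__":
    for name, handler in (("unpatched", vulnerable_handler), ("1.0.1g", patched_handler)):
        verdict, data = run_exchange(handler)
        print(f"{name}: {verdict} {data[:48]!r}")
```

Both handlers answer an honest heartbeat identically; only the lying probe separates them, which is why the fix can be both three lines long and safe to deploy. In a live test a silent server is ambiguous (patched, heartbeats compiled out, or a handshake that never reached the point where heartbeats are accepted), so a real tool reports that distinction rather than folding it into one verdict.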
Perfect Forward Secrecy Can Help
Perfect Forward Secrecy, a server-side option that is rare but powerful, should protect past communications from retrospective decryption even if the server's private key was stolen, according to Codenomicon. It limits the damage from a leaked long-term key only: it does nothing for session keys, cookies or other plaintext that an attacker read directly out of server memory while the bug was exploitable.
Contact Your Vendors
Many third-party products and appliances embed OpenSSL and need updates of their own. Because such workarounds are often impossible without vendor support, says Accuvant, follow up with your third-party vendors.
Strategic Recommendations
Accuvant recommends the following, once systems are patched (a key generated on a still-vulnerable server can be leaked again):
Regenerating SSL private keys, starting with externally facing systems;
Reissuing certificates for the new keys and revoking the old ones on externally facing systems;
Restarting all web servers to terminate any live sessions whose IDs may have been disclosed during an attack.
Time for New Passwords
Change passwords for all accounts that may have passed through an affected server, and do so after the server is patched (a password changed on a still-vulnerable host can be captured again), including:
Single sign-on platforms that may have interacted with the host;
Appliance web interface logins that may run on OpenSSL and Apache;
Active Directory accounts that may have been used for back-end authentication.
Update Browser Configurations
Configure browsers to check certificate revocation so that they reject the old, revoked certificates. Not all browsers check for revoked certificates by default, including some versions of Chrome and Internet Explorer, according to Accuvant.