Various news reports have confirmed that many web servers are still vulnerable to the Heartbleed bug, which effects Apache servers running SSL. The bug was first reported early in April of this year. Oracle recently released a list of products affected by the Heartbleed OpenSSL vulnerability and hackers appear to be in high gear to exploit Heartbleed.
The scope of the problem has been exposed by a quarterly report for Q2 2014 by Solutionary’s Security Expert Research Team (SERT), concluding that many servers are still vulnerable to the Heartbleed bug. The report took a special look at the heartbleed bug identified earlier this year that could allow a hacker to intercept communication between a browser and a web server using OpenSSL.
SERT found that it was very easy to exploit and that a surprising large number of servers are still vulnerable. As of 06/21/2014, 2 months after the vulnerability was identified and the information necessary to address the problem was made available, 309,147 servers are still vulnerable to Heartbleed.
Who is Vulnerable?
This issue is only a concern if you have installed OpenSSL 1.0.1 through 1.0.1f and OpenSSL 1.0.2-beta. All other SSL implementations and digital certificate users are unaffected, including all users of Microsoft’s IIS web server.
If you are not sure if your affected, Comodo has updated its SSL analysis tool for you to check. Simply enter your address on the following page:
Note: Only enter domains that are using SSL. If this site is busy, you can also use https://sslanalyzer.comodoca.com/
If you are vulnerable, Comodo will work with you to help ensure that your systems are updated with the fixed version of OpenSSL. We will assist you in quickly and easily acquiring a certificate reissuance that may be required as a result of patching OpenSSL. Call +1 888-256-2608 or Email: Enterprisesolutions@comodo.com to speak to an Enterprise SSL expert.
What is the Vulnerability?
A vulnerability in OpenSSL could allow a remote attacker to expose sensitive data, possibly including user authentication credentials and secret keys, through incorrect memory handling in the TLS heartbeat extension. This flaw allows a remote attacker to retrieve private memory of an application that uses the vulnerable OpenSSL library in chunks of 64k at a time.
Discovery of Heartbleed
The Heartbleed bug was uncovered by a group of security engineers from Codenomicon and Neel Mahta from Google Security. On April 7, 2014, they announced vulnerability in the popular OpenSSL cryptographic library to the Internet community. Aptly labeled as the Heartbleed bug, this vulnerability affects OpenSSL versions 1.0.1 through 1.0.1f (inclusive).
It is important to understand that Heartbleed bug is not a flaw in the SSL or TLS protocols; rather, it is a flaw in the OpenSSL implementation of the TLS/DTLS heartbeat functionality. The flaw is not related or introduced by publicly trusted certificates and is instead a problem with server software.
To Upgrade Your Server
Check your package manager for an updated OpenSSL package and install it. If you do not have an updated OpenSSL package, contact your Service Provider to obtain the latest version of OpenSSL and install it.
Only use these workarounds if you cannot upgrade to the latest version of OpenSSL. If you are unable to upgrade to the latest OpenSSL version, do one of the following:
- Rollback to OpenSSL version 1.0.0 or earlier.
- Recompile OpenSSL with the OPENSSL_NO_HEARTBEATS flag.
To Rekey, Reissue, and Revoke Your Certificates
First, you need to rekey and reissue your certificates, which you do by creating a new key pair and Certificate Signing Request (CSR). To replace your certificate, do the following:
1. Log in to your account via https://secure.comodo.com
2. Click on SSL Certificates
3. Find the certificate you would like to replace/re-issue and click Replace
4. Follow all on screen instructions.
Once you have successfully replaced your new certificate, you need to revoke the old one. To do this, log into your account as before, click ‘SSL certificate’, locate the *old* certificate order and click the ‘Revoke’ link.
Again, don’t hesitate to contact firstname.lastname@example.org if you need help with this.