An edited version of this post originally appeared in GovernmentHealthIT, a HIMSS Media affiliate, after the CVE-2014-0160 bug was publicly disclosed. It was also quoted in FierceHealthIT’s coverage of the bug by Dan Bowman on April 8, 2014.
On Monday, as the greater health IT community was preparing for the Windows XP end-of-life date and the zero-day attacks expected to follow it, another major security vulnerability was disclosed without warning. CVE-2014-0160, nicknamed Heartbleed by the security firm that first publicly disclosed it (because it abuses the TLS heartbeat extension), is a serious vulnerability in the OpenSSL cryptographic library: a single missing bounds check in the code that handles heartbeat messages. SSL/TLS, with servers authenticated by X.509 certificates, provides communication security and privacy over the internet for web applications, mail services and some virtual private networks.
The vulnerability can be exploited to read private keys, usernames, passwords and other sensitive information, such as financial and health records, straight out of a server’s memory. Each malicious heartbeat request lets an attacker read up to 64KB of memory, and the request can be repeated as often as the attacker likes. According to the researchers who disclosed it:
“Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, usernames and passwords, instant messages, emails and business critical documents and communication.”
Furthermore, scripts that are already publicly available can harvest session IDs en masse, allowing unauthorized users to impersonate legitimate ones, access their accounts and data, and change settings. Because the read happens inside the TLS layer and leaves nothing abnormal in application logs, an organization that was not capturing its network traffic has no way to tell whether it has been breached. The bug has existed for over two years; Google reportedly first discovered it sometime last week. The bug itself was a tiny omission, a single missing length check, with widespread ramifications.
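The missing check itself, as an added example that is not code from the original post or from OpenSSL: the two handlers below are a simplified model of OpenSSL’s tls1_process_heartbeat() before and after the 1.0.1g fix, run against a constructed buffer that stands in for the process heap. The record layout (type, two-byte length, payload, 16 bytes of padding) follows RFC 6520; the “secret” placed after the request, the 4096-byte heap array and the function names are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16      /* RFC 6520 requires at least 16 bytes of padding */

typedef struct { unsigned char *buf; size_t len; } hb_output_t;   /* len 0 = discarded */

/* Build a heartbeat request: type || length(2) || payload || padding.
 * claimed_len goes into the length field; only actual_len payload bytes are really sent. */
static size_t build_heartbeat(unsigned char *out, uint16_t claimed_len,
                              const unsigned char *payload, size_t actual_len)
{
    out[0] = TLS1_HB_REQUEST;
    out[1] = (unsigned char)(claimed_len >> 8);
    out[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(out + 3, payload, actual_len);
    memset(out + 3 + actual_len, 0, HB_PADDING);
    return 3 + actual_len + HB_PADDING;
}

/* Shared tail of both handlers: allocate the response and echo `payload` bytes
 * starting at pl, exactly like the memcpy in tls1_process_heartbeat(). */
static hb_output_t build_response(const unsigned char *pl, uint16_t payload)
{
    hb_output_t out;
    out.len = 1 + 2 + (size_t)payload + HB_PADDING;
    out.buf = malloc(out.len);
    unsigned char *bp = out.buf;
    *bp++ = TLS1_HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);           /* s2n(payload, bp) */
    *bp++ = (unsigned char)(payload & 0xff);
    memcpy(bp, pl, payload);   /* if payload > bytes received, this reads past the record */
    memset(bp + payload, 0, HB_PADDING);             /* RAND_pseudo_bytes() in OpenSSL */
    return out;
}

/* As in OpenSSL 1.0.1 through 1.0.1f: the declared length is trusted outright. */
static hb_output_t process_heartbeat_vulnerable(const unsigned char *rec, size_t rec_len)
{
    hb_output_t none = { NULL, 0 };
    (void)rec_len;                                   /* the bug: never consulted */
    unsigned char hbtype = rec[0];
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);   /* n2s(p, payload) */
    if (hbtype != TLS1_HB_REQUEST)
        return none;
    return build_response(rec + 3, payload);
}

/* As fixed in 1.0.1g: discard any record whose declared length does not fit in it. */
static hb_output_t process_heartbeat_fixed(const unsigned char *rec, size_t rec_len)
{
    hb_output_t none = { NULL, 0 };
    if (1 + 2 + HB_PADDING > rec_len)
        return none;                                 /* too short to even hold a length */
    unsigned char hbtype = rec[0];
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len)
        return none;                                 /* silently discard, RFC 6520 sec. 4 */
    if (hbtype != TLS1_HB_REQUEST)
        return none;
    return build_response(rec + 3, payload);
}

static int contains(const unsigned char *hay, size_t hlen, const char *needle)
{
    size_t nlen = strlen(needle);
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0)
            return 1;
    return 0;
}

/* Send one malformed heartbeat through the chosen handler. Returns 1 if the
 * response contains bytes that lay beyond the request in the simulated heap. */
int heartbleed_demo(int use_fixed)
{
    static const char secret[] = "SESSIONID=constructed-demo-secret";   /* constructed, not real */
    unsigned char heap[4096];                        /* stands in for the process heap */
    memset(heap, 0, sizeof heap);

    /* Attacker claims 1024 bytes of payload but actually sends 4. */
    size_t rec_len = build_heartbeat(heap, 1024, (const unsigned char *)"HELO", 4);
    /* A neighbouring allocation happens to sit right after the record in memory. */
    memcpy(heap + rec_len, secret, sizeof secret);

    hb_output_t resp = use_fixed ? process_heartbeat_fixed(heap, rec_len)
                                 : process_heartbeat_vulnerable(heap, rec_len);
    int leaked = resp.len > 0 && contains(resp.buf, resp.len, secret);
    free(resp.buf);
    return leaked;
}

int main(void)
{
    printf("vulnerable handler leaked neighbouring memory: %d\n", heartbleed_demo(0));
    printf("fixed handler leaked neighbouring memory:      %d\n", heartbleed_demo(1));
    return 0;
}
```

The vulnerable handler answers the 23-byte request with a 1,043-byte response that carries 1,024 bytes copied from wherever the record happened to be lying, which here includes the neighbouring “secret”; the fixed handler compares the declared length against what actually arrived and drops the record without replying. In the real library the over-read walks into whatever the heap held at that moment, which is why keys and credentials can surface.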
OpenSSL is the most widely deployed TLS implementation: the two most popular web servers, Apache and nginx, which together serve over 66% of active websites, typically rely on it for secure data transfer. Along with Apache and Linux, it is one of several open-source cornerstone tools that make the internet as we know it possible. Mustafa Al-Bassam, a security researcher known from his LulzSec past, has compiled a rough list of vulnerable websites from the Alexa top 10,000, including Yahoo, StackOverflow, Eventbrite, UCLA, the FBI and more. While this is a good start, it is far from comprehensive, as checks of individual Facebook subdomains show. There are also several tools available for anyone without scripting knowledge who wants to check a specific site.
Particularly interesting is that this is the first bug disclosure to come pre-packaged with its own marketing campaign, complete with a dedicated website, graphic design and its own favicon. That removed the communication barrier from any business prioritization discussion. Instead of the burden of proof being on the engineer to convince management that CVE-2014-0160, which they heard about on a mailing list or buried deep in a forum, is indeed a significant risk, Heartbleed was now a real thing that warranted real attention.
A cursory review of the health IT sector showed a number of web-based EHR platforms to be vulnerable, as are some state health insurance exchange platforms and possibly other health information exchange platforms. Those organizations have been notified privately so they can responsibly address the issue. This particular bug is not a flaw in the SSL/TLS protocol, but a bug in OpenSSL’s implementation of the TLS/DTLS heartbeat extension (RFC 6520). It was accidentally introduced in OpenSSL 1.0.1, released in March 2012, and is fixed in 1.0.1g; releases 1.0.1 through 1.0.1f are affected unless built with OPENSSL_NO_HEARTBEATS, while the 0.9.8 and 1.0.0 branches are not. Note that several Linux distributions backported the fix without changing the reported version number, so check the package changelog rather than relying on the output of openssl version alone.
TLS problems are not new. Between Apple’s “goto fail” bug in February, the ongoing GnuTLS problems and now Monday’s disclosure, it is safe to say that nearly all internet-connected users have had their data exposed recently. Consumers should limit sensitive communications and avoid logging into any web platform until the organization running it has confirmed it is patched. At minimum, change all passwords, but only after the service has been patched, since a password changed on a still-vulnerable server can be stolen just as easily as the old one. Enable two-factor authentication where available and back up important web data. Deleting any extra or expired stored credit card details is also advised, and just good practice.
Vendors should immediately assess their TLS deployments for the Heartbleed vulnerability and update OpenSSL (to 1.0.1g, or to a distribution package carrying the fix) wherever it is used, then restart every service that links the library, since a running process keeps the old code in memory. Remediation should also include a review of the TLS configuration of web and mail services. Since there is no way to tell whether a server has been exploited, vendors need to assume that it has. The safe move is to generate a new private key, obtain a new certificate for it and revoke the old one; reissuing a certificate on the same key protects nothing, because the key itself is what may have leaked. Existing sessions, cookies and API tokens should be invalidated for the same reason.
Additionally, consider enabling perfect forward secrecy (ephemeral Diffie-Hellman key exchange, i.e. DHE or ECDHE cipher suites) so that a future private key compromise cannot be used to decrypt previously recorded traffic. Forward secrecy does not stop Heartbleed itself, which reads process memory directly, so plaintext, passwords and session data are exposed regardless of the key exchange. Organizations also have a duty to proactively notify their user base (Heroku does this exceptionally well), inform them of the potential risk and the remediation actions taken, and tell end users what they can do personally to protect their information.
And of course, the obligatory xkcd.