Heartbleed Vulnerability

Ektron is taking the Heartbleed vulnerability very seriously and wants to keep you all informed of how it impacts you. Below is a description of what the vulnerability is, what it can affect, and how to mitigate intrusions that exploit it. Ektron sites run on IIS and are therefore unaffected by Heartbleed.

Heartbleed is a vulnerability in OpenSSL affecting versions 1.0.1 and 1.0.2-beta, and is resolved in 1.0.1g and 1.0.2-beta. OpenSSL is a library commonly used by Apache and nginx, and it is also heavily used in embedded systems that support SSL. The specific vulnerability is a missing bounds check (a buffer over-read) in the heartbeat extension, which allows an attacker to read 64 KB of server memory at a time. In unlucky cases that memory can contain user credentials, or even the private SSL key, which would allow the attacker to decrypt all traffic, including past traffic if they have recorded it. Since the attack leaves no trace in server logs, it can be repeated until critical information is leaked.

What you should know is summarized below.

  • Ektron is not vulnerable.
  • IIS is not vulnerable.
  • Talk to your vendors about other equipment you use (load balancers, SSL offloading, proxies, etc.).
  • Most firewalls can be configured to disallow heartbeat requests (this has side effects; patching OpenSSL is preferred).
  • Keep on top of security patches from your vendors, including Microsoft and Ektron, as we regularly provide security updates.
  • If you are on older versions of Ektron, you should strongly consider upgrading, as there are inherent improvements to the security of the product.
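As an added illustration of the heartbeat length check described above, and of the "disallow heartbeat requests" option in the list, here is a small Python scanner over raw TLS records. This is example code written for this note, not Ektron's or OpenSSL's code. It parses each record and, for records of the heartbeat content type, compares the declared payload length with the bytes actually present; a mismatch is exactly the condition that a patched OpenSSL silently discards and that an IDS rule would flag. The sample records, the function names and the `block_all_heartbeats` policy flag are all constructed for the example.

```python
"""Flag TLS heartbeat records whose declared payload length is inconsistent
with the record that carries them (the Heartbleed pattern), and optionally
flag any heartbeat at all, for use in a packet-capture review script.
Example code for this note; the sample records below are constructed."""
import struct

TLS_HEARTBEAT = 24            # TLS record content type for the heartbeat extension
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16              # RFC 6520: at least 16 bytes of padding follow the payload


def parse_tls_records(data: bytes):
    """Yield (content_type, version, body) for each TLS record in `data`.
    Stops at a truncated trailing record instead of raising."""
    off = 0
    while off + 5 <= len(data):
        ctype, ver, length = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) < length:
            break                       # truncated record; nothing more to parse
        yield ctype, ver, body
        off += 5 + length


def inspect_heartbeat(body: bytes) -> dict:
    """Classify one heartbeat record body.
    Wire format: type(1) | payload_length(2) | payload | padding(>=16).
    A message is only valid if 1 + 2 + payload_length + 16 <= len(body);
    the unpatched code trusted payload_length and copied that many bytes
    out of memory regardless of how much the record actually carried."""
    if len(body) < 3:
        return {"verdict": "malformed", "reason": "header too short"}
    hb_type = body[0]
    declared = struct.unpack("!H", body[1:3])[0]
    available = len(body) - 3 - MIN_PADDING   # payload bytes actually present
    if declared > available:
        return {"verdict": "malformed", "type": hb_type, "declared": declared,
                "available": max(available, 0),
                "reason": "declared payload length exceeds record"}
    return {"verdict": "ok", "type": hb_type, "declared": declared}


def scan(data: bytes, block_all_heartbeats: bool = False) -> list:
    """Return a list of findings for the TLS records in `data`.
    With block_all_heartbeats=True, every heartbeat is reported (the
    'disallow heartbeat requests' firewall policy), not just malformed ones."""
    findings = []
    for idx, (ctype, ver, body) in enumerate(parse_tls_records(data)):
        if ctype != TLS_HEARTBEAT:
            continue
        info = inspect_heartbeat(body)
        if block_all_heartbeats and info["verdict"] == "ok":
            info = dict(info, verdict="policy-block",
                        reason="heartbeat messages disallowed by policy")
        if info["verdict"] != "ok":
            findings.append({"record": idx, "tls_version": hex(ver), **info})
    return findings


# Constructed sample stream: a handshake record, a well-formed heartbeat
# request carrying "ping" plus 16 bytes of padding, and a heartbeat whose
# header claims a 1024-byte payload while only 4 bytes are present.
HANDSHAKE = b"\x16\x03\x02\x00\x02\x01\x00"
GOOD_HB = b"\x18\x03\x02\x00\x17" + b"\x01\x00\x04ping" + b"\x00" * 16
BAD_HB = b"\x18\x03\x02\x00\x17" + b"\x01\x04\x00ping" + b"\x00" * 16
SAMPLE = HANDSHAKE + GOOD_HB + BAD_HB

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
    print("with heartbeat ban:", scan(SAMPLE, block_all_heartbeats=True))
```

Running the block reports only the third record by default (declared 1024, available 4); with `block_all_heartbeats=True` the well-formed heartbeat is reported as a policy block as well, which is the behaviour a firewall rule that drops all heartbeats would give you, side effects included.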

There is a site which will test to see if a particular URL or IP is affected for web traffic: http://filippo.io/Heartbleed/

IIS uses Microsoft's own SSL implementation, SChannel, which does not have the vulnerability. However, using Ektron does not by itself mean a customer is unaffected, because other systems may be integrated with the product. Additionally, you may have vulnerabilities in areas unrelated to your web site; your mail server, for example, may be affected if it is configured to use SSL sockets.

Below are some references for further information on this vulnerability:
http://heartbleed.com/

http://www.troyhunt.com/2014/04/everything-you-need-to-know-about.html

http://xkcd.com/1354/