If there’s one thing we noticed about 2014, it was a year of many security announcements. It is becoming obvious that perimeter security is not sufficient and that each constituent system in a network must be treated as a public system, regardless of any assumptions about how exposed it is. Systems will be compromised, and preparing for what to do after an attack is just as important as preventing attacks in the first place.
In any case, we thought we’d do a quick review:
1. OpenSSL Heartbleed
2014 first gave us Heartbleed, a bug in the OpenSSL cryptographic software library that caused implementations with the OpenSSL “heartbeat” function enabled to return memory beyond the heartbeat payload that should have been echoed back, often resulting in the dumping of private keys themselves. This was a big deal, since OpenSSL is the most widely used implementation of SSL/TLS and is responsible for all kinds of web interactions that should remain private.
The OpenSSL team fixed the bug, and everyone should be using version 1.0.1g or newer. If you want to see the Heartbleed attack in action, you can see our capture and blog post about it here.
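The check that the vulnerable OpenSSL versions skipped is the same one a detection rule can apply to captured traffic: the heartbeat’s claimed payload length must fit inside the TLS record (RFC 6520 also requires at least 16 bytes of padding). The parser below is an added example, not code from the original post or from OpenSSL; the two sample records are constructed inline, and the field layout follows RFC 6520.

```python
import struct
from dataclasses import dataclass

HEARTBEAT_CONTENT_TYPE = 0x18  # TLS ContentType for heartbeat records (RFC 6520)
MIN_PADDING = 16               # RFC 6520: a heartbeat carries at least 16 bytes of padding


@dataclass
class HeartbeatCheck:
    message_type: int          # 1 = heartbeat_request, 2 = heartbeat_response
    claimed_payload_len: int   # payload_length field as sent on the wire
    available: int             # bytes the record can actually hold as payload
    verdict: str


def check_heartbeat_record(record: bytes) -> HeartbeatCheck:
    """Parse one TLS record and apply the bounds check that the 1.0.1g fix added.

    This only classifies the record; it never copies or echoes payload bytes, so it
    is suitable for inspecting a capture such as the one linked in the post.
    """
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    content_type, _version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != HEARTBEAT_CONTENT_TYPE:
        raise ValueError("not a heartbeat record")
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("record length field does not match captured bytes")
    if rec_len < 3:
        raise ValueError("heartbeat body too short for type and length fields")
    msg_type, claimed = struct.unpack("!BH", body[:3])
    # The fixed OpenSSL rejects the message when 1 + 2 + payload + 16 > record length.
    available = rec_len - 3 - MIN_PADDING
    if claimed > available:
        verdict = "malformed: claimed payload length exceeds record (Heartbleed pattern)"
    else:
        verdict = "ok"
    return HeartbeatCheck(msg_type, claimed, max(available, 0), verdict)


# Constructed samples: TLS 1.1 heartbeat_request records carrying the 4-byte payload
# "ping" plus 16 bytes of padding (record length 23). The second one declares a
# payload_length of 0x4000 (16384) while actually carrying only 4 bytes.
GOOD_HEARTBEAT = bytes.fromhex("1803020017010004") + b"ping" + bytes(16)
BAD_HEARTBEAT = bytes.fromhex("1803020017014000") + b"ping" + bytes(16)

if __name__ == "__main__":
    for sample in (GOOD_HEARTBEAT, BAD_HEARTBEAT):
        print(check_heartbeat_record(sample))
```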
2. SSL 3.0 POODLE Attack
While SSL itself is an older standard (hopefully replaced by TLS in most implementations), the POODLE attack revolved around a man-in-the-middle forcing an implementation built for backwards compatibility to negotiate down to the older standard, which allowed the attacker to exploit its older cipher suites.
OpenSSL.org has a great summary of the vulnerability here.
3. BASH Environment Variable Vulnerability
This vulnerability affected systems using the BASH Unix shell, allowing attackers to hide system commands inside environment variables passed to scripts. Needless to say, that’s bad - but worse is that it could be used against network services like dhclient (a DHCP client), embedding malicious commands in DHCP options to affect a system running a non-patched version of BASH. We have a capture with an example of this here.
If you’ve upgraded to the latest version of BASH on your system (later than 4.3), you should be fine.