Skip to content

More Options

OpenSSL Heartbleed: Are You Vulnerable?

Get the facts and expert advice on what to do

 

With the widespread use of OpenSSL across enterprise applications and servers, the newly announced OpenSSL Heartbleed vulnerability has introduced a level of risk and vulnerability that organizations need to take seriously.

You may be asking, "Am I vulnerable?" and "What should I do?"

As a market leader in security, Trend Micro can help you understand and address this vulnerability. Watch our video to learn what you need to know about Heartbleed.

While individuals can find some answers here, straight talk on the issues and what business customers can do follows.


What is the Heartbleed bug and are you vulnerable?

The Heartbleed bug is a serious vulnerability in the popular OpenSSL cryptographic software library. OpenSSL is an implementation of the SSL/TLS encryption protocol used to protect the privacy of Internet communications. OpenSSL is used by many web sites and other applications like email, instant messaging, and VPNs.

The Heartbleed vulnerability allows an attacker to read the memory of systems using certain versions of OpenSSL, potentially allowing them to access user names, passwords, or even the secret cryptographic keys of the server used for SSL. Obtaining these keys would allow malicious users to observe all communications on that system, allowing further exploit.

Who is affected by Heartbleed?

According to Netcraft data: although 66% of sites use OpenSSL, only 17% are susceptible to the Heartbleed Bug, as of April 8th, 2014.

Given that this vulnerability has existed for at least two years, an organization that has deployed servers running OpenSSL (versions 1.0.1 through 1.0.1f) during this timeframe is likely vulnerable to the Heartbleed Bug and should take immediate steps to remediate.

Although there have been no successful Heartbleed attacks documented to date, but that does not mean they have not happened. Accordingly, even if your organization is not currently vulnerable, it may have been so in the past and it should be assumed that remediation is required if you have deployed the vulnerable OpenSSL versions.

While the use of OpenSSL is widespread, the impact of Heartbleed is mitigated depending on the configuration of the systems using it.

You are not vulnerable if you are:

  • not using OpenSSL (there are alternatives and many organizations use Hardware Security Modules instead of software implementation of SSL)
  • using OpenSSL compiled without the heartbeat function enabled (this excludes the heartbeat function being exploited in this attack)
  • using OpenSSL 1.0.0 or earlier (this bug was introduced following this release)

How to check for the Heartbleed vulnerability

If you use OpenSSL and are unsure if you are affected, a Trend Micro test tool is available to quickly confirm if you have the vulnerability. Customers of Trend Micro Deep Security for Web Apps can run a full vulnerability scan on their web applications to check for the Heartbleed bug.

Are Trend Micro products affected?

Trend Micro is thoroughly investigating to see if any of our products and services may be affected by the OpenSSL Heartbleed vulnerability. Check here for updates of our investigations.

How can I protect against vulnerabilities?

Read the Whitepaper from TrendLabs to learn what steps you can take to protect your servers and data.


What should affected organizations do?

If your server currently makes use of OpenSSL 1.0.1 through 1.0.1f, then you likely are vulnerable. Take these steps now:

  • Organizations should upgrade their systems to OpenSSL 1.0.1g or higher. If upgrade is not possible, the current library can be recompiled with the - DOPENSSL_NO_HEARTBEATS flag.
  • Trend Micro™ Deep Security customers have the ability to virtually patch any affected servers and can immediately activate intrusion prevention rules for CVE-2014-0160 (requires latest update DSRU 14-009) to protect servers from this vulnerability. This affords time for the upgrade of the OpenSSL library to 1.0.1g or later and necessary regression testing.
  • Trend Micro™ Deep Discovery customers can enable new Heartbleed detection rules to help ensure a targeted attack is not leveraging this newly publicized vulnerability.

Even if a server is not currently vulnerable, if at any time OpenSSL 1.0.1 through 1.0.1f have been deployed, this bug could have been exploited and there is a small chance that the private cryptographic key used for the SSL/TLS protocol may have been compromised. This is significant as it has the potential to allow an attacker to eavesdrop on all server communications-even if the OpenSSL library has been subsequently upgraded. Accordingly, organizations should reissue their SSL certificates with newly generated keys:

  • If you are a Trend Micro Deep Security for Web Apps customer, you can re-issue your SSL certificates with new keys from their self-service portal in a matter of minutes at no cost.
  • Other organizations should consult their Certification Authority instructions for rekeying/reissuing their certificates.

If a system is or has been vulnerable, organizations should assess the type of information that may have been compromised. In some cases, if sensitive information such as account passwords and credit card numbers has been compromised, organizations may choose to advise their customers of this risk and recommend they update their credentials.


How can you be ready for issues like the Heartbleed Bug?

Countless organizations are spending unplanned days testing and patching their systems in response to this widespread vulnerability. And you can be sure that more unknown vulnerabilities are out there. Trend Micro provides a comprehensive range of security capabilities for endpoints and data centers that can help to both detect issues and protect them from being exploited.

Continuous Vulnerability Scanning. The first step in remediating a bug like Heartbleed is to detect it. Organizations should be continuously testing their deployed web applications for the latest vulnerabilities. Trend Micro Deep Security for Web Apps provides automated application and platform scanning, augmented by logic testing by security experts, providing you actionable insights into vulnerabilities.

Immediate SSL certificate reissue. In response to Heartbleed, affected organizations need to rekey and reissue their SSL certificates—–a time consuming process. Deep Security for Web Apps allows customers to readily rekey their SSL certificates, and reissue them in a matter of minutes, to minimize the time critical systems are exposed to vulnerability. Further, innovative licensing allows customers to issue unlimited publicly rooted SSL certificates for their servers and also upgrade to higher security Extended Validation (EV) certificates at no additional cost.

Instant virtual patching. Upgrading libraries like OpenSSL needs to be done with care to ensure other functionality is not impacted–usually through regression testing. This takes time and prolongs exposure to vulnerability. Trend Micro Deep Security provides advanced intrusion detection and prevention and enables customers to virtually patch systems. This allows immediate blocking and protection from attacks seeking to exploit vulnerabilities without requiring an update to the server configuration, lowering risk and reducing immediate operational impacts.

Detection of targeted attacks: Trend Micro Deep Discovery enables organizations to detect when targeted attacks are happening inside the network. With new rules in place for the Heartbleed bug and a detection rate that leads the industry (See: Trend Micro Deep Discovery Earns Top Breach Detection Score in NSS Labs Testing), Deep Discovery enables customers to protect themselves from targeted attacks both today and in the future.


What You Need to Know About Heartbleed

Video: Mark Nunnikhoven, Trend Micro's principal engineer for cloud and emerging technologies, explains the challenges that organizations face with OpenSSL Heartbleed, what you can do now, and how Trend Micro can help. Watch now.

 
 
 
 
 
 

Follow the Threat Defense Experts for the Latest Updates

Trend Micro threat defense experts are tracking the Heartbleed bug and sharing their findings with you in the following blogs. You can follow the Security Intelligence Blog for the latest developments.

Skipping a Heartbeat: The Analysis of the Heartbleed OpenSSL Vulnerability
A technical review of the vulnerability with recommendations on how to address it.

Heartbleed Vulnerability Affects 5% of Select Top Level Domains from Top 1M
A breakdown of vulnerable sites per country.

Heartbleed Bug—Mobile Apps are Affected Too
Recommendation: lay off the in-app purchases or any financial transactions for a while (including banking activities), until your favorite app’s developer releases a patch that does away with the vulnerability.

Don’t Have Heartburn Over the Heartbleed Vulnerability
Advice for your Mom. Don’t panic. Let your websites fix this.

Heartbleed—One Week In
Now we have hard evidence that hackers can exploit this vulnerability.


Free Heartbleed Scanners

To help you protect against the Heartbleed bug that is eroding SSL security features on websites worldwide, Trend Micro has released two free Heartbleed scanners for computers. The scanners are designed to verify whether you are communicating with servers that have been compromised by the Heartbleed bug.
 

Heartbleed Detector (Chrome Browser plug-in)

Available for Mac and Windows-based computer users, the Trend Micro Heartbleed Detector is a multi-platform plug-in for Chrome that enables you to check for vulnerable URLs.

Easily check if any website suffers from the Heartbleed vulnerability to avoid putting your security at risk.

Install Now with a single click!


Connect with us on