"Heartbleed" — a Critical Vulnerability in OpenSSL
The Internet is abuzz with news of the "Heartbleed" bug that affected the security of the majority of web servers in the world, as well as other computer systems that rely on OpenSSL code. This bug is serious, but its immediate impact at Stanford is not cause for alarm. Here's what we know about how Heartbleed affects Stanford's systems and users today.
Stanford's central authentication systems were not affected
We have confirmed that Stanford's central authentication systems were not vulnerable to Heartbleed. In particular, the WebLogin system never ran a version of the OpenSSL library that was vulnerable to Heartbleed, so no account credentials were in danger there. Stanford's central email system, Zimbra, does not accept credentials through the services that depend on OpenSSL, so no account credentials were in danger there either.
Administrators of affected servers have been notified
The Information Security Office started scanning the campus for vulnerable machines as soon as the tools became available, and the administrators of servers found to be susceptible to the Heartbleed bug were notified directly on April 8. Most systems were patched or taken offline immediately.
Most end-user devices are not vulnerable
The two major desktop operating systems on campus, Windows and OS X, do not incorporate the vulnerable OpenSSL libraries. Mobile devices running iOS are also unaffected, as are most Android devices.
But some end-user devices are...
Desktops running Linux typically do incorporate OpenSSL and should be patched as soon as possible. Android devices that have version 4.1.1 of Jelly Bean are also vulnerable, and should be patched as soon as the carrier allows it.
Note that the risk to end-user devices is different from the risk to servers. A vulnerable server might expose sensitive information to anyone on the internet who connects to it, whereas a vulnerable endpoint (which does not accept incoming connections) would only potentially expose information to a hostile machine to which it actively initiates a connection. This is theoretically possible to arrange but a lot harder to pull off undetected, and we have no information to indicate that it has been attempted in the wild.
There's a lot we don't know
Once systems are up to date, the next top priority is damage control, but it's hard to know what the damage really is. Heartbleed exposes unpredictable chunks of memory from a vulnerable machine, but there's no way to go back and find out for sure what (if anything) was exposed. The bug has been around for over two years and was just announced publicly last week. The attack leaves no trace, so there's just no way to know how many or how few people knew about it or whether it was widely exploited.
What do we do now?
For web server administrators, the prudent thing to do is to create a new private key, use it to obtain a new site certificate, and revoke the old certificate. If the system does its own authentication (i.e., it doesn't use WebAuth), then users of that system should be alerted to change their passwords after the system and its cert have been updated.
For end users, the cautious choice would be to change passwords on any systems they believe were affected, but only after they know the system's software and private keys have been updated. This is not an easy thing for most people to verify.
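The key-rotation procedure for server administrators above, and the verification step that is hard for end users, can both be scripted with the openssl command-line tool. The following is an added example written for this page, not a script from Stanford or the OpenSSL project. It assumes the openssl CLI is installed; the host name www.example.edu, the file names under WORKDIR, and the self-signed stand-in certificate (which takes the place of the replacement certificate a real CA would issue from the CSR) are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example: rotate a web server's TLS private key after Heartbleed
# and confirm that the certificate now in use carries the NEW key.
# Assumes the openssl CLI; host name and paths are placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
SITE="${SITE:-www.example.edu}"   # placeholder host name

# Step 1: generate a brand-new private key. Never reuse the old one: its
# bytes may have been read out of process memory while the server was
# vulnerable, so a new certificate on the old key buys nothing.
make_new_key() {
    openssl genrsa -out "$WORKDIR/new.key" 2048 2>/dev/null
    chmod 600 "$WORKDIR/new.key"
}

# Step 2: build a certificate signing request from the new key. This CSR
# is what you submit to your CA for the replacement certificate.
make_csr() {
    openssl req -new -key "$WORKDIR/new.key" -subj "/CN=$SITE" \
        -out "$WORKDIR/new.csr"
}

# Stand-in for the CA: self-sign the CSR so the example runs offline.
# In production, install the certificate the CA returns instead.
sign_stand_in_cert() {
    openssl x509 -req -in "$WORKDIR/new.csr" -signkey "$WORKDIR/new.key" \
        -days 1 -out "$WORKDIR/new.crt" 2>/dev/null
}

# SHA-256 fingerprint of the public key (DER SubjectPublicKeyInfo) found
# in a private key file ("key") or a certificate ("cert"). Two files with
# the same fingerprint contain the same key pair.
spki_fingerprint() {
    case "$2" in
        key)  openssl pkey -in "$1" -pubout -outform DER 2>/dev/null ;;
        cert) openssl x509 -in "$1" -pubkey -noout \
                  | openssl pkey -pubin -outform DER 2>/dev/null ;;
    esac | openssl dgst -sha256 | awk '{print $NF}'
}

# Step 3 (verification): succeed only if the certificate's key differs
# from the old private key, i.e. the key really was rotated and not just
# re-certified. $1 = old private key, $2 = certificate now deployed.
key_was_rotated() {
    [ "$(spki_fingerprint "$1" key)" != "$(spki_fingerprint "$2" cert)" ]
}

# Fingerprint of the key a live server is actually presenting, so the
# check can be run against the deployed site rather than local files.
# Needs network access; not exercised offline.
served_key_fingerprint() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -pubkey -noout \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Run the whole procedure against an existing old key and report.
rotate_and_verify() {
    make_new_key
    make_csr
    sign_stand_in_cert
    if key_was_rotated "$1" "$WORKDIR/new.crt"; then
        echo "rotated: new certificate uses a different key than $1"
    else
        echo "NOT rotated: certificate still carries the old key" >&2
        return 1
    fi
}
```

Usage: `rotate_and_verify /etc/ssl/private/old.key` (path is a placeholder) generates the new key and CSR, and only reports success when the resulting certificate's public key differs from the old key. After the real CA-issued certificate is installed, compare `spki_fingerprint new.key key` with `served_key_fingerprint www.example.edu`: a match confirms the server is serving the new key, and an end user who knows a site's old fingerprint can use the same comparison to see whether it has actually changed. Revoking the old certificate is done through the CA's revocation interface and is not scripted here.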
Fortunately, most Stanford users do not have to do anything further to protect their SUNet credentials. The central systems were unaffected, and SUNet accounts are further protected by Two Step Authentication in most cases.
What about systems outside of Stanford?
If you log into outside services such as Box or Google Docs using Stanford's WebLogin, then your password is not exposed outside Stanford. For services that do not use Stanford's WebLogin, your best bet is to avoid them until the vendor has announced that their systems are safe from Heartbleed, at which point you should change your password. It should go without saying, but please do not use your SUNet password for anything other than your SUNet account. If a service offers Two Step Authentication, you should take advantage of it.
What about the future?
We're sure to hear more about the possible worldwide impact of Heartbleed for a little while, but due to the silent nature of the vulnerability we're unlikely to ever know how much damage (if any) was really caused. Unless new information comes to light, the best we can do is take precautions going forward.
More information about Heartbleed
You can spend all day reading about Heartbleed with a simple web search, so here are just a few links to get you started.
- The original announcement of the Heartbleed bug
- Heartbleed Explanation
- Webcomic XKCD's non-technical description of how Heartbleed works
- The Heartbleed Hit List
- Mashable's round-up of status announcements from many major internet services