VMware has released two knowledge base articles stating which versions of its software are affected. ESXi 5. Microsoft Azure has confirmed that its services are not affected, but if you are running Linux images on its cloud you might be affected after all.
Even if you are running Linux images on Hyper-V in your own datacenter and expose them to the internet, you could be affected. While in this case Microsoft is not harmed by this specific bug, running a data protection solution on software that is regularly updated and patched against security risks is a best practice and is much less likely to become compromised than closed solutions such as appliances. Veeam therefore always recommends applying Microsoft's patching best practices in your data center.
The only people who can tell you that are those with whom you do business, and you should ask them, within reason. I'll explain that in a moment. SSL is a protocol for moving information across the Web in encrypted form. It forms the basis for all secure transactions on the Internet. Heartbleed is the name of a bug found in the OpenSSL software. See The Heartbeat Bug for an excellent explanation.
The OpenSSL software itself has a bug, which allowed it to be exploited by the bad guys. SSL itself is fine. Systems that do not use OpenSSL were not affected in any way. If you're like me, you've got dozens of sets of login credentials to Web sites far and wide.
But here's the thing - the vast majority of those sites don't store vital information about you. For example, I participate in a number of discussion groups. None of these know anything about me that I don't already make generally public.
For the most part, they don't have a credit card number. Check with your financial institutions first, then with any business that has your social security number, then with any health care or insurance provider. Then you can do the rest. Take notes. This is important. Do not change your password until you have confirmed that the particular site is no longer vulnerable. Like an unwelcome visit from an in-law, Heartbleed is going to be a topic on our minds for quite some time to come.
In the end it may be proclaimed the single biggest system vulnerability of all time. Even though some of these points have been covered here already, Morgan fielded some of my questions on the topic with additional insights. Scott Matteson: What is unique about Heartbleed, and how did this get so big, so fast? Justin Morgan: "What makes Heartbleed unique is that it is a very small bug that has gigantic ramifications. What makes it big is that, unlike previous attacks, which reduced the security of encrypted data in transit, Heartbleed exposes memory on the compromised host itself, both servers and clients.
This means that an attacker could potentially read the contents of other web sessions in memory, or even the keys to the kingdom--the SSL certificate's private key.
JM: "Primarily Unix-like systems, including Linux. However, it's important to realize that these systems may have third-party software installed that has packaged the OpenSSL library. Which version is safe? It's an interesting phenomenon to keep in mind: a critical vulnerability was introduced with new feature code, the TLS heartbeat extension, or RFC. Adopting the bleeding-edge version of critical security libraries will always have this risk." SM: Can you elaborate on the changing of SSL certificates; should any and all public-facing certificates be regenerated, or are there certain stipulations involved?
JM: "Any certificate that was ever hosted on an internet-facing vulnerable version of OpenSSL should be revoked and replaced. The cost of exhaustively evaluating whether a certificate was in jeopardy is almost certainly going to be higher than the cost of simply replacing the certificate.
This is also a good opportunity to make sure that your certificate key length and signature algorithms are 'up to code.'" JM: "Not necessarily. The exploit can only access data that is resident in memory, which is going to be a subset of all the information stored and transmitted by the vulnerable system. However, any application or site a user may have entered their credentials on in the last two years should be updated, and that's probably most of them."
As a side note, key-based authentication to vulnerable systems is not particularly compromised i. SM: How likely is it that this vulnerability has been exploited on a large scale prior to discovery of the bug on April 7?
JM: "It's hard to say. It certainly wouldn't be the first time a vulnerability had been discovered and exploited prior to a fix being developed. However, a successful exploit is difficult to detect even with active monitoring, and nearly impossible retroactively. Given that the bug is over two years old, my gut tells me that large-scale use of an exploit would have been detected, but there's no way to know for sure."
SM: How would you recommend system admins best evaluate their environment to determine which devices are vulnerable to Heartbleed: security scans, a manual check, or something different? JM: "If an organization has a mature configuration management database, the fastest way to take a first pass would be to pull a list of all the installed versions and compare it against the list of vulnerable versions.
It's also important to keep in mind that some distribution ecosystems maintain separate versioning through backports, so administrators should consult their distribution-specific documentation. Online scanners can potentially identify vulnerable servers, and a few have recently popped up. Finally, library version checking and online scanning may not capture third-party software that has packaged up vulnerable OpenSSL libraries.
Even Windows administrators could be running third-party software that is vulnerable, so it's important to inventory your software and review the security bulletins issued by vendors."
They could also leak personal information to hackers when people carry out searches or log into email.
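The first-pass evaluation Morgan describes (pull installed versions from the CMDB, compare against the affected list, and treat distribution backports as a separate question), as an added Python example that is not part of the interview or any vendor's tooling. The affected range is upstream OpenSSL's own (1.0.1 through 1.0.1f and 1.0.2-beta1); the CSV-style inventory rows, the host names and the `distro`/`upstream` source tag are assumptions for the example.

```python
import re
from typing import List, Optional

# Upstream OpenSSL releases carrying the vulnerable heartbeat code: 1.0.1 through
# 1.0.1f and 1.0.2-beta1. 1.0.1g and 1.0.2-beta2 ship the fix; the 0.9.8 and
# 1.0.0 branches never contained the heartbeat extension.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?$")

def upstream_vulnerable(version: str) -> Optional[bool]:
    """True/False for release strings we can classify, None for anything else."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return None
    base = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    letter, beta = m.group(4), m.group(5)
    if base == (1, 0, 1) and not beta:
        return letter <= "f"   # plain 1.0.1 ("") through 1.0.1f affected, 1.0.1g+ fixed
    if base == (1, 0, 2):
        return beta == "1"     # only 1.0.2-beta1; beta2 and the final release are fixed
    if base < (1, 0, 1) or base > (1, 0, 2):
        return False           # no heartbeat extension at all, or a post-fix branch
    return None                # e.g. 1.0.1 betas: consult the advisory instead

def classify(host: str, version: str, distro_package: bool) -> str:
    """Map one inventory row to an action. Distribution packages may carry a
    backported fix under the old upstream version string, so for them an
    affected-looking version is a prompt to read the vendor advisory, not a verdict."""
    verdict = upstream_vulnerable(version)
    if verdict is None:
        return f"{host}: {version} unclassified, check vendor bulletin"
    if not verdict:
        return f"{host}: {version} not affected"
    if distro_package:
        return f"{host}: {version} affected upstream, verify distro patch level"
    return f"{host}: {version} VULNERABLE, patch and replace certificates"

def triage(inventory: List[str]) -> List[str]:
    """Rows are 'host,version,source' with source 'distro' or 'upstream' (assumed CMDB export)."""
    results = []
    for row in inventory:
        host, version, source = (field.strip() for field in row.split(","))
        results.append(classify(host, version, source == "distro"))
    return results

# Constructed sample inventory (hypothetical hosts, not from the page).
SAMPLE = ["web01,1.0.1e,distro", "vpn01,1.0.1f,upstream", "db01,1.0.1g,upstream", "legacy,0.9.8y,distro"]
```

Version strings alone never clear a host running third-party software with its own bundled OpenSSL; those still need the vendor bulletin.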
Attacks using the vulnerability are already in the wild: one lets a hacker look at the cookies of the last person to visit an affected server, revealing personal information.
Connections to Google are not vulnerable, researchers say. SSL is the most common technology used to secure websites. Web servers that use it securely send an encryption key to the visitor; that is then used to protect all other information coming to and from the server.
It is crucial in protecting services like online shopping or banking from eavesdropping, as it renders users immune to so-called man-in-the-middle attacks, where a third party intercepts both streams of traffic and uses them to discover confidential information.
The Heartbleed bug — so called because it exploits a failure in an extension called heartbeat — not only lets attackers read the confidential encrypted data; it also allows them to take the encryption keys used to secure the data. That means that even servers which fix the bug, using a patch supplied by OpenSSL, must also update all their keys or risk remaining vulnerable.
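The failure in the heartbeat extension that the paragraph refers to comes down to one missing comparison, shown here as an added Python example that is not OpenSSL's code: a receiver for the heartbeat message format (type, 16-bit payload length, payload, at least 16 bytes of padding) that discards any message whose declared payload length exceeds the bytes actually received. The message encoder and the zero padding are conveniences for the example.

```python
import struct
from typing import Optional, Tuple

HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16  # RFC 6520: at least 16 bytes of padding follow the payload

def encode_heartbeat(hb_type: int, payload: bytes, declared_len: Optional[int] = None) -> bytes:
    """Serialise a HeartbeatMessage: type(1) | payload_length(2) | payload | padding.
    declared_len lets a test build a message whose length field disagrees with the
    bytes actually present. Padding is random per the RFC; zeros suffice here."""
    length = len(payload) if declared_len is None else declared_len
    return bytes([hb_type]) + struct.pack("!H", length) + payload + bytes(MIN_PADDING)

def parse_heartbeat(record: bytes) -> Optional[Tuple[int, bytes]]:
    """Return (type, payload), or None when the message must be silently discarded.
    The comparison of payload_length against the bytes actually received is the
    check the affected OpenSSL releases lacked: they trusted the peer-supplied
    length and copied that many bytes of process memory into the response."""
    if len(record) < 3:
        return None
    hb_type = record[0]
    payload_len = struct.unpack("!H", record[1:3])[0]
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return None
    # RFC 6520: discard if payload_length + padding exceeds the remaining message length
    if 3 + payload_len + MIN_PADDING > len(record):
        return None
    return hb_type, record[3:3 + payload_len]

def build_response(request: bytes) -> Optional[bytes]:
    """Echo only the validated payload; a rejected request gets no response at all."""
    parsed = parse_heartbeat(request)
    if parsed is None or parsed[0] != HB_REQUEST:
        return None
    return encode_heartbeat(HB_RESPONSE, parsed[1])
```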