What is the Heartbleed bug and are you vulnerable?
The Heartbleed bug (CVE-2014-0160) is a serious vulnerability in the popular OpenSSL cryptographic software library. OpenSSL is an implementation of the SSL/TLS protocols used to protect the privacy of Internet communications. OpenSSL is used by many web sites and other applications such as email, instant messaging, and VPNs.
The Heartbleed vulnerability allows an unauthenticated attacker to read the memory of systems using certain versions of OpenSSL, up to 64 KB of process memory per request, repeated as often as the attacker likes. That memory can contain user names, passwords, session cookies, or even the secret cryptographic keys the server uses for SSL. Obtaining the private key allows malicious users to decrypt recorded traffic to that server (unless forward-secret cipher suites were negotiated) and to impersonate it, opening the way to further exploitation.
Who is affected by Heartbleed?
According to Netcraft data: although 66% of sites use OpenSSL, only 17% are susceptible to the Heartbleed Bug, as of April 8th, 2014.
Given that this vulnerability has existed for at least two years (the affected code shipped with OpenSSL 1.0.1 in March 2012), an organization that has deployed servers running OpenSSL versions 1.0.1 through 1.0.1f (or 1.0.2-beta1) during this timeframe is likely vulnerable to the Heartbleed Bug and should take immediate steps to remediate. The fix is included in OpenSSL 1.0.1g.
Although no successful Heartbleed attacks have been documented to date, that does not mean they have not happened: a malicious heartbeat request leaves no trace in ordinary server logs. Accordingly, even if your organization is not currently vulnerable, it may have been so in the past, and if you have ever deployed the vulnerable OpenSSL versions it should be assumed that full remediation is required: patch, then replace the server's private keys and certificates, and expire any passwords and session tokens that may have been exposed.
While the use of OpenSSL is widespread, whether a particular system is exposed depends on how its copy of OpenSSL was built and configured.
You are not vulnerable if you are:
- not using OpenSSL (there are alternative TLS implementations, and some organizations terminate SSL on dedicated appliances or keep private keys in Hardware Security Modules; note that an HSM protects only the key, so a system that still runs a vulnerable OpenSSL for the TLS session can still leak passwords and session data from memory)
- using OpenSSL compiled without the heartbeat function enabled (built with -DOPENSSL_NO_HEARTBEATS, which removes the code this attack exploits)
- using OpenSSL 1.0.0 or earlier (the heartbeat extension was only added in 1.0.1, so the 0.9.8 and 1.0.0 branches never contained this bug)
- using OpenSSL 1.0.1g or later, or a vendor package that backports the fix
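The conditions in the list above can be checked on a host from the output of openssl version -a. The script below is an added example, not Trend Micro's tool or code from the page: it applies those rules to the first (version) line and to the "compiler:" line, where a build with heartbeats compiled out shows -DOPENSSL_NO_HEARTBEATS. The sample outputs embedded in the block are constructed for illustration, not captured from real hosts, and the binary name "openssl" is assumed to be on PATH.

```python
"""Classify a locally installed OpenSSL from `openssl version -a` output.

Rules, mirroring the list above:
  * 1.0.0 and earlier never contained the heartbeat code      -> unaffected
  * 1.0.1 through 1.0.1f (and 1.0.2-beta1) contain the bug     -> vulnerable,
    unless the build was compiled with -DOPENSSL_NO_HEARTBEATS
  * 1.0.1g and later carry the fix                              -> unaffected
"""
import re
import subprocess

# First line looks like "OpenSSL 1.0.1e 11 Feb 2013" or "OpenSSL 1.0.2-beta1 24 Feb 2014".
VERSION_RE = re.compile(r"^OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)(-beta\d+)?")


def classify_openssl(version_output):
    """Return 'vulnerable', 'heartbeats disabled', 'unaffected' or 'unknown'."""
    lines = version_output.strip().splitlines()
    m = VERSION_RE.match(lines[0]) if lines else None
    if not m:
        return "unknown"                      # not OpenSSL (e.g. LibreSSL) or unparseable
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    letter, beta = m.group(4), m.group(5)

    # 1.0.1 with no letter, or letters a..f, is affected; g and later are fixed.
    affected = ((major, minor, patch) == (1, 0, 1) and letter <= "f") \
        or ((major, minor, patch) == (1, 0, 2) and beta == "-beta1")
    if not affected:
        return "unaffected"

    # The "compiler:" line lists the -D flags the library was built with.
    compiler_line = next((l for l in lines if l.startswith("compiler:")), "")
    if "-DOPENSSL_NO_HEARTBEATS" in compiler_line:
        return "heartbeats disabled"
    return "vulnerable"


def check_local_openssl(binary="openssl"):
    """Run the installed binary (assumed on PATH) and classify its output."""
    out = subprocess.run([binary, "version", "-a"],
                         capture_output=True, text=True, check=True).stdout
    return classify_openssl(out)


# Constructed, abridged sample outputs for illustration only.
SAMPLE_VULNERABLE = """OpenSSL 1.0.1e 11 Feb 2013
built on: Thu Apr  3 12:00:00 UTC 2014
platform: debian-amd64
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -O3
OPENSSLDIR: "/usr/lib/ssl"
"""
SAMPLE_NO_HEARTBEATS = SAMPLE_VULNERABLE.replace("-DZLIB", "-DZLIB -DOPENSSL_NO_HEARTBEATS")
SAMPLE_OLD = "OpenSSL 1.0.0k 5 Feb 2013\nplatform: linux-x86_64\n"
SAMPLE_FIXED = "OpenSSL 1.0.1g 7 Apr 2014\nplatform: linux-x86_64\n"

if __name__ == "__main__":
    for name, sample in [("vulnerable build", SAMPLE_VULNERABLE),
                         ("no-heartbeats build", SAMPLE_NO_HEARTBEATS),
                         ("1.0.0k", SAMPLE_OLD), ("1.0.1g", SAMPLE_FIXED)]:
        print(f"{name}: {classify_openssl(sample)}")
```

One caveat the version line cannot capture: Debian, Ubuntu and Red Hat shipped the fix as a patch to their existing 1.0.1e packages without bumping the reported version, so this check reports such a host as vulnerable. Confirm with the package changelog or a remote heartbeat probe before treating the result as final; the reverse error (a "fixed" verdict for a vulnerable host) does not occur.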
How to check for the Heartbleed vulnerability
If you use OpenSSL and are unsure whether you are affected, public test tools are available that quickly confirm whether a server has the vulnerability: they send a heartbeat request that declares a larger payload than it carries and check whether the server echoes back more data than it was sent. Customers of Trend Micro Deep Security for Web Apps can run a full vulnerability scan on their web applications to check for the Heartbleed bug.
Are Trend Micro products affected?
Trend Micro is thoroughly investigating to see if any of our products and services may be affected by the OpenSSL Heartbleed vulnerability. Check here for updates of our investigations.