HeartBleed vulnerability warning for website owners: fix list

New Zealand Internet Task Force is today warning website owners that their site’s security may have been breached and private information may have been stolen after the HeartBleed vulnerability was identified in the last 24 hours. 

Individual web users do not have to do anything; however, website owners are advised to check their sites and patch them where required.

The vulnerability in OpenSSL software, commonly used to secure web sites, is easy to exploit and virtually impossible to detect once it has been exploited. Any web site using a vulnerable version of OpenSSL may have been attacked by criminals stealing data or eavesdropping on communications to and from the site. Now that this vulnerability is widely known, the likelihood of criminals using this exploit is significantly higher.

To fix the vulnerability, website hosts are advised to follow the list below in the order given:

  1. Establish if your site’s servers are vulnerable.
  2. Patch the vulnerable servers.
  3. Revoke/reissue certificates.

1. Establishing if your site is vulnerable

There are a number of online tools available which website owners can use to establish whether their site is vulnerable to this exploit, for example: https://www.ssllabs.com/ssltest/
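As an added example (not part of the task force's advisory), the following Python script triages the output of `openssl version -a` collected from each server for this step. It encodes the upstream releases known to carry CVE-2014-0160 (1.0.1 through 1.0.1f and 1.0.2-beta1) and treats a build date on or after 7 April 2014 as a sign of a backported distribution fix; the fix-date heuristic and the sample banners are assumptions made for the example, and the vendor advisory for your platform remains the authoritative answer.

```python
import re
from datetime import date

# Upstream releases that shipped the vulnerable heartbeat code (CVE-2014-0160):
# 1.0.1 through 1.0.1f and 1.0.2-beta1. 1.0.1g, 1.0.2-beta2, 1.0.0 and 0.9.8 are not affected.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?")
BUILT_RE = re.compile(r"built on:.*?([A-Z][a-z]{2})\s+(\d{1,2})\s+[\d:]+\s+(?:[A-Z]+\s+)?(\d{4})")
MONTHS = {m: i for i, m in enumerate("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
FIX_RELEASE_DATE = date(2014, 4, 7)  # assumption: 1.0.1g and the first distro backports appeared this day

def is_vulnerable_version(version_output: str) -> bool:
    """True if the 'OpenSSL x.y.z' banner names an upstream release that carried the bug."""
    m = VERSION_RE.search(version_output)
    if not m:
        raise ValueError(f"unrecognised OpenSSL banner: {version_output!r}")
    branch = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    letter, beta = m.group(4), m.group(5)
    if branch == (1, 0, 1):
        return letter <= "f"    # "" (1.0.1 itself and its betas) up to 1.0.1f
    if branch == (1, 0, 2):
        return beta == "1"      # only 1.0.2-beta1 carried the bug
    return False

def build_date(version_a_output: str):
    """Date from the 'built on:' line that 'openssl version -a' prints, or None if absent."""
    m = BUILT_RE.search(version_a_output)
    return date(int(m.group(3)), MONTHS[m.group(1)], int(m.group(2))) if m else None

def triage(version_a_output: str) -> str:
    """Classify one host's 'openssl version -a' output for step 1 of the fix list.

    Distributions backport the fix without changing the banner (a fixed Ubuntu package
    still reports 1.0.1e), so a vulnerable banner with a build date on or after the fix
    date is reported as 'check-vendor' rather than as clean: confirm it against the advisory.
    """
    if not is_vulnerable_version(version_a_output):
        return "not-affected"
    built = build_date(version_a_output)
    if built is not None and built >= FIX_RELEASE_DATE:
        return "check-vendor"
    return "vulnerable"

# Constructed sample banners (not captured from real hosts), one per outcome.
SAMPLES = {
    "stock_1_0_1f": "OpenSSL 1.0.1f 6 Jan 2014\nbuilt on: Mon Jan  6 17:41:12 UTC 2014\n",
    "ubuntu_backport": "OpenSSL 1.0.1e 11 Feb 2013\nbuilt on: Mon Apr  7 20:33:29 UTC 2014\n",
    "old_0_9_8": "OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008\nbuilt on: Thu Jun 20 09:51:07 UTC 2013\n",
}
```

Run `openssl version -a` on each server and feed the output to `triage()`; a "check-vendor" result still needs the package changelog or vendor advisory to confirm the backport.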

2. Patching vulnerable servers

Once all vulnerable servers have been identified, website owners should take all vendor-specified steps to ensure that the vulnerability is patched. Below are some resources for different operating systems that describe the patching procedures:

Ubuntu USN-2165-1: OpenSSL vulnerabilities
Ubuntu CVE-2014-0160 detailed information per release
Debian DSA-2896-1 openssl – security update
Red Hat RHSA-2014:0376-1 Red Hat Enterprise Linux 6
Red Hat RHSA-2014:0377-1 Red Hat Storage Native Client for Red Hat Enterprise Linux
CentOS 6 CVE-2014-0160 CentOS 6 openssl heartbleed workaround
Gentoo glsa-201404-07 OpenSSL: Information Disclosure
Novell/Suse SUSE Linux Enterprise Server 11 and older versions with openssl 0.9.8 are not affected. Only openSUSE 12.3 and 13.1 are shipping affected versions currently.
Tor components affected by OpenSSL bug CVE-2014-016

3. Revoking/Reissuing Keys and Certificates

If your server has been compromised, you must revoke your website certificate and have it reissued using new crypto keys.

To do this, you should contact your IT security advisor to ensure these steps are taken. Patching alone will reduce your risk of future data compromise, but cannot protect any data that has already been captured.

Captured data could include the cryptographic keys used to protect the data, as well as user IDs and passwords. You should carry out a risk assessment to determine what the implications are and what to address. Individuals should have separate passwords for different web services, and we recommend changing those passwords frequently.