
Security Bulletin: "Heartbleed" bug - what you need to know

Posted on 4/9/2014 5:11:46 PM by Jason Lenardson
Category: Security & Compliance


As the new SSL vulnerability ("Heartbleed" bug) gains nationwide news coverage, you are probably concerned about the impact it could have on your organization.

SSL is a protocol that provides secure transactions on the web. The "Heartbleed" vulnerability that impacts SSL looks to be severe. However, it appears to affect only a specific development branch (v1.0.1) of a popular open source product, OpenSSL. This software is in wide use, especially in Linux-based systems.

If your organization has externally-accessible systems, you may be affected if your systems use OpenSSL libraries. Some, such as regular Linux servers, are easy to check as they will show the exact version information of the OpenSSL package. The difficulty comes with proprietary systems that use OpenSSL, of which there are many. Numerous security appliances, proxies, firewalls, VPN gateways, etc. have Linux-based cores and frequently use OpenSSL for encryption. You may want to call the manufacturer to check if the system uses OpenSSL.
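A small check along the lines of the Linux-server case above, added here as an example and not part of the original bulletin. It assumes the standard `openssl version` output format ("OpenSSL 1.0.1e 11 Feb 2013") and only classifies the branch; it does not prove whether a vendor-patched build is fixed.

```shell
#!/bin/sh
# Added example (not from the Winxnet post): classify an "openssl version"
# string by whether it comes from the 1.0.1 development branch that the
# post names as affected by CVE-2014-0160. Parsing is purely textual, so the
# function runs offline against constructed strings as well as live output.

# Print "affected-branch <ver>", "other-branch <ver>" or "unrecognised".
# Always returns 0 so it is safe to call under "set -e".
openssl_branch_check() {
    ver="$1"
    # Extract the numeric part, e.g. "1.0.1e" from "OpenSSL 1.0.1e 11 Feb 2013".
    num=$(printf '%s\n' "$ver" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    case "$num" in
        "")      echo "unrecognised" ;;
        1.0.1*)  echo "affected-branch $num" ;;
        *)       echo "other-branch $num" ;;
    esac
    return 0
}

# Check the locally installed library when openssl is on the PATH.
# Caveat: distributions patch in place and keep the old version string, so a
# box reporting "1.0.1e" may already carry the fix. Confirm with the package
# changelog or the vendor's advisory rather than the version string alone.
if command -v openssl >/dev/null 2>&1; then
    openssl_branch_check "$(openssl version)"
fi
```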

For more detailed technical information on this bug, see its Common Vulnerabilities and Exposures (CVE) at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160

It is especially important to verify that all of your externally-accessible services are free from this bug. If you have any questions or need help with this or other IT initiatives, please schedule a call with an expert.

The Winxnet Security Team provides information security services to customers throughout New England and the Southeast. Our team is led by Eugene Slobozian, PhD, CISSP, with over 15 years of experience providing Information Security services to businesses in Maine and throughout New England. Winxnet provides managed security services, penetration testing, vulnerability management, social engineering tests, IT Risk Assessments and Virtual Security Officer consulting.