ControlCase

IT Certifications, Continuous Compliance and Cybersecurity Services Provider

You are here: Home / Newsletters / ControlCase Advisory on Heartbleed Security Vulnerability
ControlCase No Tag LOGO md

ControlCase Advisory on Heartbleed Security Vulnerability

This is a security advisory on the “Heartbleed” vulnerability.

What is HeartBleed Bug

The bug, called “Heartbleed”, affects servers running a package called OpenSSL. This is considered a serious vulnerability because of wide use of OpenSSL library by major applications.

The Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on March 14, 2012.
The Bug is in the OpenSSL’s implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (RFC6520). When it is exploited it leads to the leak of memory contents from the server to the client and from the client to the server.

Heartbleed allows reading memory of systems protected by the vulnerable versions of the OpenSSL software. The bug allows an attacker to pull 64k at random from a given server’s working memory. Therefore, anyone could simply pull small bits of data from a server, over and over, until they gain the private keys needed to read all of the information that’s there.

Heartbleed and Open OpenSSL Versions

Vulnerable

OpenSSL 1.0.1 through 1.0.1F (inclusive)

Not Vulnerable

OpenSSL 1.0.1g

OpenSSL 1.0.0 branch

OpenSSL 0.9.8 branch

OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.

How ControlCase CaaS Customers can request test for Heartbleed

ControlCase can perform Heartbleed test for your infrastructure and provide you the results. ControlCase Compliance as a Service (CaaS) customers can request “Heartbleed Test” by using following steps:

    1. Login to IT GRC portal
    2. Click “External PT Scan Form” link on the dashboard

cd2ddc5b-5898-4311-9f66-d37603a72d51

    1. Fill the External Network Penetration Test form with all the details and mention “Hearbleed test” before filling public IP addresses against #6

6a3bb41c-7d39-4094-83a8-b39f9e62ff03

    1. Once form is filled completely, click Notify button on top right corner

737c1035-cb85-4c78-a695-131d6153e12b

How to test if you are vulnerable

Enterprises can test their infrastructure by checking the OpenSSL library version in use on your server and check if that is OpenSSL 1.0.1 through 1.0.1f. This means you are running vulnerable version of OpenSSL. You can also use following experimental free tool to check if your web server is vulnerable.

https://www.ssllabs.com/ssltest/

Individual users should try to avoid connecting to vulnerable sites and services until they notify you of a fix. Changing your password will not help till the bug is fixed by the application vendor. If a site is not vulnerable but doesn’t issue a statement, change your passwords just in case they were vulnerable in the past.

About Us

ControlCase is a global provider of technology-driven compliance and security solutions. ControlCase is committed to partnering with clients to develop strategic information security and compliance programs that are simplified, cost effective and comprehensive in both on-premise and cloud environments.

ControlCase provides the best experts, customer experience and technology for regulations including PCI DSS, GDPR, SOC1, SOC2, SOC3, HIPAA/HITRUSTâ„¢, ISO 27001/2, SSAE16, PIPEDA, FERC/NERC, Sarbanes Oxley (SOX), GLBA, CoBIT, BITS FISAP and EI3PA.

https://www.controlcase.com