- Heartbleed is a critical vulnerability in OpenSSL, and can lead to total compromise of any server running any OpenSSL-enabled application.
- The impact extends far beyond websites using SSL encryption, affecting internal networks of enterprises for years to come.
- Palo Alto Networks is protecting customers from the full spectrum of the threat today.
We know how important SSL is to the modern Internet, and how the Heartbleed vulnerability (CVE-2014-0160: OpenSSL Private Key Disclosure Vulnerability) compromised the integrity of communications across the entire Web. What hasn’t been looked at until now is just how much deeper this rabbit hole goes. Sorry Alice, it's not pretty.
How Heartbleed works:
We already know the issue (an attacker can steal random 64KB chunks of memory via SSL heartbeats). But there's a key detail often overlooked: any vulnerable SSL service on the machine compromises the entire machine. For example, the SSL VPN server an IT admin uses to remotely connect to a machine? A common VOIP service being secured by SSL? The IRC server hosted behind an SSL login? Each and every single internal and external application using a vulnerable version of SSL needs to be fully patched, or the entire server is still fully compromised. You must consider the scope of all the SSL-enabled applications, whether commercially available or built in-house that an average organization uses to understand Heartbleed’s impact.
Up until now, the story of Heartbleed’s impact has been focused on the compromise of HTTPS-enabled websites and web applications, such as Yahoo!, Google, Dropbox, Facebook, online banking, and the thousands of other vulnerable targets on the web. These are of huge impact, but those sites will all be updated within the next few weeks, and the media frenzy will quiet out, and the world will move on, believing Heartbleed is behind us.
For security professionals, this is only the tip of the iceberg. The vulnerability puts the tools once reserved for truly advanced threats into the hands of the average attacker – notably, the ability to breach organizations, and move laterally within them. Most enterprises of even moderate size do not have a good handle on what services they are running internally using SSL encryption. Without this baseline knowledge, it is extremely difficult for security teams to harden their internal attack surface against the credential and data stealing tools Heartbleed enables. All footholds for the attacker with an enterprise network are suddenly of equal value.
For example, we are already seeing Proof-of-Concepts taking advantage of Heartbleed in the wild. How long will it be before someone creates an automated internal scanner, finding vulnerable services on the local network, and exploiting them with a single click? The security industry must deal with the serious consequences of this vulnerability for years to come.
Measures You Can Take:
There is hope though, and Palo Alto Networks is in a unique position to protect against Heartbleed. Beginning on April 9, 2014, we released multiple protections, which automatically protect our customers from exploitation of this vulnerability:
- Emergency content 429 (IPS vulnerability signature ID 36416)
- Emergency content 430 (IPS vulnerability signature ID 40039, 36417, 36418)
Additionally, PAN-OS, the operating system at the core of our next-generation security platform, is not impacted, as PAN-OS does not employ a vulnerable version of OpenSSL. We will continue to monitor the situation and develop new protections as needed, ensuring customers are safe from Heartbleed.
Palo Alto Networks takes a fundamentally different approach to identify and work to prevent threats like Heartbleed from infiltrating your enterprise. Other security vendors are required to create an enormous amount of pattern-based signatures, in a constant battle to identify the telltale signs of exploitation, and release a new signature each time this happens. In contrast, our security platform natively decodes all traffic at the application layer, regardless of the port and protocol used, including SSL/TLS tunnels. Instead of struggling to match a multitude of signatures against known patterns, we are able to statefully decompose the protocol (SSL in this case) to detect anomalies in ways that cannot be done with typical network security devices limited by regular expression technology.
All services behind a Palo Alto Networks security platform are automatically protected from Heartbleed. Whether this is at the perimeter, the data center, or key points of internal segmentation, sensitive data will not be leaked via Heartbleed.
Have questions? Please reach out to your existing rep or partner, or contact us online or call 866.320.4788.