Security Rapid Response Bulletin: Remediation for Heartbleed Vulnerability Requires Keys and Certificates to be Replaced
Salt Lake City, UT
April 9, 2014
Venafi Offers the Only Solution to Find and Fix Vulnerable Cryptographic Keys and Digital Certificates Across the Enterprise
Venafi, the inventor of Next-Generation Trust Protection systems, today warns that the most devastating consequence of the OpenSSL Heartbleed bug in 2014 and beyond comes from failing to replace every key and certificate on the systems it affected. Patching the library does nothing for a private key that has already been read out of memory: until the keys and certificates are replaced, Heartbleed leaves a standing open door into Global 2000 organizations and governments, because anyone holding a leaked key can spoof the legitimate website, decrypt private communications, and steal the most sensitive data.
The Heartbleed vulnerability in OpenSSL (CVE-2014-0160) affects a large share of the public-facing web servers on the Internet (Venafi's estimate: at least half) and has been exploitable since the flaw shipped in OpenSSL 1.0.1 in March 2012, roughly two years before its disclosure. In that window an attacker could extract private keys, digital certificates, passwords, session cookies and other sensitive data from server memory. Keys and certificates establish the trust that businesses and governments rely on for secure banking, ecommerce and private communications. The exposure from this vulnerability is an order of magnitude larger than the Target Corporation data breach reported earlier this year, because it affects virtually every organization that uses the Internet and is trivially exploited: a single malformed TLS heartbeat request to a vulnerable server returns up to 64 KB of that server's process memory, no authentication is needed, nothing appears in the server's application logs, and publicly available scripts mean no special skills or tools are required.
To close the door on these vulnerabilities, organizations should carry out the following steps, in this order (patch first: a new key installed on a still-vulnerable server can be read out of memory just like the old one):
Identify all public-facing servers running OpenSSL 1.0.1 through 1.0.1f (or 1.0.2-beta1) and upgrade to OpenSSL 1.0.1g, or to a distribution package that backports the fix; such packages keep the upstream version string, so the output of openssl version alone can misreport a patched host as vulnerable
Identify the keys and certificates to fix based on knowledge of which applications used the vulnerable library; any private key loaded into a vulnerable process must be treated as exposed
Generate new key pairs and request new X.509 certificates for them; reissuing a certificate over the old, possibly leaked key gains nothing
Install the new keys and certificates on the servers, then revoke the vulnerable certificates; passwords and session tokens that passed through an affected server should be rotated as well
As simple as these steps sound, many organizations are challenged to carry them out.
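The four steps above as an added example (this is not Venafi's code and not a TrustAuthority or TrustForce feature): a POSIX shell script that classifies a host's OpenSSL version string against the vulnerable range, generates a genuinely new key pair and CSR with the openssl CLI, and checks that the new key really is a different key from the old one. The host name www.example.com and the version strings are constructed sample data; the script assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example, not Venafi's code. Assumes a POSIX shell and the openssl CLI.
# The host name and the version strings below are constructed sample data.

# Step 1: classify the output of `openssl version` on a host.
# Vulnerable: 1.0.1 through 1.0.1f and 1.0.2-beta1. Not vulnerable: 1.0.1g and later,
# the 1.0.0 branch, the 0.9.8 branch. Caveat: distribution packages that backport the
# fix keep the upstream version string, so a VULNERABLE answer here must be confirmed
# against the package changelog before anyone panics.
is_vulnerable_openssl() {
    ver=${1#* }        # "OpenSSL 1.0.1e 11 Feb 2013" -> "1.0.1e 11 Feb 2013"
    ver=${ver%% *}     # -> "1.0.1e"
    case "$ver" in
        1.0.1|1.0.1[a-f]|1.0.2-beta1) return 0 ;;
        *) return 1 ;;
    esac
}

# Step 3: generate a NEW 2048-bit RSA key pair and a CSR for it. Reusing the old key is
# the classic mistake: a certificate reissued over a leaked key is still compromised.
rotate_key() {
    dir=$1; host=$2
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$dir/$host.new.key" -out "$dir/$host.csr" 2>/dev/null
}

# Returns 0 when two PEM private keys are different keys (their RSA moduli differ).
keys_differ() {
    [ "$(openssl rsa -noout -modulus -in "$1")" != "$(openssl rsa -noout -modulus -in "$2")" ]
}

# Demo: classify a few constructed version strings, as collected from hosts over ssh.
for v in "OpenSSL 1.0.1e 11 Feb 2013" "OpenSSL 1.0.1g 7 Apr 2014" "OpenSSL 1.0.0l 6 Jan 2014"; do
    if is_vulnerable_openssl "$v"; then echo "VULNERABLE: $v"; else echo "ok: $v"; fi
done

# Demo: a real key rotation if openssl is available on this machine.
if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    host=www.example.com                                        # constructed host name
    openssl genrsa -out "$work/$host.old.key" 2048 2>/dev/null  # stands in for the exposed key
    rotate_key "$work" "$host"
    if keys_differ "$work/$host.old.key" "$work/$host.new.key"; then
        echo "new key for $host written to $work; submit $work/$host.csr to the CA, install the"
        echo "new key and certificate, then revoke the old certificate (step 4)"
    else
        echo "ERROR: key was not rotated for $host" >&2
    fi
    if is_vulnerable_openssl "$(openssl version)"; then
        echo "WARNING: this host's OpenSSL is in the vulnerable range; patch before installing the new key" >&2
    fi
fi
```

Run is_vulnerable_openssl against the output of openssl version gathered from each host; a VULNERABLE result on a distribution-patched host is a false positive that the package changelog resolves. Only after the host is patched should the CSR go to the CA; install the returned certificate together with the .new.key file, confirm the served certificate has changed, and then revoke the old certificate.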
"While the Heartbleed code has been fixed, it is alarming that many organizations remain vulnerable. Most Global 2000 organizations and governments don't have a clear path to quickly change out the thousands of affected and exposed keys and certificates in order to ensure security," says Jeff Hudson, CEO of Venafi. "But if they don't change out every one of those keys and certificates quickly, the continued exposure to Heartbleed means attackers can keep spoofing legitimate websites, decrypting private communications, and stealing the most sensitive data."
Venafi can help affected organizations identify and change all the SSL keys and certificates that are vulnerable. Venafi's business is to help organizations move from a vulnerable situation to a safe, secure, and trusted state. Organizations can request help at http://www.venafi.com/contact.
Venafi’s incident response to Heartbleed includes Venafi TrustAuthority™ which identifies and replaces vulnerable keys and certificates. TrustAuthority builds an intelligent inventory of keys and certificates, understands how they're used, identifies vulnerabilities, and replaces them. Further, TrustAuthority continuously monitors the certificates and detects and remediates anomalies as they are identified on an ongoing basis. In other words, get from vulnerable to secure and stay that way.
Many organizations that are Venafi customers today have rapidly responded to Heartbleed and are back to a known secure state using Venafi TrustForce. TrustForce fully automates the protection of keys and certificates, enabling organizations to protect hundreds of thousands of keys and certificates and to respond by automatically changing keys and certificates in minutes.