Understand the Heartbleed Vulnerability and Remediate

Analyst Coverage

“Cybercriminals are known to steal SSH keys or manipulate which keys are trusted to gain access to source code and other valuable intellectual property.”

“Advanced threat detection provides an important layer of protection but is not a substitute for securing keys and certificates that can provide an attacker trusted status that evades detection.”

"Basically, the enterprise is a sitting duck."

"PKI is under attack... Advanced and persistent adversaries go for keys."

"When there are many hundreds of certificates from a variety of certificate authorities, the only ecumenical [universal], nonproprietary provider of a certificate management solution is Venafi. Other CA management systems are biased toward the particular CA by, for example, only supporting renewals from that specific CA."

"No CISO could consider having tens of thousands of unknown network ports open and have no way to control them. But that’s the alarming reality today with regard to the trust established by keys and certificates..."

"Organizations with roughly 200 or more documented X.509 certificates in use are high-risk candidates for unplanned expiry and having certificates that have been purchased but not deployed."

"Technology critical to cloud computing is in clear and present danger... attacks on Secure Shell (SSH) keys present the most alarming threat arising from failure to control trust."

“Certificates can no longer be blindly trusted.”

“Just because something is digitally signed doesn't mean it can be trusted.”

“Enterprise awareness of attacks on keys and certificates is in its infancy; most don’t understand how to detect or respond to an attack.”

Remediating the Heartbleed Vulnerability

What is the recommended remediation?

Immediate Action (publicly facing servers):

  1. Identify any publicly facing server using OpenSSL 1.0.1 through 1.0.1f (the OpenSSL advisory also lists 1.0.2-beta1 as affected).
  2. Upgrade to OpenSSL 1.0.1g or to your distribution's patched package, or recompile the OpenSSL library with -DOPENSSL_NO_HEARTBEATS. Then restart every service that has the old library loaded: a running process keeps using the copy of libssl it started with.
  3. Generate new private keys and request new certificates for them. Do this only after step 2, otherwise the new key is exposed to the same bug. A certificate re-issued for the old key does not help; the private key is what may have been read out of server memory.
  4. Install the new keys and certificates and verify that they are the ones actually being served.
  5. Revoke the old X.509 certificates once the replacements are live. Revoking first causes errors for clients that check revocation status and does nothing to remove the exposure.

Follow-up Action (internal servers and applications):

  1. Identify any internal server or application using OpenSSL 1.0.1 through 1.0.1f.
  2. Upgrade or recompile as above and restart the affected services.
  3. Generate new private keys and request new certificates for them.
  4. Install the new keys and certificates and verify that they are in use.
  5. Revoke the old X.509 certificates.
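Step 1 of both lists is harder than it looks, because Debian, Ubuntu and RHEL backported the fix without changing the upstream version letter: a patched host can still report "OpenSSL 1.0.1e". The script below is an added example, not Venafi code or any tool described on this page. It classifies the text printed by `openssl version -a`, treating the build date and an OPENSSL_NO_HEARTBEATS compile flag as secondary evidence when the version string alone says "vulnerable". The sample outputs in it are constructed, not captured from real hosts, and the package version cited in the comments is given only as an illustration of a backport.

```python
"""Classify an OpenSSL build against the Heartbleed (CVE-2014-0160) version range.

Added example (not from the original page). Reads `openssl version -a` output.
Distros backported the fix without bumping the upstream letter (e.g. Debian's
fixed package 1.0.1e-2+deb7u5 still prints "OpenSSL 1.0.1e"), so the build date
and the OPENSSL_NO_HEARTBEATS flag are used as secondary signals. Sample outputs
below are constructed, not captured.
"""
import re
import shutil
import subprocess
from datetime import date

# Affected per the OpenSSL advisory of 7 April 2014: 1.0.1 through 1.0.1f and
# 1.0.2-beta1. The 1.0.0 and 0.9.8 branches never contained the bug.
FIX_RELEASE_DATE = date(2014, 4, 7)
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?")
BUILT_RE = re.compile(r"built on:\s*\w{3}\s+(\w{3})\s+(\d{1,2})\s+[\d:]+\s+(?:\w+\s+)?(\d{4})")


def version_in_affected_range(major, minor, patch, letter, prerelease):
    """True if the upstream version string falls in the vulnerable range."""
    if (major, minor, patch) == (1, 0, 1):
        return letter <= "f"          # "" is the 1.0.1 release itself; "g" is the fix
    if (major, minor, patch) == (1, 0, 2):
        return prerelease == "beta1"
    return False


def classify(version_output):
    """Return {'version', 'status', 'detail'} for the text of `openssl version -a`.

    status: not_affected | heartbeats_disabled | built_after_fix_verify_package
            | vulnerable | unknown
    """
    m = VERSION_RE.search(version_output)
    if not m:
        return {"version": None, "status": "unknown", "detail": "no OpenSSL version string found"}
    version = m.group(0).split(None, 1)[1]
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    if not version_in_affected_range(major, minor, patch, m.group(4), m.group(5)):
        return {"version": version, "status": "not_affected",
                "detail": "outside 1.0.1-1.0.1f / 1.0.2-beta1"}
    if "OPENSSL_NO_HEARTBEATS" in version_output:
        return {"version": version, "status": "heartbeats_disabled",
                "detail": "heartbeat extension compiled out"}
    b = BUILT_RE.search(version_output)
    if b and b.group(1) in MONTHS:
        built = date(int(b.group(3)), MONTHS[b.group(1)], int(b.group(2)))
        if built >= FIX_RELEASE_DATE:
            # Version string is in range but the binary postdates the fix:
            # probably a distro backport. Confirm against the package changelog.
            return {"version": version, "status": "built_after_fix_verify_package",
                    "detail": f"built {built.isoformat()}; check package changelog for CVE-2014-0160"}
    return {"version": version, "status": "vulnerable",
            "detail": "upgrade to 1.0.1g or a patched package, restart services, then re-key"}


def classify_local_build():
    """Run `openssl version -a` on this host and classify it (None if openssl is absent)."""
    if shutil.which("openssl") is None:
        return None
    out = subprocess.run(["openssl", "version", "-a"], capture_output=True, text=True, check=False)
    return classify(out.stdout)


# Constructed sample outputs in the shape `openssl version -a` prints.
SAMPLES = {
    "unpatched_1.0.1e": "OpenSSL 1.0.1e 11 Feb 2013\nbuilt on: Mon Feb 11 15:26:33 UTC 2013\n",
    "fixed_1.0.1g": "OpenSSL 1.0.1g 7 Apr 2014\nbuilt on: Mon Apr  7 21:20:56 UTC 2014\n",
    "backport_1.0.1e": "OpenSSL 1.0.1e 11 Feb 2013\nbuilt on: Tue Apr  8 02:39:29 UTC 2014\n",
    "no_heartbeats": "OpenSSL 1.0.1e 11 Feb 2013\ncompiler: gcc -O2 -DOPENSSL_NO_HEARTBEATS\n",
    "old_branch": "OpenSSL 0.9.8y 5 Feb 2013\n",
    "beta": "OpenSSL 1.0.2-beta1 24 Feb 2014\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        r = classify(text)
        print(f"{name:18} {r['version']:14} {r['status']}")
    print("this host:", classify_local_build())
```

A "built_after_fix_verify_package" result is a prompt to look at the package changelog, not a clean bill of health; and even a "not_affected" library does not clear a host whose long-running daemons were started before the upgrade.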

How can Venafi help?

Venafi Trust Protection Platform provides holistic remediation of the Heartbleed vulnerability. By using TrustAuthority with the Vulnerability Remediation Plugin, organizations can quickly identify any system susceptible to Heartbleed, regardless of whether it is a publicly facing server or on the internal network.

Once the OpenSSL vulnerability is patched, it is paramount to replace the private keys and X.509 certificates on impacted systems. Patching alone does not recover a private key that may already have been read out of server memory, and an attacker holding that key can spoof your website for phishing campaigns, mount man-in-the-middle (MITM) attacks, and decrypt previously captured sessions that did not use a forward-secret key exchange.

The following remediation plan outlines how Venafi can help identify Heartbleed vulnerable systems and remediate against any future compromise from stolen keys and certificates.

Step  Action                                                                        TrustAuthority  TrustForce
1     Identify any publicly facing server using OpenSSL 1.0.1 - 1.0.1f and          yes (1)         yes
      upgrade to OpenSSL 1.0.1g
2     Identify keys and certificates that need to be fixed based on knowledge        yes             yes
      of vulnerable applications
3     Generate new keys and X.509 certificates                                       yes             yes
4     Automatically distribute and install new keys and certificates on servers      no              yes
5     Revoke vulnerable certificates                                                 yes             yes
6     Identify any internal server or application using OpenSSL 1.0.1 - 1.0.1f       yes (1)         yes
      and upgrade to OpenSSL 1.0.1g
7     Repeat steps 2 - 5                                                             yes (2)         yes
8     Validate that all keys and certificates have been replaced                     yes             yes
9     Continuously validate that all keys and certificates are replaced, detect      yes             yes
      anomalies and alert the organization (every 24 hours)

(1) Heartbleed remediation acceleration is available via the Vulnerability Remediation Plugin.

(2) TrustAuthority does not perform automatic distribution and installation of keys and certificates (step 4).

 

Venafi TrustAuthority can quickly identify systems impacted by the Heartbleed vulnerability, establish how many keys and certificates are in use, where they are used, and who is responsible for them. Once TrustAuthority has built a comprehensive inventory of all X.509 certificates, those on impacted systems need to be replaced.

  • TrustAuthority policies identify the applications with which keys and certificates are used, including Apache systems.
  • Using TrustAuthority, security administrators working with application owners, and with knowledge of which applications were vulnerable, can quickly and securely generate new keys and certificates from one or more of the trusted Certificate Authorities (CAs) used by the organization.
  • Security teams can define policies for newly created keys and certificates to ensure they comply with minimum security standards.
  • TrustAuthority validates that all keys and certificates have been replaced.

Venafi TrustForce uses lightweight agent and agentless technologies to automate complex activities, including rekeying and recertification, for which manual processes might open vulnerabilities. With TrustForce, the remediation of keys and certificates is completely automated and secure.

  • TrustForce automatically generates and installs keys and certificates without waiting for assistance from application and operations teams.
  • TrustForce securely distributes new keys and certificates, installs them, and validates the application is back up and running with the new trusted keys and certificates.

The Venafi Vulnerability Remediation Plugin further enhances TrustAuthority and TrustForce to accelerate the remediation process. Unlike tools that only detect the Heartbleed vulnerability, TrustAuthority and TrustForce provide complete remediation, identifying both internal and external weaknesses such as Heartbleed exposure, weak signing algorithms, and short key lengths. Once vulnerable systems have been identified and patched, customers can remediate with bulk generation of new keys and certificates.

As part of the Heartbleed remediation, TrustAuthority and TrustForce will not allow key rotation before the OpenSSL systems are properly patched, since a key generated on a still-vulnerable server can be leaked in the same way; this ordering ensures correct, end-to-end remediation. Once the plugin is added to TrustAuthority and TrustForce and a vulnerability like Heartbleed is detected, bulk revocation can be performed by:

  1. CA
  2. Object Name
  3. Application Type
  4. Network scan – port range

Contact Venafi to accelerate Heartbleed remediation.

 

What are the recommended cryptographic standards for new keys and certificates?

When creating new keys and certificates, the following minimum cryptographic standards are recommended.

Key Length:

Short keys are vulnerable to brute-force attacks (for RSA, factoring) as computing power advances. In SP 800-131A, the National Institute of Standards and Technology (NIST) disallowed 1024-bit RSA keys for digital signature generation after December 31, 2013, because they are no longer considered secure.

Minimum recommendation: 2048-bit RSA

Hashing Algorithms:

The hash algorithm in question is the one the CA uses to sign the certificate, so it is fixed at issuance: request SHA-256 from the CA when ordering replacement certificates rather than assuming the CSR settings carry over. Any certificate signed with MD5 should be replaced immediately; practical MD5 collisions have been known since 2004, and NIST does not recognize MD5 as an approved hash algorithm. NIST deprecated SHA-1 for signature generation from 2011 and disallowed it after December 31, 2013 (SP 800-131A), so certificates signed with SHA-1 should also be replaced.

Minimum recommendation: SHA-256

Cipher:

Cipher suites with practical attacks should not be offered. The Data Encryption Standard (DES) with its 56-bit key is one example: it can be brute-forced outright. RC4 is also not recommended; its keystream has statistical biases that allow plaintext recovery in TLS (demonstrated in 2013). Note that BEAST targets block ciphers in CBC mode under TLS 1.0, not RC4, so switching to RC4 to avoid BEAST is not a fix.

Minimum recommendation: three-key Triple DES (3TDEA) or, preferably, the Advanced Encryption Standard (AES)
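Two of the checks above, and the "verify the new keys are in use" step of the remediation plan, can be done offline against the certificate itself. The following is an added example, not Venafi code and not any tool described on this page: a standard-library Python auditor that parses a DER certificate just far enough to report the signature hash (MD5 or SHA-1 fails), the RSA modulus size (below 2048 fails), and a SHA-256 fingerprint of the SubjectPublicKeyInfo. The SPKI fingerprint is what proves a new key was generated: a certificate re-issued on the old key gets a new certificate fingerprint but keeps the same SPKI. Signatures are not verified. The sample certificates built at the bottom are constructed test data (unsigned, with empty Names and made-up moduli), not real certificates.

```python
"""Offline X.509 audit for post-Heartbleed re-keying. Added example, stdlib only."""
import hashlib

SIG_HASH = {
    "1.2.840.113549.1.1.4": "md5",
    "1.2.840.113549.1.1.5": "sha1",
    "1.2.840.113549.1.1.11": "sha256",
    "1.2.840.113549.1.1.12": "sha384",
    "1.2.840.113549.1.1.13": "sha512",
}
RSA_ENCRYPTION = "1.2.840.113549.1.1.1"


def tlv(data, pos=0):
    """Decode one DER tag-length-value at pos; return (tag, value, end_offset)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                            # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def children(seq_value):
    """Elements of a SEQUENCE body as (tag, value, raw_tlv_bytes) triples."""
    out, pos = [], 0
    while pos < len(seq_value):
        tag, value, end = tlv(seq_value, pos)
        out.append((tag, value, seq_value[pos:end]))
        pos = end
    return out


def decode_oid(value):
    """Dotted-decimal form of an OBJECT IDENTIFIER body."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def audit_certificate(der, min_bits=2048):
    """Report signature hash, RSA key size and SPKI fingerprint; 'compliant' if policy is met."""
    cert_parts = children(tlv(der)[1])           # tbsCertificate, signatureAlgorithm, signatureValue
    sig_oid = decode_oid(children(cert_parts[1][1])[0][1])
    tbs = children(cert_parts[0][1])
    if tbs[0][0] == 0xA0:                        # optional EXPLICIT [0] version comes first
        tbs = tbs[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    spki_value, spki_raw = tbs[5][1], tbs[5][2]
    spki_parts = children(spki_value)
    key_oid = decode_oid(children(spki_parts[0][1])[0][1])
    key_bits = None
    if key_oid == RSA_ENCRYPTION:
        rsa_pub = children(spki_parts[1][1][1:])[0][1]   # BIT STRING: skip the unused-bits byte
        key_bits = int.from_bytes(children(rsa_pub)[0][1], "big").bit_length()
    sig_hash = SIG_HASH.get(sig_oid, sig_oid)
    findings = []
    if sig_hash in ("md5", "sha1"):
        findings.append(f"signature hash {sig_hash}; require sha256 or stronger")
    if key_bits is not None and key_bits < min_bits:
        findings.append(f"RSA key is {key_bits} bits; minimum is {min_bits}")
    return {"signature_hash": sig_hash, "key_bits": key_bits,
            "spki_sha256": hashlib.sha256(spki_raw).hexdigest(),
            "findings": findings, "compliant": not findings}


def same_public_key(der_a, der_b):
    """True if two certificates carry the same public key (re-issued without re-keying)."""
    return audit_certificate(der_a)["spki_sha256"] == audit_certificate(der_b)["spki_sha256"]


# ---- constructed test data: minimal, unsigned certificate skeletons (not real certs) ----
def enc(tag, body):
    """DER encoder for one tag-length-value, short or long length form."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def enc_int(i):
    return enc(0x02, i.to_bytes((i.bit_length() + 8) // 8, "big"))   # leading 0x00 keeps it positive


OID_RSA = bytes.fromhex("2a864886f70d010101")
OID_MD5_RSA = bytes.fromhex("2a864886f70d010104")
OID_SHA1_RSA = bytes.fromhex("2a864886f70d010105")
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")
MODULUS_1024 = (1 << 1023) | 0x10001     # not a real key, just the right size
MODULUS_2048 = (1 << 2047) | 0x10001


def constructed_cert(sig_oid, modulus):
    """Certificate{tbs, sigAlg, zeroed signature} with the given hash OID and RSA modulus."""
    alg = enc(0x30, enc(0x06, sig_oid) + b"\x05\x00")
    rsa_pub = enc(0x30, enc_int(modulus) + enc_int(65537))
    spki = enc(0x30, enc(0x30, enc(0x06, OID_RSA) + b"\x05\x00") + enc(0x03, b"\x00" + rsa_pub))
    validity = enc(0x30, enc(0x17, b"140407000000Z") + enc(0x17, b"150407000000Z"))
    tbs = enc(0x30, enc(0xA0, enc_int(2)) + enc_int(1) + alg + enc(0x30, b"")
              + validity + enc(0x30, b"") + spki)
    return enc(0x30, tbs + alg + enc(0x03, b"\x00" * 129))
```

For a real certificate, feed `audit_certificate` the DER bytes (base64-decode the body of a PEM file first); to confirm a server was actually re-keyed, compare the SPKI fingerprint of the certificate it now serves with the one recorded before the patch.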

 
