On April 7, 2014, a team of security researchers announced the discovery of a critical vulnerability dubbed “The Heartbleed Bug”, found in OpenSSL, a widely-used open source cryptographic software library. Symantec is currently investigating the OpenSSL vulnerability, which allows attackers to read the memory of systems using vulnerable versions of the OpenSSL software.
This may disclose the secret keys, which allows attackers to decrypt and eavesdrop on SSL encrypted communications and impersonate service providers. In addition, other data in memory may be disclosed, including user names and passwords or other data stored in memory by the service. Symantec recommends:
- Anyone using OpenSSL 1.0.1 through 1.0.1f should update to the latest fixed version of the software (1.0.1g), or recompile OpenSSL without the heartbeat extension.
- Businesses should also replace the certificate on their web server after moving to a fixed version of OpenSSL.
- Finally, and as a best practice, businesses should also consider resetting end-user passwords that may have been visible in a compromised server memory.
- Be aware that your data could have been seen by a third party if you used a vulnerable service provider
- Monitor any notices from the vendors you use. Once a vulnerable vendor has told its customers to change their passwords, do so
- Avoid potential phishing emails from attackers asking you to update your password – to avoid going to an impersonated website, stick with the official site domain
1. I don’t have any of the vulnerable OpenSSL versions. Do I need to take any action?
No, there is no further action required.
2. Who is affected?
Users of OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable.
Any customer using OpenSSL 1.0.1 through 1.0.1f (inclusive) on their web server is vulnerable unless support for the heartbeat extension was disabled when OpenSSL was compiled.
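The two conditions above (version in the affected range, and whether the heartbeat extension was compiled out) can be checked from the output of `openssl version -a`. The script below is an added example, not part of the Symantec article: it classifies a version line against the range 1.0.1 through 1.0.1f and treats a build whose compiler flags contain `-DOPENSSL_NO_HEARTBEATS` (the compile-time option that removes the heartbeat extension) as not exposed. The sample version lines in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Symantec article): classify an OpenSSL build
# against the Heartbleed-affected range 1.0.1 through 1.0.1f, honouring the
# compile-time heartbeat caveat.

# heartbleed_status VERSION_LINE [COMPILER_LINE]
#   VERSION_LINE  first line of `openssl version -a`, e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013"
#   COMPILER_LINE the "compiler: ..." line from the same output (optional)
# Prints one of: vulnerable, patched-no-heartbeats, not-affected, unknown
heartbleed_status() {
    ver_line=$1
    flags_line=${2:-}
    # Take the token after "OpenSSL" and drop any "-fips"/"-beta" suffix: "1.0.1e-fips" -> "1.0.1e"
    ver=$(printf '%s\n' "$ver_line" | sed -n 's/^OpenSSL \([0-9][0-9a-z.]*\).*/\1/p' | sed 's/-.*//')
    [ -n "$ver" ] || { echo unknown; return 0; }   # not an OpenSSL version line
    case "$ver" in
        1.0.1|1.0.1[a-f])
            # Affected release; only safe if heartbeats were compiled out
            case "$flags_line" in
                *-DOPENSSL_NO_HEARTBEATS*) echo patched-no-heartbeats ;;
                *) echo vulnerable ;;
            esac ;;
        *) echo not-affected ;;   # 1.0.1g and later, or the 1.0.0/0.9.8 branches
    esac
}

# check_local_openssl: run the classification against the OpenSSL CLI on this host
check_local_openssl() {
    info=$(openssl version -a 2>/dev/null) || { echo unknown; return 0; }
    ver_line=$(printf '%s\n' "$info" | sed -n '1p')
    flags_line=$(printf '%s\n' "$info" | grep '^compiler:' || true)
    heartbleed_status "$ver_line" "$flags_line"
}

# Constructed sample lines (not real hosts) showing each outcome:
heartbleed_status 'OpenSSL 1.0.1e-fips 11 Feb 2013'                                          # vulnerable
heartbleed_status 'OpenSSL 1.0.1f 6 Jan 2014' 'compiler: gcc -fPIC -DOPENSSL_NO_HEARTBEATS'  # patched-no-heartbeats
heartbleed_status 'OpenSSL 1.0.1g 7 Apr 2014'                                                # not-affected
```

Run `check_local_openssl` on each server or appliance to get the classification for the library actually installed there; note that a web server statically linked against its own OpenSSL copy must be checked separately from the system library.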
3. Are Code Signing or Managed PKI for SSL Administrator ID certificates impacted by this vulnerability?
4. Is this a design flaw in SSL/TLS?
This is not a vulnerability in SSL/TLS itself, nor in Symantec’s products.
SSL/TLS is not broken, nor are the digital certificates issued by Symantec and its brands.
5. Am I impacted by the vulnerability in OpenSSL?
Test for the vulnerability at:
6. What is the remediation plan?
- Upgrade to OpenSSL 1.0.1g
- If this is not possible, customers can recompile OpenSSL with the heartbeat extension removed via a compile-time option
- Please consult your server administrators with regards to updating or recompiling OpenSSL.
- OpenSSL 1.0.1g is now available here, including bug and security fixes
- Update your web server (Apache, nginx) using OpenSSL 1.0.1g.
- As a safety measure, it is highly advisable to replace the web server certificate after the OpenSSL upgrade.
NOTE: Do not revoke your current certificate until the new replacement certificate is installed.
- Create a new private key & Certificate Signing Request (CSR).
NOTE: Do not reuse the existing private key & Certificate Signing Request (CSR).
- To replace your certificate from a Symantec Trust Center account, view the steps in SO7146
- To replace your certificate from a Symantec Trust Center Enterprise account, view the steps in SO10700
- To replace your certificate via Partner channel, view the steps in SO17278
- To replace your certificate from Managed PKI for SSL account, view the steps in SO4266
- After installing the replacement certificate, the previously issued certificate should be removed from the server or device. Once the replacement is confirmed working, revoke the previous certificate.
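The key and CSR steps above, together with the note not to reuse the existing private key, can be enforced from the command line. The script below is an added example and not Symantec’s own procedure: it generates a fresh key and CSR, compares public-key fingerprints so a reused key is refused, and checks that an installed certificate really belongs to the new key before the old certificate is revoked. File names, the subject and the `run` argument are placeholders.

```shell
#!/bin/sh
# Added example (not from the Symantec article): replacement key + CSR with a
# check that the new key is not the old one. All paths/subject are placeholders.

OLD_KEY=${OLD_KEY:-old-server.key}      # private key behind the certificate being replaced
NEW_KEY=${NEW_KEY:-new-server.key}
NEW_CSR=${NEW_CSR:-new-server.csr}
SUBJECT=${SUBJECT:-/CN=www.example.com} # placeholder subject for the CSR

# pubkey_fingerprint KEYFILE -> SHA-256 over the DER-encoded public key
pubkey_fingerprint() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 | sed 's/^.*= *//'
}

# cert_pubkey_fingerprint CERTFILE -> same digest, taken from a certificate
cert_pubkey_fingerprint() {
    openssl x509 -in "$1" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 | sed 's/^.*= *//'
}

# make_new_key_and_csr: new 2048-bit RSA key (owner-only permissions) and a CSR signed with it
make_new_key_and_csr() {
    umask 077
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$NEW_KEY"
    openssl req -new -key "$NEW_KEY" -subj "$SUBJECT" -out "$NEW_CSR"
}

# keys_differ OLDKEY NEWKEY -> status 0 when the public keys are different
keys_differ() {
    [ "$(pubkey_fingerprint "$1")" != "$(pubkey_fingerprint "$2")" ]
}

# cert_matches_key CERT KEY -> status 0 when the certificate was issued for KEY
cert_matches_key() {
    [ "$(cert_pubkey_fingerprint "$1")" = "$(pubkey_fingerprint "$2")" ]
}

# Usage: OLD_KEY=... NEW_KEY=... NEW_CSR=... sh replace-key.sh run
if [ "${1:-}" = "run" ]; then
    make_new_key_and_csr
    if keys_differ "$OLD_KEY" "$NEW_KEY"; then
        echo "new key differs from the old one; submit $NEW_CSR for the replacement certificate"
    else
        echo "refusing: $NEW_KEY reuses the key of $OLD_KEY" >&2
        exit 1
    fi
fi
```

After the CA returns the replacement, `cert_matches_key replacement.crt "$NEW_KEY"` confirms the certificate was issued for the new key and not, by mistake, for the old one; only then remove the old certificate and proceed to revoke it.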
7. Will my old certificate be revoked immediately?
Symantec has introduced a Replace only option, which does not revoke your previous certificate. Symantec recommends using the Replace option to obtain a free certificate replacement. Once you have installed the replacement certificate successfully, you should revoke the previous certificate. How quickly the previous certificate is treated as revoked depends on the system: while the certificate may be revoked immediately, it will take up to 24 hours until it is added to the CRL, whereas the OCSP responder will flag the certificate as revoked immediately.
8. Will replacing the certificates cost anything?
Replacements are free for the lifetime of the certificate.
9. How long will it take to get the new certificate?
This depends on whether any certificate vetting is required. If the certificate is replaced without vetting, we may be able to reissue the certificate instantly. For questions on reissuance, please contact Customer Support.
10. Does Heartbleed affect my other Symantec security deployments?
Verify whether any OpenSSL libraries are used in these deployments and which OpenSSL version each server is using. If they fall into the vulnerable versions listed above, there is a security risk and you need to take appropriate action to mitigate it.