What exactly is the Heartbleed vulnerability?
On April 7, 2014, the OpenSSL community announced that it had found a critical vulnerability in the TLS Heartbeat protocol. The attack is very similar to a buffer overflow attack: a remote attacker exploits the protocol by sending a malformed “heartbeat” request whose declared payload length is larger than the payload actually sent. In response, the vulnerable server returns a heartbeat response that carries a block of up to 64KB of its memory in the payload. This memory block can potentially reveal confidential information, including SSL private keys, user passwords and more. The researchers who found this vulnerability have put together an informative micro site that explains all of this.
How do I know if my Radware Products are vulnerable?
Radware has tested all of its products and recently announced to its customers that Alteon, AppDirector, DefensePro and DefenseSSL are not vulnerable to the attack. Specific versions of Radware’s Web Application Firewall (AppWall) and Radware’s Web Performance Optimization solution (FastView) were found vulnerable to Heartbleed data leakage and were updated immediately. Please make sure to read Radware’s Security Advisory to ensure that you are running a non-vulnerable version.
I found that one of my servers is vulnerable. What should I do?
Follow these 3 steps:
- Immediately upgrade all of your vulnerable servers to the latest version that is not vulnerable to this attack.
- Once all systems (either Radware’s or other solutions) are upgraded and found to be non-vulnerable, make sure to re-issue all certificates that were used.
- Ensure you replace all passwords for both internal and consumer use.
Upgrading all of my servers may take me months. How do I stop this vulnerability?
Over the last week there were a large number of announcements about solutions that can or cannot be used to block data leakage resulting from this vulnerability. The short answer is – it depends:
- To date, there is no “silver bullet” that keeps your data safe with no false positives (i.e. blocking legitimate transactions). However, Radware’s solution lets you pick a protection method while you are still working on upgrading your servers.
- As Heartbleed is a vulnerability in the TLS Heartbeat protocol, ask yourself whether you really need to expose your network to this protocol at all. If not, Radware’s DefensePro can be updated with an attack signature that automatically blocks all Heartbeat transactions. Be aware that blocking the protocol may also block legitimate clients that use these “keep-alive” messages against your servers.
- Most SSL/TLS clients send fixed-length heartbeat messages. DefensePro can be updated with an attack signature that automatically blocks Heartbeat transactions of a given size.
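The length check behind both the vulnerability described above and the size-based signatures just mentioned, as an added example that is not Radware’s or OpenSSL’s code: it parses a TLS record, applies the RFC 6520 bounds test that a patched server performs on the heartbeat’s declared payload_length, and runs it over two constructed sample records (the message layout and constants are taken from RFC 6520; the sample bytes are made up here).

```python
import struct

TLS_HEARTBEAT = 0x18   # TLS record content type for Heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16       # RFC 6520: padding must be at least 16 bytes

def parse_tls_record(data: bytes):
    """Split one TLS record into (content_type, version, fragment)."""
    if len(data) < 5:
        raise ValueError("truncated TLS record header")
    ctype, version, length = struct.unpack("!BHH", data[:5])
    fragment = data[5:5 + length]
    if len(fragment) != length:
        raise ValueError("record length field disagrees with bytes on the wire")
    return ctype, version, fragment

def check_heartbeat(fragment: bytes) -> str:
    """Bounds check a patched server performs before answering a heartbeat.

    Message layout: type (1) | payload_length (2) | payload | padding (>= 16).
    The declared payload_length must fit inside the record; a vulnerable
    server skipped this test and copied payload_length bytes of process
    memory into its response.
    """
    if len(fragment) < 1 + 2 + MIN_PADDING:
        return "too short"
    hb_type = fragment[0]
    (payload_length,) = struct.unpack("!H", fragment[1:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return "unknown heartbeat type"
    if 1 + 2 + payload_length + MIN_PADDING > len(fragment):
        return "declared payload_length exceeds record: possible Heartbleed probe"
    return "ok"

def classify_record(data: bytes) -> str:
    """Verdict for one raw TLS record: non-heartbeat records pass through."""
    ctype, _, fragment = parse_tls_record(data)
    if ctype != TLS_HEARTBEAT:
        return "not a heartbeat record"
    return check_heartbeat(fragment)

def _heartbeat_record(declared_length: int, payload: bytes) -> bytes:
    """Constructed sample builder: TLS 1.2 record header, 16 zero padding bytes."""
    hb = struct.pack("!BH", HB_REQUEST, declared_length) + payload + b"\x00" * MIN_PADDING
    return struct.pack("!BHH", TLS_HEARTBEAT, 0x0303, len(hb)) + hb

# Constructed samples: a well-formed 4-byte heartbeat, and one whose declared
# length (65535) is far larger than the 4 payload bytes actually present.
SAMPLE_OK = _heartbeat_record(4, b"ping")
SAMPLE_MALFORMED = _heartbeat_record(0xFFFF, b"ping")
```

A fixed-size signature of the kind described above would key on `len(fragment)` from the same parser rather than on the declared length.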
What if my servers are using variable, random-size Heartbeat messages?
Radware’s DefenseSSL can be used to block data leakage by enabling always-on HTTP authentication for HTTPS-based services. Radware HTTP authentication helps our Attack Mitigation Solution (AMS) differentiate between a bot and a full Web browser. The assumption is that, because the data that can be leaked is random in nature, only automated tools can collect enough meaningful data to make an attack really effective.
DefenseSSL uses sophisticated challenge/response mechanisms to help differentiate between legitimate users on Web browsers and malicious bots. Refer to Radware’s Security Advisory for deployment guidelines and additional information.
Where can I find more info?
Refer to Radware’s Knowledgebase to learn more. Radware support can also help you analyze the solutions.
I found that I was vulnerable. What can I do?
Review your security architecture; there is always room to improve. Have you considered a Web Application Firewall, an IPS or a DLP solution? None of them may be effective on its own, but as part of a multi-layered approach they could save the day.