I have been reading about the Heartbleed Bug since it was formally disclosed last week. I work with customers to explain which VMware products are affected and what they should do to mitigate the risk this bug introduces.
History of the Heartbleed Bug
The vulnerability was introduced into the OpenSSL git repository through a well-intentioned patch submitted by Robin Seggelmann and reviewed by the OpenSSL team on December 31, 2011. The vulnerable code reached widespread use with the release of OpenSSL version 1.0.1 on March 14, 2012.
In April 2014, Neel Mehta of Google's security team reported a bug in all versions of the OpenSSL 1.0.1 series released since March 14, 2012 (1.0.1 through 1.0.1f). The bug is a severe memory-handling error in the implementation of the Transport Layer Security (TLS) Heartbeat Extension (RFC 6520): the code trusts the payload length field of an incoming heartbeat request and copies that many bytes into the response without checking the claimed length against the size of the record actually received. This defect could be used to reveal up to 64 kilobytes of the application's memory with every heartbeat, and the request can be repeated as often as the attacker likes. The bug is registered in the Common Vulnerabilities and Exposures system as CVE-2014-0160.
Behavior
The Heartbleed bug allows anyone on the Internet to read parts of the memory of any process that uses a vulnerable version of OpenSSL, whether that is a server or a client connecting to a malicious server, and it leaves no trace in the application's logs. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users, and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users, and impersonate services and users.
The bug might also reveal unencrypted parts of users' requests and responses, including any form post data in users' requests, session cookies and passwords, which might allow attackers to hijack the identity of another user of the service. At its disclosure, some 17% (about half a million) of the Internet's secure web servers certified by trusted authorities were believed to be vulnerable to an attack.
What about VMware Products
The VMware Security Engineering, Communications, and Response group (vSECR) is investigating the OpenSSL issue and has published an advisory as a public KB article:
http://kb.vmware.com/kb/2076225
The KB article is updated frequently and contains a detailed list of which products are affected and which are not.
Resolution/Mitigation
As per the KB article mentioned above, this is the resolution VMware recommends:
By deploying vSphere 5.5 (and other relevant VMware products) on an isolated management network, the exposure to CVE-2014-0160 is reduced. Hosting vSphere components directly on the Internet is strongly discouraged. Virtual machines that are exposed to the Internet should be updated in case they are affected. For the latter, refer to the instructions by the operating system provider.
VMware is working on updating its products to remediate the issue. When software updates for CVE-2014-0160 are available, deployment of these updates should be accompanied by replacing certificates and resetting passwords as per best practices. Instructions on how to do this for each affected product will be provided at the same time updates are released.
OpenSSL has released a fix: version 1.0.1g adds bounds checks to the heartbeat handling so that the claimed payload length is validated against the length of the record actually received, which prevents the buffer over-read. If upgrading is not immediately possible, the OpenSSL advisory recommends recompiling with -DOPENSSL_NO_HEARTBEATS to disable the extension entirely. The fix can be seen in the OpenSSL git repository:
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=96db902
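To make the defect described under Behavior and the bounds checks from the 1.0.1g commit concrete, here is an added C example. It is not OpenSSL's code and not part of the original post, although the structure follows tls1_process_heartbeat: the record type hb_record, the function process_heartbeat and the helpers run_demo and response_leaks_secret are illustrative names chosen here. The heartbeat request, the "process memory" laid out next to it and the fake key header are all constructed for the demo; nothing is read from a real process or network. With check_bounds set to 0 the copy length is taken straight from the attacker-controlled 16-bit field, so the response carries 64 bytes although only one payload byte was sent; with check_bounds set to 1 the two checks added in 1.0.1g discard the request.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16   /* RFC 6520 requires at least 16 bytes of padding */

/* Stand-in for the TLS record the heartbeat arrived in (OpenSSL's s->s3->rrec). */
typedef struct {
    const unsigned char *data;   /* type(1) | payload_length(2) | payload | padding */
    size_t length;               /* bytes actually received on the wire */
} hb_record;

/*
 * Build the HeartbeatResponse for a HeartbeatRequest.
 * check_bounds == 0 mirrors the OpenSSL 1.0.1-1.0.1f logic: the copy length
 * comes from the 16-bit field in the request and is never compared with
 * rec->length.  check_bounds == 1 applies the two checks from the 1.0.1g fix.
 * Returns the response length with the malloc'd response in *out, or 0 with
 * *out == NULL when the request is discarded.
 */
size_t process_heartbeat(const hb_record *rec, int check_bounds, unsigned char **out)
{
    const unsigned char *p = rec->data;
    unsigned char hbtype, *buffer, *bp;
    unsigned short payload;
    size_t resp_len;

    *out = NULL;
    /* Fix, check 1: the record must at least hold type, length and padding. */
    if (check_bounds && (size_t)(1 + 2 + HB_PADDING) > rec->length)
        return 0;

    hbtype = *p++;
    payload = (unsigned short)((p[0] << 8) | p[1]);   /* n2s(p, payload) */
    p += 2;

    /* Fix, check 2: the claimed payload must fit inside the received record. */
    if (check_bounds && (size_t)(1 + 2 + payload + HB_PADDING) > rec->length)
        return 0;
    if (hbtype != TLS1_HB_REQUEST)
        return 0;

    resp_len = 1 + 2 + payload + HB_PADDING;
    buffer = malloc(resp_len);
    if (buffer == NULL)
        return 0;
    bp = buffer;
    *bp++ = TLS1_HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);
    *bp++ = (unsigned char)(payload & 0xff);
    /* Without the checks above this copies 'payload' bytes from the request,
     * running past the end of the record into whatever lies next in memory. */
    memcpy(bp, p, payload);
    memset(bp + payload, 0, HB_PADDING);   /* OpenSSL uses RAND_pseudo_bytes here */
    *out = buffer;
    return resp_len;
}

/* Constructed stand-in for process memory: a 20-byte request claiming a 64-byte
 * payload but carrying one byte, followed by data that belongs to something
 * else entirely (a fake key header, not a real key). */
static unsigned char process_memory[] =
    "\x01"            /* HeartbeatRequest */
    "\x00\x40"        /* claimed payload length: 64 */
    "A"               /* the single payload byte actually sent */
    "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"   /* 16 bytes of padding */
    "-----BEGIN RSA PRIVATE KEY----- secret material lying next to the record ";

#define RECEIVED_LEN (1 + 2 + 1 + HB_PADDING)   /* what actually arrived: 20 bytes */

/* Run the constructed request with or without the fix. */
size_t run_demo(int check_bounds, unsigned char **out)
{
    hb_record rec = { process_memory, RECEIVED_LEN };
    return process_heartbeat(&rec, check_bounds, out);
}

/* 1 if the response carries bytes that were never part of the received record. */
int response_leaks_secret(const unsigned char *resp, size_t len)
{
    const char *marker = "BEGIN RSA PRIVATE KEY";
    size_t mlen = strlen(marker), i;
    if (resp == NULL)
        return 0;
    for (i = 3; i + mlen <= len; i++)
        if (memcmp(resp + i, marker, mlen) == 0)
            return 1;
    return 0;
}

int main(void)
{
    unsigned char *resp;
    size_t n = run_demo(0, &resp);
    printf("vulnerable: %zu-byte response, leaks secret: %d\n", n, response_leaks_secret(resp, n));
    printf("bytes after the one sent payload byte: %s\n", (const char *)resp + 3 + 1 + HB_PADDING);
    free(resp);
    n = run_demo(1, &resp);
    printf("fixed: request discarded, response length %zu\n", n);
    return 0;
}
```

The second check is the one that matters: the first only guards against a record too short to parse, while the second rejects any request whose claimed length exceeds what was actually received, which is exactly the case the exploit sends. In the real library the leaked bytes are whatever the allocator placed after the record buffer, which is why keys, cookies and passwords turn up in practice.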
For updated information on the VMware response I suggest that you subscribe to the RSS feed of the KB article at
Sorry dude, but the VMware KB link is not working. Delete this comment afterwards if you like. Cheers
Fixed the link, it should work now. Thanks.
In the KB link for the VMware KB you missed the second KB – so it doesn’t work.
Michael
I have fixed it; it should work now.
Unfortunately no one is writing anything about how to handle the potentially leaked information, such as SSL certificates and user names/passwords. Shouldn’t these all be changed?
Yes, the recommendation is to replace certificates, change passwords, and also place important servers behind a DMZ if not already.
Pingback: Newsletter: April 12, 2014 | Notes from MWhite