Apr 10 2014

SSH Communications Security Comments on Heartbleed Vulnerability

Key Facts:

  • SSH Communications Security’s products are not affected by the Heartbleed flaw. Customers are advised to patch any server where the vulnerable OpenSSL software is installed.
  • Because of the pervasive nature of the Heartbleed vulnerability, the length of time the flaw has been in place, and the broad access an attacker could potentially obtain, SSH Communications Security recommends that all Secure Shell keys used to establish trust relationships with affected systems be changed immediately after the Heartbleed patch has been installed, and that this key rotation be part of your organization’s standard remediation procedure.

Background:

The recently announced vulnerability in OpenSSL, called Heartbleed (CVE-2014-0160), is a serious vulnerability that impacts the majority of web servers in the world, as well as countless other applications that use the affected software. Because this vulnerability gives an attacker direct access to the web server’s memory, certificates, keys, passwords, financial information, customer information and other sensitive data may have been exposed.

TLS is a widely used encryption protocol that web servers commonly rely on to protect sensitive information in transit. Because Heartbleed allows an attacker to gain direct access to system memory – and because the logs would show nothing out of the ordinary – all of the data on the server may be compromised, and it is difficult to know whether an exploit has occurred at all. Because this vulnerability has existed for two years, organizations should assume that any system running vulnerable OpenSSL software might have been compromised.

For more information on Heartbleed, and to discover the steps required to remediate the vulnerability, please visit heartbleed.com.

Impact on Secure Shell

  • Heartbleed does not impact the security of the Secure Shell protocol itself. However, web servers and other hosts typically run both OpenSSL and Secure Shell. This means that if an attacker is able to read the system’s memory, it is possible to steal Secure Shell authentication credentials.
  • Because Heartbleed permits an attacker to gain direct access to the host’s memory, it should be assumed that all Secure Shell authentication credentials stored on the affected host may have been compromised.

Best practices for immediate remediation

  • Once affected systems have been patched, organizations should immediately rotate any Secure Shell keys and change any Secure Shell passwords stored on those systems. Potentially affected systems with stored Secure Shell user keys (either public or private user keys) should have those credentials rotated (i.e., replaced with new keys).
  • Any delay in rotating Secure Shell authentication credentials could enable an attacker to yet again access the system or utilize Secure Shell authentication credentials to compromise other network systems and applications.
  • Download a free Secure Shell key scanning tool at http://pages.ssh.com/SRA.html. This will allow you to locate Secure Shell keys on affected systems.
  • Heartbleed may have allowed attackers to create back doors into critical systems. It is critical that organizations monitor their environments for any anomalous activity.
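The remediation steps above call for locating and rotating every Secure Shell key on a patched host. The following is an added example, not the page’s own code and not the SSH Communications Security scanning tool: a small Python audit that inventories the entries of an authorized_keys file, computes each key’s OpenSSH-style SHA256 fingerprint, checks that the declared key type matches the type carried inside the key blob, and flags every entry for rotation when the file has not been rewritten since the patch time. The sample file, the patch timestamp and all key material are constructed for the example.

```python
import base64, hashlib, os, re, struct, tempfile
KEY_RE = re.compile(r"(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d+)\s+([A-Za-z0-9+/=]+)(?:\s+(\S.*))?$")

def _wire_blob(ktype: bytes, material: bytes) -> str:
    return base64.b64encode(struct.pack(">I", len(ktype)) + ktype
                            + struct.pack(">I", len(material)) + material).decode()

# Constructed sample (blobs built in OpenSSH wire format with dummy bytes, not real keys). The second
# entry is deliberately labelled ssh-rsa while its blob is ed25519, to exercise the type check.
SAMPLE_AUTHORIZED_KEYS = ("# constructed sample authorized_keys\n"
    f"ssh-ed25519 {_wire_blob(b'ssh-ed25519', bytes(32))} deploy@app01\n"
    f'command="/usr/bin/backup" ssh-rsa {_wire_blob(b"ssh-ed25519", bytes(range(32)))} backup@db01\n')

def fingerprint(raw: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint: base64 of the digest with '=' padding stripped."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")

def parse_authorized_keys(text: str) -> list:
    """One record per key line: declared type, type found inside the blob, fingerprint, comment, options."""
    records = []
    for line in (l.strip() for l in text.splitlines()):
        m = KEY_RE.search(line)
        if not m or line.startswith("#"):   # blank, comment or unparsable lines
            continue
        declared, b64, comment = m.groups()
        raw = base64.b64decode(b64)
        records.append({"declared_type": declared, "blob_type": raw[4:4 + struct.unpack(">I", raw[:4])[0]].decode(),
                        "fingerprint": fingerprint(raw), "comment": comment or "",
                        "options": line[:m.start()].strip()})
    return records

def audit_file(path: str, patched_at: float) -> list:
    """Flag every key in a file that has not been rewritten since the patch for rotation."""
    stale = os.path.getmtime(path) < patched_at
    with open(path) as f:
        records = parse_authorized_keys(f.read())
    for r in records:
        r["rotate"] = stale
        r["type_mismatch"] = r["declared_type"] != r["blob_type"]
    return records

def demo() -> list:
    """Write the sample to a temp file dated a day before a hypothetical patch time, then audit it."""
    with tempfile.NamedTemporaryFile("w", delete=False) as f:
        f.write(SAMPLE_AUTHORIZED_KEYS)
    patched_at = 1397000000.0                                   # hypothetical patch timestamp
    os.utime(f.name, (patched_at - 86400, patched_at - 86400))  # file untouched since before the patch
    records = audit_file(f.name, patched_at)
    os.unlink(f.name)
    return records
```

Run `audit_file` over each user’s authorized_keys and private key directories after patching; any entry still marked rotate has not been replaced.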

More Information & Customer Support:

For more information or to reach customer support please contact us at:

For general inquiries: http://www.ssh.com/about/contact

For customer support inquiries: https://support.ssh.com

by Jason Thompson, Former Vice President of Worldwide Marketing
Jason served as Vice President of Worldwide Marketing until October 2014.