Thycotic’s Cyber Security Publication

Infamous Heartbleed Bug Responsible for Over 4.5 Million Patient Records Leaked

September 9th, 2014

Heartbleed continues to haunt organizations as patching efforts remain neglected. In April we notified our customers that our solutions were unaffected, but unfortunately for millions of people that was not the case elsewhere. Over six months later, a data breach at Community Health Systems (CHS) has been attributed to the infamous Heartbleed vulnerability present in several versions of OpenSSL. CHS filed a report stating that it believes the attack occurred between April and June of 2014. After discovering the breach, the company hired Mandiant to investigate, and the investigation indicated that the attack originated from China. TrustedSec states in a blog post that, according to “a trusted and anonymous source close to the CHS investigation”, the attackers exploited the Heartbleed vulnerability on a network device to obtain user credentials and then used them to log into a VPN.

As a reminder of what the Heartbleed vulnerability is, US-CERT provides a detailed description: OpenSSL versions 1.0.1 through 1.0.1f and the beta versions of 1.0.2 contain a flaw in their TLS/DTLS heartbeat functionality that allows an attacker to retrieve private memory of an application running a vulnerable OpenSSL version. The memory is returned to the attacker in 64 KB chunks, but the request can be repeated to gather large amounts of memory over time. That memory can contain usernames, passwords, information about running services, and other sensitive data that gives attackers an idea of what else they can exploit on the victim’s machines.

The first thing to do is check whether you are running a vulnerable version of OpenSSL. Open source web servers such as Apache are important to check, as are Linux distributions that have not been updated since installation. The following Linux distributions shipped with pre-installed versions of OpenSSL that are now known to be vulnerable:

  • Debian Wheezy (stable)
  • Ubuntu 12.04.4 LTS
  • CentOS 6.5
  • Fedora 18
  • OpenBSD 5.3
  • FreeBSD 10.0
  • NetBSD 5.0.2
  • OpenSUSE 12.2

If any of the above-mentioned operating systems are still running a vulnerable version of OpenSSL, they need to be updated as soon as possible. The installed OpenSSL version on a Linux distribution can be checked with the terminal command “openssl version -a”, but updating it to a fixed version is a process that varies by operating system. All package managers share the same basic procedure: the standard “update” and “upgrade” commands apply here.

After updating OpenSSL, any certificates on the server that was patched need to be revoked and replaced. Because the server was running a vulnerable version of OpenSSL, any and all passwords of accounts on the network need to be changed. The vulnerability had existed in OpenSSL for almost two years before it was publicly disclosed in April 2014, so attackers have had plenty of time to gather information about their victims’ networks; it is good practice to simply change all passwords on the network to be safe.

Once OpenSSL is updated to a fixed version and new SSL certificates are in place, your website should be safe from further exploitation of the Heartbleed vulnerability. A brief note about older versions: the fix was also backported to older versions of OpenSSL for users whose infrastructure or operating systems would have problems with a newer release. In that case, so long as you have updated appropriately, the reported OpenSSL version may still appear on the “vulnerable versions” list even though the Heartbleed fix is in place. This is why it is important to check thoroughly whether you are vulnerable, for example by using one of the free testers available on the web. Besides checking your own server, it is a good idea to test the sites you associate with, such as partners and cloud service providers: the login credentials you send to those sites are not safe unless those companies have patched their servers as well.
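To make the version check and the backport caveat concrete, here is an added POSIX shell example (not code from the original post) that triages the output of “openssl version -a”: it reports whether the version string falls in the affected range and, if it does, uses the “built on:” date as a hint for a vendor backport. The 7 April 2014 cut-off (the day the fix was published) and the constructed sample outputs are assumptions for illustration; a result of “in-range-backport?” still has to be confirmed against the vendor changelog or with a heartbeat tester.

```shell
#!/bin/sh
# Added example (not from the original post): triage `openssl version -a` output for Heartbleed.
# A version in the affected range is only a hint, since distributions backport the fix without
# changing the version string, so the build date is consulted and the result says what remains.

# Month abbreviation -> two-digit number, so "built on:" dates compare without GNU date.
month_num() {
    case "$1" in
        Jan) echo 01;; Feb) echo 02;; Mar) echo 03;; Apr) echo 04;;
        May) echo 05;; Jun) echo 06;; Jul) echo 07;; Aug) echo 08;;
        Sep) echo 09;; Oct) echo 10;; Nov) echo 11;; Dec) echo 12;; *) echo 00;;
    esac
}

# heartbleed_triage "<text of openssl version -a>" prints exactly one of:
#   not-in-range        version outside 1.0.1..1.0.1f and the 1.0.2 betas
#   in-range-unknown    version in range, build date unreadable: treat as vulnerable
#   in-range-old-build  version in range, built before the fix (7 Apr 2014): vulnerable
#   in-range-backport?  version in range but built on/after the fix date: a vendor
#                       backport is likely; confirm via the changelog or a heartbeat tester
heartbleed_triage() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9a-zA-Z.-]*\).*/\1/p' | head -n 1)
    built=$(printf '%s\n' "$1" | sed -n 's/^built on: *//p' | head -n 1)
    case "$ver" in
        1.0.1|1.0.1-*|1.0.1[a-f]*|1.0.2-beta*) ;;   # e.g. 1.0.1e, 1.0.1e-fips, 1.0.2-beta1
        *) echo not-in-range; return 0 ;;
    esac
    # "Mon Apr  7 22:23:45 UTC 2014" -> fields: weekday month day time zone year
    set -- $built
    [ $# -ge 5 ] || { echo in-range-unknown; return 0; }
    for year in "$@"; do :; done            # last field is the year
    case "$year" in [0-9][0-9][0-9][0-9]) ;; *) echo in-range-unknown; return 0 ;; esac
    stamp="$year$(month_num "$2")$(printf '%02d' "$3")"
    if [ "$stamp" -ge 20140407 ]; then echo 'in-range-backport?'; else echo in-range-old-build; fi
}

# Constructed sample outputs (not captured from real hosts) for stand-alone runs.
SAMPLE_OLD='OpenSSL 1.0.1e 11 Feb 2013
built on: Wed Feb 19 12:00:00 UTC 2014'
SAMPLE_BACKPORT='OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Mon Apr 21 09:30:00 UTC 2014'
SAMPLE_NODATE='OpenSSL 1.0.1f 6 Jan 2014
built on: reproducible build, date unspecified'
for s in "$SAMPLE_OLD" "$SAMPLE_BACKPORT" "$SAMPLE_NODATE"; do
    printf '%s -> %s\n' "$(printf '%s\n' "$s" | head -n 1)" "$(heartbleed_triage "$s")"
done
# Against this host; skipped when openssl is not installed.
if command -v openssl >/dev/null 2>&1; then heartbleed_triage "$(openssl version -a 2>/dev/null)"; fi
```

A “not-in-range” result only means the version string is outside the affected range; it says nothing about other OpenSSL issues, so keep the package itself current.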


Thycotic Team
