While most of the buzz surrounding OpenSSL’s Heartbleed vulnerability focused on websites and other servers, the SANS Institute said software running on PCs, tablets and more is just as vulnerable.
SANS Institute analyst Jake Williams said black hats knew about the data-leaking bug well before its public discovery and disclosure.
Williams – aka MalwareJake – said vulnerable OpenSSL installations on the client side can be attacked by malicious servers to extract passwords and cryptographic keys from users’ computers and gadgets, according to a report in The Register.
Williams said a dodgy server could easily send a message to vulnerable software on phones, laptops, PCs, home routers and other devices, and retrieve up to 64KB of highly sensitive data from the targeted system at a time. It’s an attack that would probably yield handy amounts of data if deployed against users of public Wi-Fi hotspots, he said.
Writing code to exploit vulnerabilities in clients is “not going to be that difficult to do,” he said.
Security penetration testers are going to find themselves in work “through 2020” with this bug, Williams said, and noted that it’s going to be hard to identify vulnerabilities in some environments. For example, he said, it’s going to be hard to tell whether Windows client programs were compiled against vulnerable OpenSSL versions.
And that’s not to mention all the “non-port-443” software that might end up compiled to vulnerable versions of OpenSSL — email servers, databases, LDAP services, and so on.
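One way to start the inventory problem described above is to look for OpenSSL’s embedded version banner in executables and libraries. The scanner below is an added example, not code from the article or from SANS; it flags the Heartbleed-affected releases (1.0.1 through 1.0.1f and 1.0.2-beta1), and the sample byte blob it ships with is constructed, not taken from any real program.

```python
import re
import sys
from pathlib import Path

# OpenSSL embeds its version banner (OPENSSL_VERSION_TEXT), e.g.
# "OpenSSL 1.0.1e 11 Feb 2013", in libssl/libcrypto and in every program
# that links them statically, so a raw byte search covers stripped binaries.
_VERSION = r"(\d+\.\d+\.\d+)([a-z]?)(-(?:beta\d+|dev))?"
BANNER_RE = re.compile(("OpenSSL " + _VERSION).encode())
VERSION_RE = re.compile(_VERSION)

def is_heartbleed_version(version: str) -> bool:
    """True for 1.0.1 .. 1.0.1f and 1.0.2-beta1; 1.0.1g and 1.0.2-beta2 are fixed.
    The 1.0.0 and 0.9.8 branches never carried the heartbeat extension."""
    m = VERSION_RE.fullmatch(version)
    if m is None:
        return False
    base, letter, suffix = m.groups()
    if base == "1.0.1":
        return letter <= "f"      # "" (plain 1.0.1) sorts before "a"
    if base == "1.0.2":
        return suffix == "-beta1"
    return False

def find_openssl_versions(data: bytes) -> list:
    """Return the distinct OpenSSL version strings embedded in a binary blob."""
    found = []
    for m in BANNER_RE.finditer(data):
        v = m.group(0)[len(b"OpenSSL "):].decode("ascii")
        if v not in found:
            found.append(v)
    return found

def assess(data: bytes) -> dict:
    """Map each embedded OpenSSL version to whether it is Heartbleed-affected."""
    return {v: is_heartbleed_version(v) for v in find_openssl_versions(data)}

def scan_tree(root: str) -> dict:
    """Walk a directory and report every file that embeds an OpenSSL banner."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            try:
                result = assess(path.read_bytes())
            except OSError:
                continue
            if result:
                report[str(path)] = result
    return report

# Constructed sample standing in for a stripped client executable that
# statically links a vulnerable OpenSSL; not taken from any real program.
SAMPLE_BINARY = (b"\x7fELF\x02\x01\x01" + b"\x00" * 16
                 + b"OpenSSL 1.0.1e 11 Feb 2013\x00"
                 + b"TLSv1 part of OpenSSL 1.0.1e 11 Feb 2013\x00")

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else None
    results = scan_tree(root) if root else {"<constructed sample>": assess(SAMPLE_BINARY)}
    for path, versions in results.items():
        for v, vuln in versions.items():
            print(f"{path}: OpenSSL {v} -> {'AFFECTED' if vuln else 'not affected'}")
```

A banner hit is a lead, not proof: Linux distributions commonly backport the fix while keeping the 1.0.1e letter, so confirm against the vendor’s package version, and programs that load the system libssl dynamically carry no banner of their own and must be checked through the shared library instead.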
Williams also said the risk that the vulnerability could reveal site certificates means that if an attacker has previously recorded encrypted sessions, he or she will now be able to decrypt that traffic.
Worse, he said, it’s also feasible that what turns up in the leaked memory could give attackers hints at how to take the axe to other software, turning known bugs currently seen as “hard to exploit” into easy kills.
Another issue easily overlooked, he said, is in the cloud: admins running VMs in a cloud environment must find their cloud machines and make sure their code base isn’t Heartbleed-vulnerable.
User training is going to be another big issue: end-users are going to have to be trained to check certificate issue dates, to make sure their trusted services (like the bank) have re-issued their certificates.
Then, he added, there are thousands of “shoestring budget” VPN concentrators in smaller businesses that will be vulnerable and probably won’t undergo updates.