The OpenSSL Heartbeat Vulnerability: Forgotten Attack Vectors

The web is abuzz with reports of the OpenSSL Heartbeat vulnerability. It is no exaggeration to say that this is the most serious vulnerability to come along in several years. There are many good write-ups about it and I don’t need to repeat them here, but the bottom line is that sensitive information like, oh, usernames and passwords can be remotely scraped from sites like, oh, your bank. And there is no log to indicate that it happened.

So while everyone focuses on getting their web servers patched, I wanted to point out a few areas where people may not be looking:

  • Mail servers use SSL to send mail and deliver it to you. If you run a mail server, patch your system and restart your mail services.
  • Windows servers don’t just run IIS. They run Apache, too. Sometimes vendors bundle Apache and/or OpenSSL with their applications and start an administrative interface on high-numbered ports.
  • Proxy servers, especially those that do SSL-interception, may be vulnerable.
  • SSL-based VPNs are ripe for the picking.
  • Embedded devices may use OpenSSL. A lights-out remote-management device would be another juicy target for attackers.

After you have your publicly-facing web site patched, think laterally. There’s more to this than meets the eye.
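Patching the package is only half of the job: every long-running service (mail daemons, a vendor-bundled Apache on a high-numbered port, a proxy) keeps the old, vulnerable libssl mapped in memory until it is restarted. On Linux the kernel marks a mapping whose file has been replaced on disk as "(deleted)" in /proc/<pid>/maps, which makes the stragglers easy to enumerate. The script below is an added example, not part of the original post; it parses that maps format and walks /proc to report processes still holding a replaced libssl or libcrypto. The sample maps text is constructed for illustration. Two caveats: it only sees dynamically linked OpenSSL (a vendor binary with OpenSSL statically compiled in, or an embedded device, will not show up), and reading other users' maps files requires root.

```python
"""Report processes that still map a replaced (pre-patch) libssl/libcrypto.

Added example, not code from the original post. Linux-only: it relies on
the "(deleted)" marker the kernel appends in /proc/<pid>/maps when the
file backing a mapping has been replaced or removed.
"""
import os
import re

# Matches the OpenSSL shared-object names (libssl.so*, libcrypto.so*).
# It deliberately does not match e.g. /usr/lib/ssl/ directory names.
_OPENSSL_SO_RE = re.compile(r"lib(ssl|crypto)[^/\s]*\.so")

# Constructed sample of a /proc/<pid>/maps file for a service that was
# started before the OpenSSL package was upgraded. libz is also stale but
# is not our concern here; libc is mapped from a live file.
SAMPLE_MAPS = """\
7f3a1c000000-7f3a1c021000 rw-p 00000000 00:00 0
7f3a1c2a0000-7f3a1c4f0000 r-xp 00000000 08:01 1311215 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a1c4f0000-7f3a1c6f0000 ---p 00250000 08:01 1311215 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a1c700000-7f3a1c8c0000 r-xp 00000000 08:01 1311204 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f3a1cb00000-7f3a1ccb0000 r-xp 00000000 08:01 1310733 /lib/x86_64-linux-gnu/libc-2.19.so
7f3a1cf00000-7f3a1cf20000 r-xp 00000000 08:01 1311300 /usr/lib/x86_64-linux-gnu/libz.so.1.2.8 (deleted)
"""

_DELETED = " (deleted)"


def stale_openssl_mappings(maps_text):
    """Return the set of OpenSSL library paths in one maps dump whose
    backing file was replaced after the process loaded it."""
    stale = set()
    for line in maps_text.splitlines():
        # Column layout: address perms offset dev inode pathname [(deleted)]
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue  # anonymous mapping, no pathname
        pathname = parts[5]
        if pathname.endswith(_DELETED) and _OPENSSL_SO_RE.search(pathname):
            stale.add(pathname[: -len(_DELETED)])
    return stale


def scan_proc(proc_root="/proc"):
    """Walk proc_root and return {pid: (comm, stale_paths)} for every process
    still holding a replaced libssl/libcrypto. Unreadable or vanished
    processes are skipped."""
    findings = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps")) as f:
                maps_text = f.read()
            with open(os.path.join(proc_root, entry, "comm")) as f:
                comm = f.read().strip()
        except OSError:
            continue  # permission denied or the process exited
        stale = stale_openssl_mappings(maps_text)
        if stale:
            findings[int(entry)] = (comm, stale)
    return findings


if __name__ == "__main__":
    for pid, (comm, paths) in sorted(scan_proc().items()):
        print("%6d %-16s needs restart: %s" % (pid, comm, ", ".join(sorted(paths))))
```

Run it as root right after the package upgrade; anything it lists is a service that is still serving the old code and must be restarted (or the host rebooted). An empty result only clears the dynamically linked case, so vendor-bundled and embedded builds still need to be checked against the vendor's own advisory.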
