CERT Researchers' Take on the Heartbleed Bug
The recent discovery of the Heartbleed bug has been well publicized. The Heartbleed bug is a serious vulnerability in the OpenSSL cryptographic software library. This weakness enables attackers to steal information that, under normal conditions, is protected by the SSL/TLS encryption used to secure the internet.
The OpenSSL Heartbleed bug is an important vulnerability that is affecting the internet. Updating to fixed versions of affected software is only part of the solution. From system administrators to end users, we all are likely impacted in some way.
—Will Dormann, CERT Vulnerability Analyst
Read the Q&A Blog Post by Will Dormann
In a blog post from May 12, 2014, Will Dormann answers questions that Heartbleed and its aftermath left in their wake, such as:
- Would the vulnerability have been detected by static analysis tools?
- If the vulnerability has been in the wild for two years, why did it take so long to bring this to public knowledge now?
- Who is ultimately responsible for open-source code reviews and testing?
- Is there anything we can do to work around Heartbleed to provide security for banking and email web browser applications?
Listen to Our Webinar: "A Discussion on Heartbleed: Analysis, Thoughts, and Actions"
On April 25, 2014, technical staff from the SEI and Codenomicon discussed the impact of the recently announced Heartbleed OpenSSL vulnerability along with methods to mitigate and even prevent crises like this in the future.
Chris Clark, Security Engineer from Codenomicon, one of the cybersecurity organizations that discovered the Heartbleed vulnerability, joined technical staff members from the CERT and Software Solutions divisions of the SEI and the SEI's Information Technology department. Panelists discussed how software vulnerabilities like Heartbleed can be mitigated through the different phases of the secure software lifecycle using techniques available today. They also discussed how changes to our current software development and management techniques need to be managed to more effectively reduce the effects of incidents like Heartbleed.
Register to listen to a recording of the webinar.
- Will Dormann has been a software vulnerability analyst with the CERT Coordination Center (CERT/CC) since 2004. His focus areas include web browser technologies, ActiveX, and fuzzing. Will has discovered thousands of vulnerabilities using a variety of tools and techniques.
- Robert Seacord is a senior vulnerability analyst in the CERT Division at the SEI, where he leads the Secure Coding Initiative. Robert is the author of The CERT C Secure Coding Standard (Addison-Wesley, 2014) and Secure Coding in C and C++ (Addison-Wesley, 2002) as well as co-author of two other books. Robert is an adjunct professor at Carnegie Mellon University.
- Christopher Clark, a twenty-two-year veteran of the information technology world, is a Security Engineer at Codenomicon, the world's leader in "Fuzzing". Chris uses his extensive background and experience to help organizations effectively integrate meaningful security practices into their environments.
- Brent Kennedy is a member of the CERT Cyber Security Assurance team focusing on penetration testing operations and research. Brent leads an effort that partners with the DHS National Cybersecurity Assessments and Technical Services (NCATS) team to develop and execute a program that offers risk and vulnerability assessments to federal, state, and local entities.
- William Nichols joined the SEI in 2006 as a senior member of the technical staff and serves as a Personal Software Process (PSP) instructor and Team Software Process (TSP) Mentor Coach with the TSP Initiative within the Software Solutions Division at the SEI.
- Jason McCormick has been with SEI Information Technology Services since 2004 and is currently the Manager of Network and Infrastructure Engineering. He oversees datacenter, network, storage, and virtualization services and plays a key role in information security policy, practices, and technologies for the SEI.
There is no one-size-fits-all solution here; unfortunately, organizations will have to make decisions based on their own risk tolerances and costs.
—Jason McCormick, CERT Manager of Network and Infrastructure Engineering
Get the Latest Information
The vulnerability note VU#720951, OpenSSL Heartbeat Extension Read Overflow Discloses Sensitive Information, was released on April 7, 2014. Vulnerability notes are living documents that are maintained by CERT researchers. This note lists which vendor sites are affected by the vulnerability and which vendors have posted patches.
Media Coverage of the Heartbleed Bug
The following is a partial list of articles and blog entries that our researchers contributed to.
- Heartbleed Flaw Lingers Due to Shaky Response
- The Morning Download: Heartbleed Hits Routers, Switches, Firewalls—and CIOs (The Wall Street Journal)
- Heartbleed: Now Comes the Hard Work of Damage Assessment (The Wall Street Journal)
- 'Heartbleed' Mystery: Did Criminals Take Advantage of Cyber-Security Bug? (The Christian Science Monitor)
- Heartbleed Bug Could Bleed Millions of Usernames, Passwords
- Heartbleed Vulnerability: Change Your Passwords (Fox News, St. Louis Affiliate)
- Heartbleed Bug Puts Millions of Online Accounts in Jeopardy
- Heartbleed Will Go On Even After the Updates
- Determining Heartbleed Exfiltration (Data Breach Today)
- What Heartbleed Means for Newsrooms (The ProPublica Nerd Blog)
- How to Treat the Heartbleed Bug (Bank Info Security)
- Heartbleed Bug: What You Need to Know (Bank Info Security)
- DHS Evaluating Heartbleed Impact
For More Information
For more information about this vulnerability, see the Heartbleed Bug website.
Read Answers to Common Heartbleed Questions
Will Dormann answers questions related to the Heartbleed vulnerability.
Listen to Our Heartbleed Webinar
Listen to technical staff from the SEI and Codenomicon discuss the impact of the Heartbleed bug.
Read Up-to-the-Minute News
Our researchers created a vulnerability note about the Heartbleed bug that records information about affected vendors as well as other useful information.