[Last updated May 5th 2014]
What is heartbleed?
Heartbleed is a vulnerability in the OpenSSL library used by many products and servers to secure web-based traffic. The vulnerability allows small chunks of memory to be exposed, which could include information such as user passwords or the private keys of the server.
What do I need to do as a user?
There are several lists which track the status of popular sites and what action you should take. You’ll need to change the passwords for at least some sites you use. But in general, you should be using strong and unique passwords for every site you visit. Then if your password for one site is compromised, the damage is limited to that site. Tools such as 1Password and LastPass can help you generate and safely store these passwords.
What do I need to do as a web server administrator?
If you run a web server that is accessible via the internet, you will need to check if you are using one of the affected versions of OpenSSL. If you are, you’ll need to update the software and potentially regenerate server keys and reset passwords. The EFF has a good guide to the steps. Even if the server is only accessible on an internal network, you should at least make sure that the patched version of OpenSSL is installed.
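As an added example (not from the original post, and not OpenSSL's own tooling), the following POSIX shell script shows what the "check which OpenSSL you are running" step looks like on a Linux server. The version range it uses is the well-known affected range for CVE-2014-0160 (OpenSSL 1.0.1 through 1.0.1f, plus 1.0.2-beta1; 1.0.1g and 1.0.2-beta2 are the fixed releases, and the 0.9.8 and 1.0.0 branches never carried the heartbeat code) rather than something this page states. The function names and the sample output are constructed for the example. It also covers the caveat that catches people out: distributions backport the fix without changing the version letter, and some builds compile the heartbeat extension out (visible as -DOPENSSL_NO_HEARTBEATS in `openssl version -a`), so a version-string match means "go and check the package changelog or build date", not "vulnerable".

```shell
#!/bin/sh
# Added example, not part of the original post or of OpenSSL itself.
# Classifies an "openssl version" string against the Heartbleed-affected
# range (CVE-2014-0160: OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1;
# 1.0.1g and 1.0.2-beta2 are the fixed releases; 0.9.8 and 1.0.0 never
# had the heartbeat code). Function names are chosen for this example.

heartbleed_version_status() {
    # $1: a line such as "OpenSSL 1.0.1e 11 Feb 2013"
    ver=${1#OpenSSL }      # strip the leading "OpenSSL "
    ver=${ver%% *}         # keep only the version token
    case "$ver" in
        1.0.1|1.0.1[a-f]|1.0.2-beta1)      echo "affected-range" ;;
        1.0.1[g-z]*|1.0.2*|1.1.*|3.*)      echo "not-in-range" ;;
        0.9.8*|1.0.0*)                     echo "unaffected-branch" ;;
        *)                                 echo "unknown" ;;
    esac
}

# Distributions often backport the fix without bumping the version letter,
# and some builds compile the heartbeat extension out entirely. The
# -DOPENSSL_NO_HEARTBEATS flag shows up in "openssl version -a" output when
# that was done, so check for it before treating a version hit as vulnerable.
heartbeats_compiled_out() {
    # $1: the full multi-line output of "openssl version -a"
    case "$1" in
        *-DOPENSSL_NO_HEARTBEATS*) echo "yes" ;;
        *)                         echo "no" ;;
    esac
}

# Constructed sample output, standing in for a real "openssl version -a"
SAMPLE_VERSION_A='OpenSSL 1.0.1e 11 Feb 2013
built on: Tue Apr  8 10:31:02 UTC 2014
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_NO_HEARTBEATS -O3 -Wall'

# Check the local binary when one is present; otherwise fall back to the sample
if command -v openssl >/dev/null 2>&1; then
    verbose=$(openssl version -a 2>/dev/null)
else
    verbose=$SAMPLE_VERSION_A
fi
first_line=$(printf '%s\n' "$verbose" | head -n 1)
status=$(heartbleed_version_status "$first_line")
if [ "$status" = "affected-range" ] && \
   [ "$(heartbeats_compiled_out "$verbose")" = "yes" ]; then
    status="heartbeats-disabled"
fi
echo "$first_line -> $status"
```

Run it on each server as the same user that runs the web server, since a hand-built OpenSSL in /usr/local can differ from the distribution package. An "affected-range" result on a distribution package is the cue to compare the package's build date against your vendor's fix date; "heartbeats-disabled" or "not-in-range" still leaves the key-regeneration and password-reset questions from the EFF guide to be answered for any period the old build was exposed.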
What do I need to do as a system administrator?
OpenSSL is not only used on servers but also on many devices and applications which provide a secured web interface. You will need to catalogue your devices and applications, prioritising those connected to the internet, such as routers and remote access devices. Then check with each manufacturer to see if your device is affected and whether an update is available. The Heartbleed bug was introduced about two years ago, so older devices are less likely to be affected unless they have been more recently patched.
Here are the results for some of the products we commonly install for customers. If you need any assistance checking or patching products, please get in touch.
VMware
The affected products and patches are listed in Security Advisory VMSA-2014-0004.7. Most SMEs will only be affected if they have already upgraded to ESXi 5.5 and vCenter 5.5 – prior versions of these products are not affected.
Equallogic
Dell Equallogic storage arrays running version 7 firmware are affected. A patch was released on April 23rd 2014 and is available through the Dell customer support site.
Sonicwall
Dell Sonicwall firewalls are not affected but Analyzer 7.2 (formerly known as Viewpoint) is affected.
Dell
Most other Dell products typically used by SMEs are not affected. Check the full list on their remediation page.
HP
A number of HP server products are vulnerable to Heartbleed, most significantly the System Management Homepage on Linux and Windows. Note also that running a Heartbleed vulnerability scanner against some iLO versions can cause iLO to lock up, requiring a full server power cycle to resolve. A patch is available.
Cisco
A number of Cisco products are affected. Their advisory page is being updated with information and fixes as they become available.
Checkpoint
Checkpoint products are largely unaffected. Checkpoint Mobile VPN for iOS and Android need to be updated.
Veeam
Veeam Backup And Restore is not affected.
NetillaOS
NetillaOS, used in the AEP and now Northbridge Secure remote access devices, is not affected.
Trend Micro
Trend Micro products are for the most part not affected. The exception is Deep Security Relay for which a patch is available.
AVG
AVG’s guidance is still unclear, but its products are believed not to be affected.
Symantec
Symantec has a wide product portfolio so unsurprisingly a few are affected. The most common Symantec products we see in use at SMEs – Backup Exec, DLO and Enterprise Vault – are however not affected. Some Norton antivirus products are theoretically affected but the risk is very low. As long as your Norton products are being kept up to date, signature files and updates will automatically be installed to mitigate and resolve the issue.
Microsoft
Microsoft does not use OpenSSL, so it is believed that none of their cloud or server products are affected.
Novell
Most core Novell products are not affected, apart from some versions of File Reporter and Storage Manager. openSUSE 12.3 and 13.1 are affected and need to be patched, but older SUSE versions are unaffected.