A critical vulnerability in OpenSSL (CVE-2014-0160: OpenSSL Private Key Disclosure Vulnerability) was recently disclosed, which affects servers running OpenSSL 1.0.1 through 1.0.1f, estimated at ”over 17% of SSL web servers which use certificates issued by trusted certificate authorities.” The vulnerability essentially compromises the integrity of SSL encryption, allowing attackers to steal sensitive data from this secure channel.
The vulnerability, also know as the Heartbleed bug, most severely impacts enterprise servers running vulnerable versions of OpenSSL, and in a worst-case scenario could expose end-user communication over SSL encryption.
Palo Alto Networks immediately addressed this vulnerability, ensuring our customers are protected against exploitation of Heartbleed, including the following updates:
- PAN-OS, our core operating system, is not impacted by CVE-2014-0160, as we are not using a vulnerable version of the OpenSSL library
- We released a content update on April 9th, 2014 that automatically detects and immediately blocks attempted exploitation of the vulnerability (IPS vulnerability signature ID 36416)
To be clear, Palo Alto Networks software is not vulnerable, and customers with a Threat Prevention subscription, and their users, are protected from Heartbleed. We advise that all Threat Prevention users ensure they are running the latest content version on their device.
Furthermore, we recommend that all enterprises update their web servers to the latest patched version of OpenSSL available as of April 7, 2014 (1.0.1g), and immediately replace SSL private keys after the patch is in place. Given the close relationships many of you have with your vendors and partners, it is important that you help identify vulnerable systems, and notify partners immediately.
As an end-user, continue to practice good Internet hygiene, such as not accessing public Wi-Fi hotspots, clicking on unknown links in email, or downloading and opening suspicious files.
[Source: Palo Alto Networks Research Center]