The last couple of weeks have brought us news of a critical vulnerability in the open source OpenSSL library, which is used by a very large number of servers to provide secure communication via SSH and other mechanisms.
I won’t rehash the intricacies behind it. Several others, such as IOActive, have done a great job detailing the issue, and Wikipedia also has a good article. Basically, a failure to check bounds on incoming packets allows an attacker to get 64kB of memory from a server, all without any log entry indicating it. The region of memory given to an attacker may contain anything, including private keys, which would allow someone to access the server and do anything. It is also possible to impersonate the server and do all kinds of things.
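The missing bounds check, as an added example that is not from the original post and is not OpenSSL's code: a simplified heartbeat handler that trusts the length field inside the message, next to one that discards messages whose claimed payload does not fit the received record. The field layout (1-byte type, 2-byte payload length, at least 16 bytes of padding) follows RFC 6520; the function names and the simulated memory buffer are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_HDR 3   /* type (1 byte) + payload_length (2 bytes), per RFC 6520 */
#define HB_PAD 16  /* minimum padding a heartbeat message must carry */

typedef long (*hb_handler)(const uint8_t *, size_t, uint8_t *, size_t);

/* The flaw: echoes as many bytes as the message claims to contain. */
long hb_reply_unchecked(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t cap) {
    if (rec_len < HB_HDR) return -1;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (claimed > cap) return -1;
    memcpy(out, rec + HB_HDR, claimed);   /* can read past rec_len */
    return (long)claimed;
}

/* The check: silently discard if header + payload + padding exceeds the record. */
long hb_reply_checked(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t cap) {
    if (rec_len < HB_HDR + HB_PAD) return -1;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HDR + claimed + HB_PAD > rec_len || claimed > cap) return -1;
    memcpy(out, rec + HB_HDR, claimed);
    return (long)claimed;
}

/* Constructed stand-in for server memory: a 3-byte record that claims a
   32-byte payload, followed by unrelated data. One array, so the over-read
   stays inside it and the demo itself is well-defined C. */
static uint8_t sim_mem[64];
static const char SECRET[] = "CONSTRUCTED-SECRET";

/* Returns 1 if the handler's reply contains bytes from outside the record. */
int leaks_adjacent(hb_handler handler) {
    uint8_t out[64];
    memset(sim_mem, 0, sizeof sim_mem);
    sim_mem[0] = 1; sim_mem[1] = 0; sim_mem[2] = 32;   /* type, length = 32 */
    memcpy(sim_mem + HB_HDR, SECRET, sizeof SECRET - 1);
    long n = handler(sim_mem, HB_HDR, out, sizeof out);
    return n > 0 && memcmp(out, SECRET, sizeof SECRET - 1) == 0;
}

int main(void) {
    printf("unchecked leaks: %d\n", leaks_adjacent(hb_reply_unchecked));
    printf("checked leaks:   %d\n", leaks_adjacent(hb_reply_checked));
    return 0;
}
```

Neither handler writes a log entry when it rejects or over-reads, which matches the point above that the leak leaves no trace on the server.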
A lot has already been said. The bug was introduced over 2 years ago, and the community is wondering who might have known about it and exploited it. Many have scurried to fix their servers. CloudFlare issued a challenge to see whether someone could recover their private keys, and someone succeeded, meaning the attack is real and it is devastating.
But, as always, embedded systems running Linux that provide SSH access are vulnerable if they use the affected OpenSSL libraries. Millions of routers might be affected, although the good news is that most people do not enable SSH access from the outside, which makes the attack impossible without the use of other vectors.
But what about embedded systems in other networks that are not routers? Linux is used by millions of these devices, and SSH usually provides a very convenient way to configure a deployed system. Updating the firmware on these devices can be a nightmare or even impossible in some cases.
Aside from fixing the OpenSSL library, new certificates must be generated and used. The number of embedded devices can make this very difficult or impossible to manage, especially if they don’t have update capabilities. As always, small embedded devices fare the worst when these kinds of issues come up. Considering that the IoT intends to connect all of our devices, we really have to ensure that our fixes to these kinds of issues can scale.
No doubt, we will feel the impact of Heartbleed for a while.