SB-1 2014-04-09 OpenSSL “Heartbleed” vulnerability
Service bulletin: SB-1
Date: April 8, 2014
The OpenSSL security library has been found to be vulnerable to an attack that retrieves memory from server processes, including private key material and session cookie IDs. The attack is straightforward and leaves no trace in logs. OpenSSL is the most common library used to implement SSL/TLS encryption, and this flaw affects millions of servers and websites around the world. OpenSSL is used within SD-WAN for various security purposes. The bug is known as Heartbleed and is described below.
Affected hosts
Management servers
Solution
We took these steps to solve the vulnerability:
We upgraded management servers after 7 PM PST on April 8, 2014. This did not impact bonded customer traffic. The updated version of the management server package is 2014.1-6.
We regenerated keys used by the SD-WAN web server.
For sites using self-signed SSL certificates, the certificates were recreated. Users received a browser SSL warning the next time they visited the site.
For sites using properly signed SSL certificates, we sent the partner an updated Certificate Signing Request and worked with the partner to update the certificate.
Bonders and aggregators use OpenSSL, but never in TLS server mode with affected versions of the library. As such, node keys do not need to be regenerated.