Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Akamai Reissuing SSL Keys After Flaw Found in Heartbleed Mitigation

Akamai Technologies admitted custom code thought to protect against the Heartbleed vulnerability has a flaw of its own and has forced the company to reissue SSL certificates and keys to its customers.

Akamai Technologies admitted custom code thought to protect against the Heartbleed vulnerability has a flaw of its own and has forced the company to reissue SSL certificates and keys to its customers.

Last week, Akamai Technologies Chief Security Officer Andy Ellis blogged that while the company had been exposed to the vulnerability, its custom memory allocator protected against nearly every circumstance by which Heartbleed could have leaked SSL keys. However, recent findings by an independent security researcher forced the company to backtrack.

“Over the weekend, an independent security researcher contacted Akamai about some defects in the software we use for memory allocation around SSL keys,” blogged Ellis. “We discussed Friday how we believed this had provided our SSL keys with protection against Heartbleed and had contributed the code back to the community. The code that we had contributed back was, as we noted, not a full patch, but would be a starting point for improving the openssl codebase.” 

“In short: we had a bug,” Ellis added. “An RSA key has 6 critical values; our code would only attempt to protect 3 parts of the secret key, but does not protect 3 others. In particular, we only try to protect d, p, and q, but not d mod (p-1), d mod (q-1), or q^{-1} mod p. These intermediate extra values (the Chinese Remainder Theorem, or CRT, values) are calculated at key-generation time as a performance improvement. As the CRT values were not stored in the secure memory area, the possibility exists that these critical values for the SSL keys could have been exposed to an adversary exploiting the Heartbleed vulnerability. Given any CRT value, it is possible to calculate all 6 critical values.”

The issue was found in Akamai’s code by security researcher Willem Pinckaers. As a result of the finding, the company is rotating all customer SSL keys/certificates. Some of these certificates will quickly rotate, while others will require extra validation with the certificate authorities and may take longer.

Since the bug’s public disclosure last week, researchers have confirmed that the vulnerability does allow attackers to steal a Web server’s private SSL keys. While it remains unclear how extensively the two-year old bug has been exploited, authorities in Canada said Monday that as many as 900 Canadian taxpayers had their data stolen due to a Heartbleed attack. 

“This is indeed one of the worst vulnerabilities in the history of the web,” said Amit Sethi, technical manager at Cigital. “It has been present in OpenSSL for over two years, during which time it has made it into a lot of software. Unlike many other vulnerabilities in SSL implementations that we have heard about in recent years, this one does not require the attacker to be positioned between your computer and the server. The attacker can go directly to the server and get any information that you recently exchanged with it over a secure channel.”

According to Symantec, none of the websites in Alexa’s top 1,000 websites is currently vulnerable. Within the Alexa top 5,000, only 24 sites were vulnerable as of April 12. Within the top 50,000, only 1.8 percent of the sites are susceptible to Heartbleed.

“On the positive side, high-profile websites have been addressing the issue very quickly either by fixing it or by taking down their applications while they create a mitigation plan,” Sethi said. “On the negative side, we may never know the full extent of the information that might have been stolen. We will likely see various attacks that use the stolen information in the days and weeks to come.”

Written By

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.