A few months after details of the Heartbleed vulnerability surfaced, OpenSSL published a document outlining the project’s various objectives. One of those objectives was met on Sunday with the release of the organization’s first security policy.
The policy provides some information on how OpenSSL handles security issues internally, and what types of organizations get pre-notifications in case serious vulnerabilities are discovered.
Security issues reported privately to OpenSSL are analyzed and rated based on their severity. The level of severity — which can be low, moderate or high — depends on versions affected, use cases, common defaults, but is also determined based on the team’s past experiences. OpenSSL might also contact other individuals and organizations that could be able to provide useful information for the development of patches.
Flaws that affect the openssl command line utility, ones that are difficult to exploit, or ones that rely on unlikely configurations are considered low severity issues, and they will generally be fixed immediately in the latest development versions. They might also be backported to older variants that are still supported. These types of vulnerabilities might not trigger new releases, OpenSSL said.
Moderate severity issues include client application crashes, local flaws, and bugs in protocols that are not used commonly (e.g. DTLS). Such vulnerabilities will be kept private until the next release, which will be scheduled so that it includes fixes for several such issues, the OpenSSL security policy notes.
As for high severity vulnerabilities, they refer to flaws that impact common configurations and are likely to be exploited. The list includes server memory leaks, remote code execution, and server denial-of-service (DoS).
“These issues will be kept private and will trigger a new release of all supported versions. We will attempt to keep the time these issues are private to a minimum; our aim would be no longer than a month where this is something under our control, and significantly quicker if there is a significant risk or we are aware the issue is being exploited,” OpenSSL noted.
In general, when an update that contains security fixes is about to be released, the “openssl-announce” list will be notified and information will be provided on the release time and date, and the severity of the vulnerability being addressed. This advance notification is designed to help companies make sure that they have staff ready when the patches are published.
“For updates that include high severity issues we will also prenotify with more details and patches. Our policy is to let the organisations that have a general purpose OS that uses OpenSSL have a few days notice in order to prepare packages for their users and feedback test results,” the security policy reads.
Other organizations that don’t fit into this category might also receive pre-notifications, but this privilege may be withdrawn if they don’t provide feedback, corrections, test results, or other information that can be considered of value.
On the other hand, the OpenSSL Project points out that while everyone would like to get advance notifications, the problem is that the more people know about a vulnerability, the higher the likelihood that details about it will get leaked online.
The organization said it previously relied on third parties such as CPNI, oCERT and CERT/CC to handle notifications, but none of them were suitable.
The Heartbleed bug (CVE-2014-0160) has been the most serious OpenSSL vulnerability uncovered so far, and it’s said to have affected more than 600,000 websites. The security hole was leveraged as an initial vector in a recent attack that resulted in 4.5 million patient records stolen, reportedly by a Chinese APT group. In its latest quarterly threats report, McAfee outlined the numerous opportunities Heartbleed has created for cybercriminals.
Since Heartbleed, the OpenSSL Project has patched a total of 16 vulnerabilities in the open source library, nine of which were addressed last month with the release of versions 0.9.8zb, 1.0.0n and 1.0.1i.
Upcoming Webcast: Gaps In SSH Security Create an Open Door for Attackers