Reverse Heartbleed puts your PC and devices at risk of OpenSSL attack


A password management service discovers that the Heartbleed bug can be used to target individual users.

The Internet has been abuzz for the last week or so in response to the Heartbleed vulnerability in OpenSSL. While almost all of the attention has centered on patching Web servers and advising users to change their passwords, security researchers have discovered that individual client PCs and devices are also at risk thanks to "Reverse Heartbleed."

Meldium, a cloud identity and access management service, shared details of the Reverse Heartbleed threat in a blog post. An attacker can exploit Heartbleed to expose sensitive data on vulnerable servers, but that is not the only attack this flaw makes possible. The "heartbeat" used in the Heartbleed attack can be initiated by either the client or the server, so a malicious server can also send bad heartbeat packets to an OpenSSL client to extract data.
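A heartbeat request carries its own payload-length field, and the flaw comes from echoing that many bytes without comparing the field to what was actually received; because either peer may send the request, a client needs the same check as a server. The C sketch below is an added illustration, not OpenSSL's code and not from Meldium's post: the function names and sample bytes are constructed, and the message layout follows RFC 6520.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Heartbeat message layout (RFC 6520):
 * type (1) | payload_length (2, big-endian) | payload | padding (>= 16) */
#define HB_REQUEST  1u
#define HB_RESPONSE 2u
#define HB_HEADER   3u
#define HB_MIN_PAD  16u

/* Payload length if msg is a well-formed request, -1 if it must be dropped.
 * msg_len is the number of bytes actually received in the record. */
long hb_checked_payload_len(const uint8_t *msg, size_t msg_len)
{
    if (msg == NULL || msg_len < HB_HEADER + HB_MIN_PAD || msg[0] != HB_REQUEST)
        return -1;                      /* too short, or not a request */
    size_t claimed = ((size_t)msg[1] << 8) | msg[2];
    if (claimed > msg_len - HB_HEADER - HB_MIN_PAD)
        return -1;                      /* claims more payload than was sent */
    return (long)claimed;
}

/* Echo the payload into out. Returns bytes written, 0 if the request is dropped. */
size_t hb_build_response(const uint8_t *msg, size_t msg_len,
                         uint8_t *out, size_t out_cap)
{
    long n = hb_checked_payload_len(msg, msg_len);
    size_t total = HB_HEADER + (size_t)(n < 0 ? 0 : n) + HB_MIN_PAD;
    if (n < 0 || out == NULL || out_cap < total)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = msg[1];
    out[2] = msg[2];
    memcpy(out + HB_HEADER, msg + HB_HEADER, (size_t)n);
    memset(out + HB_HEADER + (size_t)n, 0, HB_MIN_PAD); /* demo only; real padding is random */
    return total;
}

/* Constructed samples: a consistent 23-byte request, and a 20-byte one
 * whose length field (0x4000) far exceeds what was received. */
size_t demo_reply_len(int overclaim)
{
    uint8_t ok[23]  = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
    uint8_t bad[20] = { HB_REQUEST, 0x40, 0x00, 'x' };
    uint8_t out[64];
    return overclaim ? hb_build_response(bad, sizeof bad, out, sizeof out)
                     : hb_build_response(ok, sizeof ok, out, sizeof out);
}
```

The receiver's role never appears in the check, so it behaves the same in a client handling a server's request as in a server handling a client's.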

"It's the popularity and pervasiveness of the OpenSSL library that makes this vulnerability difficult to remediate fully," said Tim Erlin, director of IT security and risk strategy for Tripwire. "While popular Web applications may be already patched, the myriad of appliances, embedded devices, and network infrastructure that may be vulnerable will take a lot longer to address. You can't just disable the Internet for maintenance."

OpenSSL is a widely used implementation of SSL, found in a diverse array of devices to secure Internet communications. Websites and online services are working diligently to patch and update in response to the Heartbleed threat, but browsers, applications, and connected devices that rely on OpenSSL are also potentially vulnerable to Heartbleed and/or Reverse Heartbleed. For example, both Cisco and Juniper have acknowledged that many of their home routers and networking devices are vulnerable.

According to Meldium, the server-initiated Reverse Heartbleed attack is slightly more difficult to exploit successfully, for a few reasons. For instance, it can only be attempted once the TLS connection has been established. Some clients also use security controls that detect when the server certificate doesn't match and abort the connection.

Meldium advises the same mitigation and remediation for Reverse Heartbleed as for Heartbleed, but stresses, "The important takeaway is that it's not enough to patch your perimeter hosts--you need to purge bad OpenSSL versions from your entire infrastructure."

The same holds true for individual home users. You should check with the developer or vendor of any software or device that connects to the Internet to determine whether it relies on OpenSSL and whether a patch is available. Refrain from using any affected applications or devices, and apply any updates as soon as possible.

Meldium has created a Reverse Heartbleed Tester you can use to determine if you're vulnerable.

