Considering that SSL/TLS implementations, including OpenSSL, are used anywhere machines have to communicate securely with each other, Heartbleed isn’t just a problem for Web servers. The vulnerability is present in client software running on PCs and Android tablets, as well.
For example, many routers and other networking equipment come with built-in Web servers to run the administrator interface. Those mini Web servers frequently use OpenSSL, making these devices vulnerable to attack. An unauthenticated, remote attacker could exploit the flaw to retrieve information stored in memory from a connected client or server, Cisco Systems said in an advisory.
“This bug affects routers, switches, operating systems, and other applications that support the protocol in order to authenticate senders and receivers, and to encrypt their communications,” Avivah Litan, vice-president and analyst with Gartner, wrote in a blog post. This means none of the “trusted communications traffic” between machines using OpenSSL could actually be trusted, which has a far greater impact than just how individuals interact with secure Websites, Litan said.
SANS Institute’s Jake Williams echoed the warning in a presentation, noting that attackers can direct users running vulnerable client-side applications to malicious servers and extract passwords and cryptographic keys.
A malicious server could easily send a message to vulnerable software on phones, laptops, PCs, home routers and other devices, and retrieve small chunks of sensitive data from the targeted system, Williams said. Android devices running Jelly Bean can be targeted.
“Not sure what this means for Chromebooks,” Williams wrote in the presentation.
Attackers could possibly harvest significant amounts of data from users connected to public Wi-Fi hotspots, Williams suggested. Third-party applications using Python, Perl, and Ruby OpenSSL libraries may be vulnerable, as well as various Windows applications using OpenSSL, such as OpenVPN and other VPN software.
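The client-side exposure Williams describes comes down to a single malformed TLS heartbeat record: the message claims a payload length larger than the bytes it actually carries, and an unpatched OpenSSL echoes back memory to make up the difference. The check below, an added example that is not part of the original article or of OpenSSL, reproduces the bounds test the patched library applies (the RFC 6520 record layout and 16-byte minimum padding are known facts; the two sample records are constructed here) so a defender can recognise such records in captured traffic, whichever side sent them.

```python
"""Offline classifier for oversized TLS heartbeat records (the Heartbleed shape)."""
import struct

TLS_HEARTBEAT = 24              # TLS ContentType for heartbeat messages (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2  # HeartbeatMessageType values
MIN_PADDING = 16                # RFC 6520: at least 16 bytes of random padding
HB_HDR = 1 + 2                  # heartbeat type byte + 2-byte payload_length field


def check_heartbeat_record(record: bytes) -> dict:
    """Classify one raw TLS record (5-byte header plus body).

    A heartbeat is 'oversized' when its declared payload_length exceeds the
    bytes actually present after the heartbeat header and minimum padding,
    which is exactly the condition the patched OpenSSL rejects.
    """
    result = {'heartbeat': False, 'oversized': False, 'declared': None, 'available': None}
    if len(record) < 5:                      # not even a full record header
        return result
    ctype, _version, rec_len = struct.unpack('!BHH', record[:5])
    body = record[5:5 + rec_len]             # a truncated capture simply yields fewer bytes
    if ctype != TLS_HEARTBEAT:
        return result
    result['heartbeat'] = True
    if len(body) < HB_HDR:                   # too short to carry a heartbeat header
        return result
    hb_type, declared = struct.unpack('!BH', body[:HB_HDR])
    # Bytes that can legitimately be payload once header and minimum padding are set aside.
    available = len(body) - HB_HDR - MIN_PADDING
    result.update(declared=declared, available=available)
    if hb_type in (HB_REQUEST, HB_RESPONSE) and declared > available:
        result['oversized'] = True
    return result


# Constructed sample records (TLS 1.1 version bytes 0x0302, 23-byte body each).
# Both carry a 4-byte payload "ping" plus 16 zero bytes of padding; only the
# payload_length field differs: 4 in the benign record, 0x4000 in the oversized one.
BENIGN_RECORD = b'\x18\x03\x02\x00\x17' + b'\x01\x00\x04' + b'ping' + b'\x00' * MIN_PADDING
OVERSIZED_RECORD = b'\x18\x03\x02\x00\x17' + b'\x01\x40\x00' + b'ping' + b'\x00' * MIN_PADDING

if __name__ == '__main__':
    for name, rec in (('benign', BENIGN_RECORD), ('oversized', OVERSIZED_RECORD)):
        print(name, check_heartbeat_record(rec))
```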
“We need to get used to the fact that we can’t trust the protocols that secure data in transit over public and private Internet networks,” Litan said. “Until now that was the one area that looked relatively safe, at least to me.”
Fahmida Y. Rashid is an accomplished security journalist and technologist. She is a regular contributor to several publications, including iPCMag.com, where she is a networking and security analyst. She was also a senior writer at eWeek, where she covered security, core Internet infrastructure and open source, and a senior technical editor at CRN Test Center, reviewing open source, storage, and networking products.