Netsurion services and the OpenSSL Heartbleed issue
April 11, 2014
Many of our customers and resellers have asked how Heartbleed affected Netsurion services. In a nutshell, the managed services that make up our product offerings were not directly affected by Heartbleed.
What is Heartbleed?
Heartbleed is the name given to an OpenSSL vulnerability in which a service running specific versions of OpenSSL could be tricked by a hacker into revealing protected information held in memory.
The end result is that it is possible to uncover security keys so that the secure communication of the system could be compromised. This affected numerous websites around the world.
In addition, hardware vendors including Cisco and Juniper announced that they had software and hardware that were affected by the Heartbleed vulnerability.
The Juniper announcement was a cause of concern for us here at Netsurion because we use many of their solutions as part of our managed services. As it turns out, the list of vulnerable products did not include any equipment or software that Netsurion supports as part of our services.
At the time of this article, Juniper had made it clear that they would be working on patches and updates to address the issues posed by Heartbleed in the immediate future.
So does this mean that all customers running Netsurion services can breathe a sigh of relief and ignore the issues posed by Heartbleed entirely?
The short answer is “no”.
While it is true that Netsurion-supplied services are not affected by Heartbleed, customers and resellers of ours may still use other systems that could be affected by this vulnerability.
For example, LogMeIn is a highly popular tool for remote access and management of workstations. According to their blog article, they were affected by Heartbleed. They have already created an update to their software that, according to them, should be implemented to avoid further issues. (They also have other suggestions in a related blog article that should be read as well if you use LogMeIn.)
As a matter of good security, it is necessary to evaluate any service you use on the Internet and discover whether or not it has an issue with Heartbleed.
Before We Go
One last point on this topic has to do with the locations that rely upon Netsurion to manage their Internet connection through the use of our managed firewall services.
As previously stated, our firewalls were not affected by Heartbleed, but the equipment in front of our firewall (the ISP router or modem, for example) might have an issue.
To help determine if there is something potentially damaging to the secure environment of our customers, we are already looking for Heartbleed as part of our External ASV Scanning service. We can detect this flaw, and we are currently running a special scan of the hosts that have been set up, to determine if any of our customers have equipment or services that could be potentially vulnerable to Heartbleed.
As we discover potential issues, we will provide our individual customers and resellers with the information they need to properly manage the affected environments.