Avatar

Ed Paradise, Vice President of Engineering for Cisco’s Threat Response, Intelligence and Development Group

Much has been made of the industry-wide Heartbleed vulnerability and its potential exploitation. Cisco was among the first companies to release a customer Security Advisory when the vulnerability became public, and is now one of many offering mitigation advice.

Those dealing with this issue on a day-to-day basis know it’s not enough to just patch the OpenSSL software library. Organizations also need to revoke and reissue digital certificates for their Heartbleed-vulnerable sites. If your certificates were stored in a Trust Anchor Module (TAM), they are still safe. Otherwise, a few additional steps should be taken to ensure you and your customers are secure:

  1. Patch your OpenSSL software and systems
  2. Change all administrative and user passwords, as they could have been exposed by the vulnerability
  3. Reissue your system certificates from your Certificate Authority (unless they were stored in a Trust Anchor Module)
  4. Install the new certificates
  5. Revoke all old certificates so they can’t be used

With the immediate response currently underway, the security industry is considering the lessons learned and longer-term implications.

Public Key Infrastructure (PKI)-based solutions like TLS/SSL are powerful, but certificate management can be challenging. To help address this, Cisco recently co-authored an IETF Enrollment over Secure Transport (EST) RFC7030 that describes a simple method of managing certificates for PKI clients. You can read more about the standard in this Cisco blog.

On April 7, Cisco also released a reference open source EST library implementation. The workflow for certificate management with EST after Heartbleed recovery is:

  1. Patch your OpenSSL software and systems
  2. Inform the EST module in each device to re-enroll
  3. PKI administrators revoke all outstanding certificates for the vulnerable devices (optionally: if the EST client is configured to immediately use the new certificate this step can be automated)

Each system then securely contacts the PKI to obtain a new certificate. As the Heartbleed vulnerability could have exposed the original private key, it is important to validate the user connecting to the PKI and requesting a certificate. That is why we also highly recommend two-factor authentication using Trust Anchor Modules. In fact, employing the TAM could mitigate the impact of this vulnerability and related impersonation attacks.

Secure communications are critical to protecting customer information, but the additional cost and complexity can be a challenge. That’s another reason why we’re integrating Trusted Anchor Technology in our products. We are also taking a lead role in the IETF working group to develop and release the EST standard reference library to open source.

Security is everyone’s job. Working with our industry partners, Cisco continues to protect our customers and products, by improving system security and reducing the impact of future vulnerabilities.



Authors

Ed Paradise

Cisco RTP Site Executive and Vice President of Engineering