Organizations scrambling to patch their infrastructure against the OpenSSL Heartbleed vulnerability will also have to shore up their BYOD devices, some of which are vulnerable as well. Both Android and iOS devices are affected: Android through one OS release, iOS through VPN clients that ship their own copy of OpenSSL.
Cisco's AnyConnect for iOS, and Juniper Networks' JunOS Pulse (Mobile) for iOS version 4.2R1 to 5.0R2 and higher, are on the SANS ISC list of vulnerable clients. The JunOS app is vulnerable only when it is in FIPS mode. Juniper's Pulse (Mobile) for Android version 4.2R1 to 5.0R3 is also on the SANS ISC list. Both companies have issued fixes.
More about the flaw
The problem (CVE-2014-0160) is a missing bounds check in OpenSSL's handling of the TLS and DTLS Heartbeat extension. A heartbeat request carries a two-byte payload length field; OpenSSL 1.0.1 through 1.0.1f copied that many bytes from memory into the heartbeat reply without checking how many bytes had actually arrived, so each request can return up to 64 KB of the peer's process memory, and the request can be repeated indefinitely. The OpenSSL Project released the fix, OpenSSL 1.0.1g, on April 7, 2014, the day the vulnerability was disclosed.
Remediation requires upgrading OpenSSL to a fixed version, or rebuilding it with heartbeats disabled (-DOPENSSL_NO_HEARTBEATS), and then restarting or rebuilding anything that statically links the library; generating new private keys and working with certificate authorities to issue new SSL/TLS server certificates and revoke the old ones, since any key that was served by a vulnerable system should be considered compromised; updating all services; and deploying patches on endpoints. Passwords and session tokens used with a vulnerable service should be reset only after that service has been fixed, or the new credentials can leak the same way.
Among Android releases, only 4.1.1 is vulnerable to the flaw, Google said; it is distributing patching information for that release to its partners. Because the flaw exposes whatever happens to be in the affected process's memory, attackers can obtain users' private keys and passwords, as well as usernames, instant messages, emails, and business-critical documents and messages that pass through the vulnerable process.
"Organizations may be vulnerable from security challenges such as 'Reverse Heartbleed,' where a malicious server can send a malformed heartbeat packet to an end point or device that is vulnerable," says Jeff Debrosse, Websense's director of security research. In that direction it is the client's memory, not the server's, that is read, which is why a vulnerable VPN client or OS library on a phone matters even when every corporate server has been patched.
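The missing check described above, shown as an added example that is neither OpenSSL's code nor from the article. It models a heartbeat request handler in the shape of OpenSSL's tls1_process_heartbeat: a 1-byte type, a 2-byte big-endian payload length, the payload, and 16 bytes of padding. The `memory` array stands in for process memory, the `SECRET` string placed right after the record stands in for key material or passwords sharing the heap, and the message sizes are chosen so the over-read stays inside that array; all three are constructed for the demo. The same handler serves either direction, so it also illustrates the "Reverse Heartbleed" case in which a hostile server sends the malformed request to a client. The comparison in `heartbeat_is_malformed` (declared payload length against bytes actually received) is the check the patch added, and it is also what a network device needs in order to drop malformed heartbeats at the edge, as discussed below.

```c
/*
 * Added example, not OpenSSL's code: a minimal model of the TLS Heartbeat
 * request handling that Heartbleed (CVE-2014-0160) got wrong, beside the
 * corrected version. Layout, secret and sizes are constructed for the demo.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16        /* minimum random padding after the payload */
#define MEM_SIZE     256       /* size of our stand-in for process memory */

/* Stand-in for process memory: the received record sits at the front and
 * SECRET (assumed, for the demo) sits right after it, like key material or
 * session cookies that happen to share the heap with the TLS record buffer. */
static uint8_t memory[MEM_SIZE];
static const char SECRET[] = "PRIVATE_KEY_MATERIAL";

/* Reply buffer sized for the largest possible declared payload (65535). */
static uint8_t reply[3 + 65535 + HB_PADDING];

/* Build a heartbeat request in `memory`. `declared` is what the peer writes
 * in the length field; `actual` is how many payload bytes it really sends.
 * An honest peer uses declared == actual. Returns the number of bytes that
 * actually arrived, i.e. the record length the handler is given.
 * Demo assumption: 3 + actual + HB_PADDING + sizeof SECRET <= MEM_SIZE. */
static size_t build_heartbeat(uint16_t declared, const char *payload, size_t actual)
{
    size_t n = 0;
    memset(memory, 0, sizeof memory);
    memory[n++] = HB_REQUEST;
    memory[n++] = (uint8_t)(declared >> 8);
    memory[n++] = (uint8_t)(declared & 0xff);
    memcpy(memory + n, payload, actual);
    n += actual;
    memset(memory + n, 0xAA, HB_PADDING);
    n += HB_PADDING;
    memcpy(memory + n, SECRET, sizeof SECRET);  /* adjacent, not part of the record */
    return n;
}

/* The check the fix added: the declared payload, plus header and padding,
 * must fit in the bytes that were actually received. Returns 1 if not. */
static int heartbeat_is_malformed(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < 1 + 2 + HB_PADDING) return 1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    return (size_t)1 + 2 + payload + HB_PADDING > rec_len;
}

/* Pre-fix behaviour: trusts the length field and copies that many bytes
 * from the payload pointer, however many bytes really arrived. Returns the
 * reply length. Demo assumption: 3 + declared <= MEM_SIZE, so the over-read
 * stays inside our stand-in memory instead of being undefined behaviour. */
static size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len)
{
    (void)rec_len;                               /* never consulted: the bug */
    if (rec[0] != HB_REQUEST) return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    reply[0] = HB_RESPONSE;
    reply[1] = rec[1];
    reply[2] = rec[2];
    memcpy(reply + 3, rec + 3, payload);         /* reads past the record when payload > actual */
    memset(reply + 3 + payload, 0xAA, HB_PADDING);
    return 3 + (size_t)payload + HB_PADDING;
}

/* Post-fix behaviour: drop the request silently if the declared length does
 * not fit in the record, exactly as the patch does. Returns 0 when dropped. */
static size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len)
{
    if (heartbeat_is_malformed(rec, rec_len)) return 0;
    if (rec[0] != HB_REQUEST) return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    reply[0] = HB_RESPONSE;
    reply[1] = rec[1];
    reply[2] = rec[2];
    memcpy(reply + 3, rec + 3, payload);         /* now provably within the record */
    memset(reply + 3 + payload, 0xAA, HB_PADDING);
    return 3 + (size_t)payload + HB_PADDING;
}

/* Does a reply of n bytes contain the adjacent secret? */
static int contains_secret(const uint8_t *buf, size_t n)
{
    size_t k = strlen(SECRET);
    for (size_t i = 0; i + k <= n; i++)
        if (memcmp(buf + i, SECRET, k) == 0) return 1;
    return 0;
}

int main(void)
{
    /* Honest peer: 4 payload bytes, length field says 4. */
    size_t n = build_heartbeat(4, "ping", 4);
    size_t r = heartbeat_vulnerable(memory, n);
    printf("honest    request: %zu bytes in, %zu out, leaks secret: %d\n", n, r, contains_secret(reply, r));

    /* Heartbleed: 4 payload bytes sent, length field says 60. */
    n = build_heartbeat(60, "ping", 4);
    r = heartbeat_vulnerable(memory, n);
    printf("malicious request: %zu bytes in, %zu out, leaks secret: %d\n", n, r, contains_secret(reply, r));
    r = heartbeat_fixed(memory, n);
    printf("malicious request, fixed handler: %zu bytes out (0 = dropped)\n", r);
    return 0;
}
```

The honest request produces a 23-byte reply that echoes the 4-byte payload; the malicious one makes the vulnerable handler answer with 79 bytes, 56 of which were never sent and include the adjacent secret, while the fixed handler drops it. The real exploit simply repeats the malicious request and sifts the returned memory, which is why a single length comparison in the handler, or in an IPS in front of it, closes the whole class.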
Defending against Heartbleed
There is little point in waiting for Google's partners -- the manufacturers and wireless carriers -- to roll out the Android fix as they have their own schedules, and the wise IT person will launch remedial action right away.
"I would hope that mobile carriers are blocking the heartbeat messages to protect their customers, but I don't know if that's happening," says Jeremy Epstein, associate editor-in-chief of IEEE Security & Privacy Magazine and senior computer scientist with SRI International.
IT should first patch major Internet-edge devices and systems, and update the enterprise's intrusion prevention systems and firewalls, advises Dan Ingevaldson, CTO at Easy Solutions. "Automated Heartbleed attacks are already common and will continue for years," he warns. "It is safe to say that these automated scans will be quite effective at finding any remaining vulnerable systems. Effective IPS blocking will provide some degree of protection while other vulnerable systems can be identified and patched."
Organizations "should conduct a risk assessment to see which devices have access to the corporate network so that they know all of the potential attack vectors that need protection," says John Miller, Security Research Manager at Trustwave. "Segregating BYOD and corporate-controlled infrastructure is a standard best practice."
IT should use network access control that can check a device's security posture and enforce minimum requirements on BYOD equipment, and quarantine poorly secured devices until they are fixed, Miller suggests. Placing network monitoring and intrusion detection systems between the BYOD and corporate networks will help identify attacks originating from BYOD devices.
Making the case for MDM
Organizations with MDM solutions can control access to corporate resources at a granular level, Debrosse says. Those controls can be tied to policies that are tightened over time as device security improves.
"If an organization isn't using a centralized policy management and enforcement solution, BYOD management will be a very difficult task, and new security concerns will exponentially increase that difficulty," Debrosse warns.
To sum up: Secure the edge of the corporate network, then discover which devices need protection, and protect them. This problem isn't going away any time soon.
Has Heartbleed had any effect on you or your business yet? Let us know in the comments.