Revenue Canada’s IT staffers continue to plow through the department’s servers to see if any personal information or passwords have been accessed after the discovery of the OpenSSL cryptographic vulnerability.
The department said people will be unable to file online tax returns before the weekend as it scours its systems. One Web server belonging to another department, Employment and Social Development, that acts as a portal to the tax filing service has also been closed.
However, security experts say they’re unlikely to find anything because unlike malware that inserts itself into a system, the vulnerability is essentially an open door — if an attacker knows where to look, data can be copied.
“That’s the difficult part of this vulnerability,” says Kevvie Fowler, a partner in the security advisory service of KPMG Canada. “There’s not a way of knowing” if information has been disclosed. And, he noted, this vulnerability has been there for two years. A security researcher only discovered it recently and put out the word on Monday.
The vulnerability is in OpenSSL library versions 1.0.1 through 1.0.1f, first released in March 2012, and allows an attacker to trick an affected server into disclosing a large part of what’s in memory. According to the U.S. Community Emergency Response Team (CERT), an attacker can repeatedly leverage the vulnerability to increase the chances that a leaked chunk contains the intended secrets. The sensitive information that may be retrieved using this vulnerability includes:
- Primary key material (secret keys)
- Secondary key material (user names and passwords used by vulnerable services)
- Protected content (sensitive data used by vulnerable services)
- Collateral (memory addresses and content that can be leveraged to bypass exploit mitigations)
“The reason why this is so catastrophic is it affects a large number of deployments – things from security appliances to Web sites to you name it,” said Fowler. “There’s a lot of organizations I’m sure that are running software that’s vulnerable to this version of OpenSSL, which is bundled with a lot of other applications and platforms.”
After identifying the affected software, organizations have to update their version of OpenSSL to 1.0.1g, then generate new public and private SSL encryption keys, and then update their security certificates, he said. Only after doing that can they advise partners, customers and subscribers who may use the system for access to change their passwords.
Experts are warning the public that they should only change passwords after being assured by a Web site that it has gone through all those steps. If new encryption keys haven’t been generated, merely updating OpenSSL won’t close the door.
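The remediation sequence described above (patch OpenSSL, regenerate keys, reissue certificates, only then rotate passwords) can be turned into a set of checks an administrator or a cautious user can run against what a server actually reports. The following is an added example, not code from the article or from any vendor named in it. It parses the output of `openssl version` and classifies the banner against the 1.0.1 through 1.0.1f range the article gives, compares the public key of the old and new certificate (taken from `openssl x509 -pubkey -noout`) to confirm the key pair was actually regenerated rather than just re-signed, and reads `openssl x509 -noout -dates` to confirm the certificate was issued after the patch date. All sample banners, key blobs and dates are constructed for the example. One caveat the check itself cannot resolve: Linux distributions commonly backport the fix while keeping the old version string (an Ubuntu 12.04 build still prints 1.0.1), so a "vulnerable" verdict from the banner alone must be confirmed against the distribution's package changelog.

```python
import hashlib
import re
from datetime import datetime

# Vulnerable range as stated in the article: OpenSSL 1.0.1 (no letter) through 1.0.1f.
# 1.0.1g is the fixed release. Other branches (0.9.8, 1.0.0) are not affected.
_VULN_BRANCH = (1, 0, 1)
_VULN_LETTERS = set("abcdef")


def parse_openssl_version(banner):
    """Parse an `openssl version` banner such as 'OpenSSL 1.0.1e 11 Feb 2013'.
    Returns (major, minor, patch, letter); letter is '' for a bare 1.0.1."""
    m = re.search(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)", banner)
    if not m:
        raise ValueError("unrecognised OpenSSL version banner: %r" % banner)
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)


def banner_in_vulnerable_range(banner):
    """True if the upstream version string falls in 1.0.1 .. 1.0.1f.
    Caveat: distro builds may carry a backported fix under the old version
    string, so this is a first-pass triage, not a final verdict."""
    major, minor, patch, letter = parse_openssl_version(banner)
    if (major, minor, patch) != _VULN_BRANCH:
        return False
    return letter == "" or letter in _VULN_LETTERS


def public_key_fingerprint(pubkey_pem):
    """SHA-256 over the normalised PEM text of a public key, as printed by
    `openssl x509 -pubkey -noout`. Whitespace differences are ignored."""
    body = "".join(pubkey_pem.split())
    return hashlib.sha256(body.encode("ascii")).hexdigest()


def key_was_regenerated(old_pubkey_pem, new_pubkey_pem):
    """A certificate that was merely reissued over the same key pair still
    leaves the (possibly leaked) private key in use; the public key must differ."""
    return public_key_fingerprint(old_pubkey_pem) != public_key_fingerprint(new_pubkey_pem)


def cert_issued_after(dates_output, patch_date):
    """Read notBefore from `openssl x509 -noout -dates` output and check that the
    certificate was issued on or after the date the server was patched."""
    m = re.search(r"notBefore=(.+)", dates_output)
    if not m:
        raise ValueError("no notBefore line in x509 -dates output")
    raw = m.group(1).strip().replace(" GMT", "")
    not_before = datetime.strptime(raw, "%b %d %H:%M:%S %Y")
    return not_before >= patch_date


def unmet_remediation_steps(banner, old_pubkey_pem, new_pubkey_pem, dates_output, patch_date):
    """Return the list of steps from the article's sequence that are still unmet.
    An empty list is the only state in which advising users to change passwords
    makes sense."""
    unmet = []
    if banner_in_vulnerable_range(banner):
        unmet.append("update OpenSSL to 1.0.1g or later")
    if not key_was_regenerated(old_pubkey_pem, new_pubkey_pem):
        unmet.append("generate a new key pair")
    if not cert_issued_after(dates_output, patch_date):
        unmet.append("reissue the certificate after patching")
    return unmet


# --- constructed sample inputs (not real keys or real server output) ---
SAMPLE_OLD_PUBKEY = "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEOLD\n-----END PUBLIC KEY-----\n"
SAMPLE_NEW_PUBKEY = "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAENEW\n-----END PUBLIC KEY-----\n"
SAMPLE_DATES_NEW = "notBefore=Apr  9 12:00:00 2014 GMT\nnotAfter=Apr  9 12:00:00 2015 GMT\n"
SAMPLE_DATES_OLD = "notBefore=Mar  1 00:00:00 2013 GMT\nnotAfter=Mar  1 00:00:00 2015 GMT\n"
PATCH_DATE = datetime(2014, 4, 8)  # constructed: the day this hypothetical server was patched

if __name__ == "__main__":
    print(unmet_remediation_steps("OpenSSL 1.0.1e 11 Feb 2013",
                                  SAMPLE_OLD_PUBKEY, SAMPLE_OLD_PUBKEY,
                                  SAMPLE_DATES_OLD, PATCH_DATE))
    print(unmet_remediation_steps("OpenSSL 1.0.1g 7 Apr 2014",
                                  SAMPLE_OLD_PUBKEY, SAMPLE_NEW_PUBKEY,
                                  SAMPLE_DATES_NEW, PATCH_DATE))
```

The public-key comparison is the step most often skipped in practice: a certificate re-signed over the old key pair looks fresh by its dates but changes nothing about a key that may already have been read out of memory.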
Meanwhile Web sites and vendors around the world are scrambling to ensure their products and services aren’t vulnerable. At network equipment maker Juniper Networks, for example, the company blogged that several product teams worked “round the clock to ensure that customers get updates on highest priority. As of a short while ago, Junos Pulse Connect Secure (VPN) and Policy Secure (UAC) released patches that would fix the vulnerability for its mobility offering.”
Cisco Systems Inc. advised customers that many products incorporate a version of OpenSSL affected by the vulnerability, which could allow an attacker to retrieve memory in chunks of 64 kilobytes. It said updates will be available to fix the problem.
Red Hat said the issue does affect Red Hat Enterprise Linux 6.5, Enterprise Virtualization Hypervisor 6.5 and Red Hat Storage 2.1, and advised customers to upgrade their OpenSSL to newer versions. Ubuntu issued a notice for updating versions 13.10, 12.10 and 12.04.
VMware has acknowledged that a large number of its products are vulnerable, including ESXi 5.5, vCenter Server 5.5 and a number of versions of the virtual desktop applications Horizon View, Horizon View Client and Horizon Workspace. For the time being the issue can be mitigated by deploying affected products on an isolated management network, the company says. Its Socialcast enterprise software-as-a-service social networking platform was affected, but has been fixed.
Amazon issued a statement Monday saying all of its load balancers affected have been updated, and issues in its CloudFront content delivery service have been mitigated. However, it warned that customers using OpenSSL on their own Linux images on EC2 should update their images.
In an interview Rebecca Rogers, Revenue Canada’s director of communications, said the sites were closed Tuesday as a precaution after the department learned of the vulnerability. She couldn’t comment on whether there is any evidence of data access, saying there is an ongoing investigation.
The tax department won’t penalize online tax filers for sending in their returns several days after the April 30 deadline because of this week’s shutdown.
For more information, check the Web site of the U.S. Community Emergency Response Team (CERT).