Information from Symantec on OpenSSL Vulnerability

April 18, 2014 (16:27 PDT): Symantec has posted a new blog written by our Security Response team titled "Dr. Strangebug, or How I Learned to Stop Worrying and Accept Heartbleed", which offers a new perspective on the recent Heartbleed vulnerability and tips to minimize your risk. Additionally, we are continuing to update our product matrix daily with the latest Symantec product information. We encourage our customers to keep checking this page and specific product support pages for current information and updates.

April 13, 2014 (15:15 PDT): Symantec has posted a matrix with the latest Symantec product information. We will continue to update this with new information. We encourage our customers to keep checking this page and specific product support pages for current information and updates.
April 11, 2014 (22:35 PDT): Symantec has identified that some of its products may be impacted by the OpenSSL vulnerability, dubbed Heartbleed. We have begun issuing advisories to our customers to alert them and provide mitigation solutions while we work to deploy any necessary patches. To date, we have not seen any malicious exploitation of this vulnerability. We encourage our customers to check specific product support pages and this page for information and updates.
April 10, 2014 (15:15 PDT): Our product teams are continuing their investigations of whether any products are impacted by this vulnerability. We recommend that you check your Symantec product support pages for the latest updates from these teams. You can subscribe to any Knowledge Base (KB) documents on the product support pages to ensure you automatically receive updates with any new information.
April 9, 2014 (21:00 PDT): Symantec is aware of and currently investigating the OpenSSL vulnerability, dubbed "Heartbleed", which allows attackers to read the memory of systems using vulnerable versions of the OpenSSL open source library. We will provide updates as they become available.

Situation Overview

Symantec is aware of and currently investigating the OpenSSL vulnerability, dubbed "Heartbleed," which allows attackers to read the memory of systems using vulnerable versions of the OpenSSL open source library. This exposes sensitive information held in that memory, such as the private keys of certificates, login credentials, and other personal data.
"Heartbleed", or the OpenSSL TLS 'heartbeat' Extension Information Disclosure Vulnerability (CVE-2014-0160), affects the component of the OpenSSL library that implements the heartbeat functionality. OpenSSL is one of the most widely used implementations of the SSL (Secure Sockets Layer) and TLS (Transport Layer Security) protocols.
More information is available on the Symantec Security Response blog.

Scope of Vulnerability

  • This is not a vulnerability in the SSL/TLS protocols themselves; it is a bug in the OpenSSL implementation
  • SSL/TLS is not broken, nor are the SSL certificates issued by Symantec
  • Users of OpenSSL versions 1.0.1 through (and including) 1.0.1f are affected

Product Information

What Symantec products are affected by this vulnerability?

Symantec has posted a matrix with the latest Symantec product information. We will continue to update this with new information. We encourage our customers to keep checking this page and specific product support pages for current information and updates.

If certificates were used on affected servers, should companies revoke and reissue their certificates?

Yes. As the world’s largest Certification Authority, Symantec has already taken steps to patch systems using affected versions of OpenSSL. Additionally, we are following best practices and have re-keyed all certificates on web servers that used affected versions of OpenSSL. We highly recommend that the community at large follow these best practices as well.

Does Symantec charge for revoking and reissuing its certificates?

While there was never an issue with Symantec certificates themselves, to address the OpenSSL bug we will be offering replacements free of charge to our existing customers, and the old certificates will be revoked.

Is there any information from Symantec regarding this vulnerability?

An overview of the vulnerability is available on the Security Response blog.

How to Minimize Your Risk

Advice for Businesses
  • Check your version of OpenSSL and, if it is an affected version, do one of the following:
    (1) Recompile OpenSSL with the -DOPENSSL_NO_HEARTBEATS flag, which builds the library without the heartbeat extension, or
    (2) Update to the latest fixed version of the software (1.0.1g) if you are using OpenSSL versions 1.0.1 through (and including) 1.0.1f
  • After moving to a fixed version of OpenSSL, as part of best practices, contact the certificate's issuing Certification Authority for a replacement
  • Finally, and as a best practice, businesses should also consider resetting end-user passwords that may have been exposed in the memory of an affected server
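The version check above, written out as an added example (this is not Symantec's tooling, nor part of OpenSSL): it classifies an `openssl version` line against the affected range stated on this page (1.0.1 through 1.0.1f, fixed in 1.0.1g) and tests whether a local binary was built with the -DOPENSSL_NO_HEARTBEATS flag. The function names are my own, and the sample version lines in the comments and test are constructed inputs.

```shell
#!/bin/sh
# Added example, not part of the Symantec advisory or of OpenSSL.

# heartbleed_version_status VERSION_LINE
# VERSION_LINE is the output of `openssl version`, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
# Prints one of: affected, fixed, not-affected.
heartbleed_version_status() {
    # The second whitespace-separated field is the version, e.g. "1.0.1e".
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    case "$ver" in
        1.0.1|1.0.1[a-f])
            # The advisory's affected range: 1.0.1 through 1.0.1f inclusive.
            echo affected ;;
        1.0.1[g-z]*)
            # 1.0.1g carries the fix; later 1.0.1 letters build on it.
            echo fixed ;;
        *)
            # Other series (0.9.8, 1.0.0, ...) never shipped the heartbeat bug.
            echo not-affected ;;
    esac
}

# heartbleed_build_has_no_heartbeats OPENSSL_BINARY
# Returns 0 when `openssl version -a` reports the binary was compiled with
# -DOPENSSL_NO_HEARTBEATS (the recompile option above), 1 otherwise.
# Assumes the compiler flags appear in the "-a" output, as in 1.0.1 builds.
heartbleed_build_has_no_heartbeats() {
    "$1" version -a 2>/dev/null | grep -q -- '-DOPENSSL_NO_HEARTBEATS'
}

# When run directly, inspect the openssl on PATH (does nothing if absent).
if command -v openssl >/dev/null 2>&1; then
    line=$(openssl version)
    status=$(heartbleed_version_status "$line")
    printf '%s -> %s\n' "$line" "$status"
    if [ "$status" = affected ] && heartbleed_build_has_no_heartbeats openssl; then
        echo "built with -DOPENSSL_NO_HEARTBEATS: heartbeat extension disabled"
    fi
fi
```

Treat "affected" as a prompt to investigate rather than a verdict: distribution packages commonly backport the fix without changing the version string, so confirm against the vendor's package changelog before deciding whether to re-key certificates and reset passwords.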
Advice for Consumers
  • Be aware that your sensitive data such as passwords may have been seen by a third party if the sites you visit used a vulnerable version of the OpenSSL library.
  • Monitor any notices from the vendors or companies you use. Once a vendor has communicated to you to change your passwords, do so promptly.
  • Watch out for potential phishing emails from attackers asking you to update your password. To avoid going to an impersonated website, stick with the official site domain.
  • Stick to reputable websites and services. They are most likely to have immediately addressed the vulnerability.
  • Monitor your bank and credit card statements to check for any unusual transactions.