Essent Customers Safe from “Heartbleed Bug”
A critical vulnerability in an implementation of TLS/DTLS (transport layer security protocols) in the OpenSSL cryptographic library was identified and publicly disclosed on April 7th, 2014. OpenSSL is widely used in open source operating systems such as Linux but is not as commonly used in commercial operating systems like Microsoft Windows.
Essent Service Impact Analysis
Essent was aware of this problem from its inception and immediately took action to verify none of our offerings or Facility Management Support (FMS) service subscribers were vulnerable.
Essent software products and services do not use affected OpenSSL. All business and commerce products including Compass, SiteBuilder, PunchOutNow, Direct2Decoration, and OrderTrax are not affected. The Essent Commerce Cloud™, and by extension its users, does not use OpenSSL and is not directly affected by this vulnerability. Essent security products, like The Netset™ Network Security Appliance, that do use OpenSSL do not run a version that has been identified as vulnerable to the Heartbleed bug.
This vulnerability, which has been assigned CVE identifier CVE-2014-0160 and is also known as the "Heartbleed Bug," allows anyone on the Internet to read the memory of systems protected by vulnerable versions of the OpenSSL software. This issue is considered extremely critical due to its impact, long exposure (2+ years), ease of exploitation, the absence of application logs indicating an exploit attempt and the widespread availability of exploit code.
The flaw resides in the OpenSSL implementation of the TLS/DTLS (Transport Layer Security) protocols' heartbeat extension (RFC6520) due to a missing bounds check. This vulnerability reveals 64KB of memory per request to a connected client or server. An attacker can keep reconnecting or can keep requesting an arbitrary number of 64KB chunks of memory content during an active TLS connection until they have achieved their objectives.
The vulnerability is not due to the design of the protocol but rather the implementation of it in software. The vulnerability was discovered by a member of the Google Security team and by a team of security engineers at Codenomicon. Proof-of-concept (PoC) code to exploit this vulnerability exists. OpenSSL versions 1.0.1 through 1.0.1f (inclusive) and version 1.0.2-beta are vulnerable; branches 1.0.0 and 0.9.x are not vulnerable.