Heartbleed Vulnerability and Exchange Server

A member of a group on LinkedIn posted about a vulnerability in OpenSSL. Some more details are about the bug are documented here very well Critical crypto bug in OpenSSL opens two-thirds of the Web to eavesdropping

When you read OpenSSL, most of you might think it is not something applicable to my exchange environment since Microsoft Exchange doesn’t use OpenSSL anywhere. That may be not be 100% true. Although neither exchange nor windows natively use OpenSSL, this vulnerability still matters to you and needs you to look at if you are running any sort of hardware load balancer, reverse proxy appliance or a virtual appliance to publish exchange over internet or within corporate network.

A lot of load balancing appliances run on Linux based operating systems and do use OpenSSL stack extensively. You should do a double check on all the appliances that use Linux or Unix based operating systems on them.

How to detect Heartbleed

This vulnerability only applies to OpenSSL versions 1.0.1-1.0.1f. Other SSL libraries, such as PolarSSL, are not vulnerable. OpenVPN-NL, which is depending on PolarSSL, is not affected.

To detect whether you are affected by heartbleed you can use either of below tools

  • http://filippo.io/Heartbleed/ : a web based tool to test and identify the vulnerability. Just enter the name of the website you want to test, in exchange server’s case; it would be OWA/ EAS/EWS /OAB, etc URLs published on internet.
  • http://s3.jspenguin.org/ssltest.py : a python script to test for the vulnerability from the command line. If you want to scan multiple sites you can use a modified version with easily parseable output.
  • If you use Chrome you can install the Chromebleed checker that alerts you when visiting a vulnerable site.
  • To see whether your load balancing or reverse proxy appliance uses a vulnerable version of OpenSSL login to the appliance with and run openssl version if the version

Fix

OpenSSL has provided an updated version (1.0.1g) of OpenSSL at https://www.openssl.org/source/. It is recommended to consult your appliance manufacturer to find out the update procedure and implications of update before simply going ahead and applying the fix.