OpenSSL Heartbleed bug and Exchange Server vulnerability
There is a news out there about the heartbleed flaw in OpenSSL and how it could affect email servers and web servers on the Internet. Exchange relies on SSL certificates so let’s break this down and ensure our servers aren’t vulnerable to attacks.
Good news is that Windows IIS do not employ OpenSSL hence isn’t affected by this vulnerability. Windows IIS uses SChannel or Secure channel. However, it is important you know how your exchange servers could be vulnerable. Exchange has heavily relied on encryption since Exchange 2007 days and SSL became a mandatory setting since then. SSL offloading was an option we could employ to disable end to end encryption so users could authenticate against the server via a Hardware load balancer where the load balancer possess the ability to decrypt the data and send plain text data back to internal Exchange servers. This could be done for several reasons – you do not want exchange to decrypt the data for performance enhancement (an argument I don’t agree with) or you have an IPS device (Intrusion prevention system) which need to read the data going back and forth inside the network or you simply dictate Exchange server need to have SSL offloaded. Exchange 2013 support SSL Offloading starting SP1. Whatever the case maybe if you have or haven’t enabled SSL offloading it is mandatory for you to check and ensure your Hardware load balancer or firewall devices aren’t vulnerable to this attack and if they are – take preventive steps and counter measures.
To give an example Kemp technologies released an article detailing the specifics of this attack and how to mitigate this for you existing load balancers:
Heartbleed Vulnerability Patch Available: http://forums.kemptechnologies.com/index.php?p=/discussion/20730/heartbleed-vulnerability-patch-available.
Additionally, please refer to the Digicert, Symantec and other documentations on the subject:
Heartbleed: What it is, how it affects you, and what to do about it: http://blog.digicert.com/2014/04/heartbleed-openssl-fix/
Vulnerability Note VU#720951: OpenSSL heartbeat extension read overflow discloses sensitive information: http://www.kb.cert.org/vuls/id/720951
Heartbleed in OpenSSL: Take Action Now!: www.symantec.com/connect/blogs/heartbleed-openssl-take-action-now
To test your servers against heartbleed visit the following links:
Microsoft MVP | Exchange Server