April 11, 2014 – The Federal Financial Institutions Examination Council released an alert Thursday urging credit unions and banks to take steps now to mitigate the “Heartbleed” issue, which the regulators termed a “material security vulnerability” affecting Web servers using OpenSSL.OpenSSL is an open-source implementation of the secure sockets layer (SSL) and transport layer security (TLS) protocols commonly used to protect data in transit. The “Heartbleed” vulnerability, reported by researchers April 7, means an attacker could access a server’s private cryptographic keys, “compromising the security of the server and its users,” the FFIEC wrote. This flaw in OpenSSL versions 1.0.1 through 1.0.1f. has existed since Dec. 31, 2011, the alert says.The alert adds, “An attacker may be able to decrypt, spoof, or perform man-in-the-middle attacks on network communications that would otherwise be protected by encryption.”The notice urges regulated institutions to:
The alert also suggests replacing private keys and X.509 encryption certificates after applying patches and says financial institutions should assume current encryption keys for vulnerable servers are no longer viable. Institutions should “strongly consider” having users and administrators “change passwords after applying the OpenSSL patch,” the alert says.