April 11, 2014

FFIEC urges CUs, banks to address 'Heartbleed' issue

April 11, 2014 – The Federal Financial Institutions Examination Council released an alert Thursday urging credit unions and banks to take steps now to mitigate the "Heartbleed" issue, which the regulators termed a "material security vulnerability" affecting Web servers using OpenSSL.

OpenSSL is an open-source implementation of the secure sockets layer (SSL) and transport layer security (TLS) protocols commonly used to protect data in transit. The "Heartbleed" vulnerability, reported by researchers April 7, is a bounds-checking bug in OpenSSL's TLS heartbeat extension that lets a remote attacker read server memory, and with it the server's private cryptographic keys, "compromising the security of the server and its users," the FFIEC wrote. The flaw, which affects OpenSSL versions 1.0.1 through 1.0.1f, has existed since Dec. 31, 2011, the alert says.

The alert adds, "An attacker may be able to decrypt, spoof, or perform man-in-the-middle attacks on network communications that would otherwise be protected by encryption."

The notice urges regulated institutions to:

  • ensure third-party vendors using OpenSSL on their systems are aware of the vulnerability and take appropriate mitigation steps;
  • monitor the status of their vendors' efforts;
  • identify and upgrade vulnerable internal systems and services; and
  • follow appropriate patch management practices and test to ensure a secure configuration.

The alert also suggests replacing private keys and their X.509 certificates after applying patches, and says financial institutions should assume the current encryption keys of vulnerable servers are no longer viable: patching stops further leakage, but a key already exposed stays exposed until it is replaced. Institutions should "strongly consider" having users and administrators "change passwords after applying the OpenSSL patch," the alert says, since session data and credentials may also have been read from memory.
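The alert's checklist above (identify vulnerable systems, patch, then rotate keys and passwords) is easy to state and easy to get wrong in an inventory of hundreds of hosts. The following is an added example, not part of the FFIEC alert or of OpenSSL, showing how one might triage an inventory against the alert's version range (1.0.1 through 1.0.1f) and decide which hosts still need an upgrade, which need their keys and certificates replaced, and which need a password reset. The host records, the remediation date and the field names are constructed assumptions for illustration; the check encodes only the range the alert names.

```python
import re
from dataclasses import dataclass
from datetime import date

# The FFIEC alert names OpenSSL 1.0.1 through 1.0.1f as vulnerable. 1.0.1g is the
# first fixed release; the 0.9.8 and 1.0.0 branches are not affected. Only the
# alert's range is encoded here (pre-release builds are not considered).
VULNERABLE_BRANCH = "1.0.1"
FIRST_FIXED_LETTER = "g"

# Matches the start of an `openssl version` banner, e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013".
BANNER_RE = re.compile(r"OpenSSL\s+(\d+\.\d+\.\d+)([a-z]?)")


def is_vulnerable_version(banner: str) -> bool:
    """True if the banner reports 1.0.1 (no letter) through 1.0.1f."""
    m = BANNER_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised OpenSSL banner: {banner!r}")
    base, letter = m.group(1), m.group(2)
    if base != VULNERABLE_BRANCH:
        return False
    # Plain "1.0.1" has letter "" which sorts before "a"; anything below "g" is affected.
    return letter < FIRST_FIXED_LETTER


@dataclass
class Host:
    name: str
    openssl_banner: str
    # Distributions backport the fix without changing the banner (a patched package
    # may still print 1.0.1e), so the package/change record must be consulted too.
    distro_fix_applied: bool
    cert_not_before: date       # notBefore of the host's current X.509 certificate
    ever_ran_vulnerable: bool   # from change records: did an in-range build ever serve here?


def assess(host: Host, remediation_date: date) -> dict:
    """Apply the alert's guidance to one host.

    upgrade          - banner is in range and no distro fix is recorded.
    rotate_keys      - host was exposed and its certificate/key predates remediation,
                       so the key must be treated as compromised (alert: "no longer viable").
    reset_passwords  - any host that was exposed; credentials may have leaked from memory.
    """
    in_range = is_vulnerable_version(host.openssl_banner)
    still_vulnerable = in_range and not host.distro_fix_applied
    # An in-range banner means the build was exposed at some point, even if since backport-fixed.
    exposed = in_range or host.ever_ran_vulnerable
    return {
        "host": host.name,
        "upgrade": still_vulnerable,
        "rotate_keys": exposed and host.cert_not_before < remediation_date,
        "reset_passwords": exposed,
    }


def triage(hosts: list, remediation_date: date) -> list:
    return [assess(h, remediation_date) for h in hosts]


# Constructed sample inventory (hypothetical hosts, banners and dates).
REMEDIATION_DATE = date(2014, 4, 9)
SAMPLE_INVENTORY = [
    Host("web01", "OpenSSL 1.0.1e 11 Feb 2013", False, date(2013, 6, 1), False),       # unpatched
    Host("web02", "OpenSSL 1.0.1e-fips 11 Feb 2013", True, date(2013, 6, 1), False),   # backported fix, old key
    Host("web03", "OpenSSL 1.0.1g 7 Apr 2014", False, date(2014, 4, 10), True),        # upgraded, key reissued
    Host("legacy01", "OpenSSL 1.0.0k 5 Feb 2013", False, date(2013, 1, 15), False),    # never affected
]

if __name__ == "__main__":
    for r in triage(SAMPLE_INVENTORY, REMEDIATION_DATE):
        actions = [k for k in ("upgrade", "rotate_keys", "reset_passwords") if r[k]]
        print(f"{r['host']:10s} {', '.join(actions) or 'no action'}")
```

The banner check alone is only a first pass: web02 shows why, since its version string still reads 1.0.1e after the distribution's backported fix, and web03 shows that a host already on 1.0.1g may still owe a key rotation if its certificate predates remediation. Confirming exposure ultimately requires the package record or a direct test of the patched service, not the version string.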