Information for Monetra users regarding the OpenSSL 'Heartbleed' Bug
What is the Heartbleed bug, and how does it affect Monetra?
The 'Heartbleed Bug' is a vulnerability in OpenSSL, a popular open source software component used in many application programs, including Monetra, to perform cryptographic functions for secure network communications (SSL/TLS) and for other purposes, such as database encryption.
CVE-2014-0160 is the official ID given to this bug, which has been dubbed 'Heartbleed' because it is exploited through the TLS heartbeat extension. The bug allows an attacker to read up to 64 KB of the server application's memory with each heartbeat request, and the request can be repeated as often as the attacker likes. Heartbeat requests are unauthenticated and are processed before any application-level checks, so every server running a vulnerable OpenSSL is exposed, regardless of additional precautions such as requiring client certificates.
OpenSSL versions 1.0.1 through 1.0.1f are vulnerable. OpenSSL 1.0.1g, released on April 7, 2014, corrects the issue.
What versions of Monetra are affected?
Monetra versions 7.10.0 through 7.13.2 are vulnerable to this attack; prior releases used OpenSSL 0.9.8, which does not contain this vulnerability. As of Monetra 7.13.3, released on April 9, 2014, Monetra is linked against OpenSSL 1.0.1g, which corrects the flaw.
Does that mean it is OK to continue using versions of Monetra prior to 7.10.0?
No, it only means you are not vulnerable to this particular bug.
CVE-2014-0160 is not the only security vulnerability ever identified in OpenSSL, and it will not be the last. If you are using a version prior to 7.10.0, you are at least two OpenSSL security releases behind, and you also lack the additional security features implemented in Monetra since that time.
I'm using a Monetra version prior to 7.13.3, what should I do?
You need to upgrade your Monetra software as soon as possible. If you are running 7.10.0 through 7.13.2 you are vulnerable to Heartbleed; if you are running anything older you are exposed to earlier OpenSSL issues instead.
Please read Section 4 of the Monetra Installation Guide for information about upgrading Monetra.
OK, I've upgraded to version 7.13.3, am I OK now?
Unfortunately, due to the nature of the bug, the answer is unclear. Exploiting it leaves no trace in ordinary application logs, so it is unknown whether anyone discovered and exploited this vulnerability before it was corrected, and since public disclosure the likelihood of attackers finding and exploiting still-vulnerable servers has increased every day. Whether or not this attack was made against your particular Monetra server is a question we cannot answer.
If your Monetra server is only on a private, trusted network with no outside access, the likelihood of being targeted by this attack is extremely small.
However, if your Monetra server is public-facing, meaning you have allowed access from the internet to Monetra's ports, then such an attack is much more likely.
Once you've upgraded to version 7.13.3 you are no longer vulnerable to this attack, but any information an attacker may have collected while you were running an older version could still be used against you.
My Monetra server is public-facing, what could attackers have gotten?
Because the bug gives attackers 64 KB blocks of the application's memory with no control over which addresses are returned, they could have gotten anything Monetra held in volatile memory at the time of a request. This includes, but is not limited to:
(a) Magnetic swipe card data (track data)
(b) Card numbers (PANs)
(c) Card Verification Values (CVVs)
(d) Usernames and passwords for Monetra accounts, including MADMIN accounts
(e) Merchant credentials (MIDs, TIDs, etc.)
(f) Database encryption keys
(g) CardShield BDKs (unless using an HSM)
(h) SSL certificates and private keys
In our opinion the likelihood is fairly small that any Monetra servers were attacked and, in the unlikely event that a Monetra server was attacked, the probability that any meaningful information was compromised and retained by an attacker is extremely low. Such a compromise would imply a sophisticated, targeted attack against the Monetra server by someone intimately familiar with Monetra and how it holds data in memory; without that knowledge, most of what comes back is difficult to interpret. One caveat: some of the items above carry their own structure. Card numbers are 13 to 19 digit runs that pass the Luhn check, track data has fixed delimiters, and a private key can be recovered from leaked memory by testing candidate byte runs as factors of the certificate's public modulus, as the public Heartbleed challenge run by CloudFlare demonstrated. Those items can be picked out of a dump without Monetra-specific knowledge.
Monetra also wipes data it places in volatile memory before that memory is released, so sensitive data does not stay in memory longer than necessary. Of the items above, only (f), (g) and (h) are held in memory for the life of the process. Items (a) through (e) were therefore exposed only if a transaction was in flight at the moment of a heartbeat request, and then only if that transaction's data happened to fall within the block of memory the request returned. Wiping on release does not protect data that is still in use, and an attacker can repeat the request indefinitely, so the exposure window for in-flight data is the transaction's lifetime, not a single instant.
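The caveat above, worked through in code. This Python is added here as an example and is not Monetra's code: it scans a constructed 64 KB 'heartbeat response' (seeded noise with a few NUL-terminated plaintext fields written into it) for card numbers by Luhn-checking digit runs, for Track 1 and Track 2 data by their delimiters, and for credential-looking printable strings. The card numbers are published test numbers; the track layouts follow the ISO 7813 conventions; the `username=...&password=...` string is a constructed stand-in and says nothing about how Monetra actually formats credentials.

```python
# Added example (not Monetra's code): triage a leaked memory block for card data.
import random
import re

PAN_RE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")                 # card-number-length digit run
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})")  # %B<PAN>^<NAME>^<YYMM>...
TRACK2_RE = re.compile(rb"(?<!\d)(\d{13,19})=(\d{4})\d{3}")       # <PAN>=<YYMM><service code>...
STRING_RE = re.compile(rb"[\x20-\x7e]{8,}")                       # what `strings` would print

def luhn_valid(digits):
    """Mod-10 check that every real card number passes; filters random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan):
    """First six and last four digits, the form PCI DSS permits for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_pans(blob):
    """Digit runs of card-number length that are Luhn-valid, in the order found."""
    return [m.group().decode() for m in PAN_RE.finditer(blob)
            if luhn_valid(m.group().decode())]

def find_tracks(blob):
    """(kind, pan, name, expiry) for each Track 1 / Track 2 string found."""
    hits = []
    for m in TRACK1_RE.finditer(blob):
        hits.append(("track1", m.group(1).decode(),
                     m.group(2).decode(errors="replace"), m.group(3).decode()))
    for m in TRACK2_RE.finditer(blob):
        hits.append(("track2", m.group(1).decode(), None, m.group(2).decode()))
    return hits

def find_strings(blob, keywords=(b"user", b"pass", b"madmin")):
    """Printable runs of 8+ bytes that mention a credential keyword (case-insensitive)."""
    return [s.decode() for s in STRING_RE.findall(blob)
            if any(k in s.lower() for k in keywords)]

def constructed_leak(size=65536, seed=7):
    """Fake heartbeat response: seeded noise with NUL-terminated plaintext fields inside."""
    rng = random.Random(seed)
    buf = bytearray(rng.getrandbits(8) for _ in range(size))
    fields = {                                              # all constructed sample data
        1000: b"%B4111111111111111^DOE/JOHN^2512101?",      # Track 1, published test PAN
        20000: b"5555555555554444",                          # bare PAN, published test number
        40000: b"username=MADMIN&password=Spring2014!",      # credential-looking string (assumed format)
        60000: b"4111111111111111=251210112345?",            # Track 2
    }
    for off, field in fields.items():
        buf[off:off + len(field) + 2] = b"\x00" + field + b"\x00"
    return bytes(buf)

def triage(blob):
    """Summarize what an attacker could read from one leaked block, PANs masked."""
    return {
        "pans": [mask(p) for p in find_pans(blob)],
        "tracks": [(kind, mask(pan), expiry) for kind, pan, _, expiry in find_tracks(blob)],
        "credentials": find_strings(blob),
    }

if __name__ == "__main__":
    for key, value in triage(constructed_leak()).items():
        print(key, value)
```

The point of the Luhn filter is the false-positive rate: 64 KB of noise produces many digit pairs and the odd longer run, but a 13+ digit run that also passes mod-10 is almost certainly a card number. The same scan run over a real heartbeat response needs no knowledge of Monetra's memory layout, which is why items (a) and (b) are easier to recognize than the vendor-specific items.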
When upgrading to Monetra 7.13.3+, what best practices should I follow?
Because of the severity of the issue and the nature of the data attackers could in theory have obtained, the steps below are the strongest recommendations we can provide. It is up to you to determine, from your own security policies, risk and business requirements, whether any or all of these practices need to be followed.
- During the upgrade to 7.13.3, you will be prompted whether you want to export and import your database; say 'yes'. You will then be prompted whether you want to rotate your database encryption key; also say 'yes'. This addresses item (f).
- Request that all of your users change their passwords. This addresses item (d).
- If your SSL certificate is signed by a CA such as Thawte, Verisign or Comodo, generate a new private key and a certificate signing request from it, have the CA issue a new certificate, install the new key and certificate, and then have the CA revoke the old certificate. Reusing the old private key with a new certificate does not help, since it is the key that may have leaked. This addresses item (h).
- If you use CardShield with DUKPT-encrypting devices but not in conjunction with an HSM, perform a DUKPTRoll operation and re-inject all devices. This addresses item (g). Without this step, encrypted data from the devices remains at risk only if the attacker obtained the BDK from your Monetra server, identified that data as a BDK, and can now intercept traffic from the associated encrypting devices.
My Monetra maintenance has expired and I need this update. What can I do?
If your maintenance agreement has expired you can renew it online as follows.
- Log into www.monetra.com.
- Once logged in you will see a table with your license(s). Put a check (left of license ID) next to every license you need to upgrade and click the 'Renew License' button.
- After your software maintenance has been renewed, see Section 4 of the Monetra Installation Guide for information about upgrading your Monetra software.
Where can I find more information?
The following sites provide detailed information about this issue:
- http://www.heartbleed.com
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160
Refer to the Monetra Secure Implementation Guide for information regarding configuring and securing your Monetra server environment.
Consult with your Qualified Security Assessor (QSA) or other information security professionals for assistance and information regarding your specific network configuration and any remediation steps you may need to take to ensure the security of your cardholder data environment.