Akamai Heartbleed patch not a fix after all
The Web infrastructure company's patch was supposed to have handled the problem. Turns out it protects only three of six critical encryption values.
Akamai, the network provider that handles nearly one-third of the Internet's traffic, released a Heartbleed patch to the community on Friday, saying that it would protect against the critical Web threat. Now it appears that's not the case.
Writing on his company's blog Sunday night, Akamai chief security officer Andy Ellis said that while he had believed the Akamai Heartbleed patch fully fixed the issue, a security researcher discovered it had a bug that caused it to be a partial, not full, patch.
"In short: we had a bug," Ellis wrote. "An RSA key has 6 critical values; our code would only attempt to protect 3 parts of the secret key, but does not protect 3 others."
The Heartbleed bug has become one of the worst Web security issues in recent history. Two years ago, a modification was made to OpenSSL, an encryption technology designed to ensure safe harbor for sensitive data traveling around the Web, that left it vulnerable to malicious hackers. By exploiting the bug, hackers could sidestep the encryption and access everything from usernames and passwords to session cookies.
On Friday, Ellis reported that while Akamai's network was exposed to the Heartbleed vulnerability between August 2012 and April 4, 2014, the fix the company had applied to its network meant that it was safe.
"As a courtesy to us, we were notified shortly before public disclosure, which gave us enough time to patch our systems," Ellis wrote. "We were asked not to publicly disclose the vulnerability, as doing so would have shortened the window of opportunity for others to fix their systems. Once we were notified, our incident management process governed patching, testing, and deploying the fix to our network safely."
All of that came unraveled over the weekend when security researcher Willem Pinckaers wrote his own blog post, saying that the OpenSSL fix Akamai put in place and subsequently released to the public didn't fix the problem.
"This patch does not, on its own, protect against private key disclosure through Heartbleed," Pinckaers wrote to Akamai customers. "This means your certificates on Akamai servers need to be rotated, and anything sent before then is vulnerable to Heartbleed compromise. If you send customer passwords to Akamai, you should ask your customers to change their passwords again. They'll enjoy that."
The crux of the issue, Pinckaers argues, is that while Akamai protects three critical values in an RSA key -- a long, algorithm-created string of numbers designed to create an encrypted connection -- three other values, known as intermediate extra values, are accessible because they weren't "stored in the secure memory area."
"As the...values were not stored in the secure memory area, the possibility exists that these critical values for the SSL keys could have been exposed to an adversary exploiting the Heartbleed vulnerability," Akamai's Ellis said. "Given any CRT value, it is possible to calculate all 6 critical values."
Akamai is now heading back to the drawing board. Ellis says that his company has already started rotating SSL certificates that are vulnerable to protect its customers. Ellis says that some certificates will rotate quickly, while others will take a bit longer.
CNET has contacted Akamai for additional comment on the security flaw. We will update this story when we have more information.