Sunday, 06 April 2014 00:00

The Heartbleed Bug is a very serious vulnerability in the OpenSSL cryptographic software library. Its bad enough that OpenSSL is constantly under threat but this particular weakness is really a huge risk. It enables an attacker to steal much more than just the information its supposed to protect. Under the hood under normal conditions the SSL/TLS encryption is whats used to secure all our communications across the Internet. SSL/TLS is what provides the security and privacy over the Internet for applications such as webservers, email servers, instant messaging (IM) and all our communication over the internet even WiFi Access Points, Networking Hardware and the virtual private networks (VPNs) Corporations depend upon.

The Heartbleed bug undoes all that security and allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This goes much farther than just compromising the secret keys that are used to identify all our service providers and to encrypt their traffic. It also exposes the names and passwords of the users, the actual content and can even expose the sourcecode of the applications themselves. This allows attackers to do much more than just eavesdrop on our communications or steal data directly out of these services and their users it can also be used to impersonate services and users. Its not yet been stated anywhere else but its quite likely one of the tricks the NSA has been using to decrypt our communications that we believed to be secure and even worse, it leaves no trace so regardless of how your logging was setup, nobody would ever know.

The only good news in all of this so far has been that, as of now, older systems are not affected, so older hardware, applications and servers this time get a pass. That means many large consumer sites have been saved by their more conservative choice of running older SSL/TLS termination equipment, software across their services. Sadly the smaller and more progressive companies, services or those who have upgraded to latest and greatest hoping for the best encryption will be affected the most. So those running OpenSSL 0.9.8 up through OpenSSL 1.0.0 branch are NOT vulnerable. However the whole OpenSSL 1.0.1 Branch up to 1.0.1f are vulnerable, only those running 1.0.1g are NOT vulnerable and if you have been running 1.0.1 at all you should error on the safe side and assume your OpenSSL secret keys are no longer secret so its time to revoke your certificates and get new ones reissued, After you've upgraded OpenSSL, there is no safe way around it cause if your hoping to find evidence in your logs you won't.

Want or need to find out more. Check these out then.
CVE-2014-0160
NCSC-FI case# 788210
http://www.openssl.org/news/secadv_20140407.txt (published 7th of April 2014, ~17:30 UTC)
http://blog.cloudflare.com/staying-ahead-of-openssl-vulnerabilities (published 7th of April 2014, ~18:00 UTC)
https://blog.torproject.org/blog/openssl-bug-cve-2014-0160
http://heartbleed.com (published 7th of April 2014, ~19:00 UTC)
http://lists.centos.org/pipermail/centos-announce/2014-April/020249.html
https://lists.fedoraproject.org/pipermail/announce/2014-April/003205.html
https://rhn.redhat.com/errata/RHSA-2014-0376.html
https://www.cert.at/warnings/all/20140408.html
http://www.cert.ssi.gouv.fr/site/CERTFR-2014-ALE-003/index.html
https://www.cert.fi/en/reports/2014/vulnerability788210.html
http://www.circl.lu/pub/tr-21/
http://www.freshports.org/security/openssl/
http://www.kb.cert.org/vuls/id/720951

Pervasive Netwerks Metal Logo 

© 2013 Pervasivenetwerks.com /. All Rights Reserved.
Disclaimer: The content on this site and all images (C) the original authors.