The heart is bleeding out: a new critical bug found in OpenSSL

A very serious flaw has just been discovered in OpenSSL – an open-source and very popular cryptographic library, which has already incited a minor (for now) panic amongst security experts. According to the freshly released security bulletin by The OpenSSL Project, a missing bounds check in the handling of the TLS Heartbeat Extension can be used to reveal up to 64k of memory to a connected client or server.
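To make the missing bounds check concrete, here is an added example (model code written for this post, not OpenSSL's own source): a simplified heartbeat handler in its pre-1.0.1g form beside the checked form, run on a constructed record whose claimed payload length exceeds what was actually received. The arena, sample bytes and function names are assumptions.

```c
#include <string.h>

/* Simplified TLS heartbeat record (RFC 6520): type byte, 2-byte big-endian
 * payload_length, payload, then at least 16 bytes of padding. This is a
 * hypothetical model written for this post, not OpenSSL's own code. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define HB_CLAIMED(rec) (((size_t)(rec)[1] << 8) | (rec)[2])
/* Pre-1.0.1g logic: the claimed length is trusted, never compared with the
 * record actually received. 'mem' is a constructed arena standing in for
 * memory beyond the record; the clamp to it only keeps this model safe. */
static size_t hb_respond_unchecked(const unsigned char *mem, size_t mem_len,
                                   unsigned char *out, size_t out_cap)
{
    if (mem_len < 3 || mem[0] != HB_REQUEST) return 0;
    size_t n = HB_CLAIMED(mem);
    if (n + 3 > out_cap || n + 3 > mem_len) return 0;
    out[0] = HB_RESPONSE; out[1] = mem[1]; out[2] = mem[2];
    memcpy(out + 3, mem + 3, n);   /* copies whatever follows the record */
    return n + 3;
}

/* 1.0.1g logic: header + claimed payload + padding must fit in rec_len. */
static size_t hb_respond_checked(const unsigned char *rec, size_t rec_len,
                                 unsigned char *out, size_t out_cap)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST) return 0;
    size_t n = HB_CLAIMED(rec);
    if (1 + 2 + n + HB_PADDING > rec_len) return 0;   /* the missing check */
    if (n + 3 > out_cap) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, n);
    return n + 3;
}
/* Constructed sample: a 21-byte request (payload "hi" + 16 bytes padding)
 * claiming 64 bytes, with other data placed after it in the arena. Bitmask:
 * 1 = unchecked copy leaks it, 2 = checked rejects, 4 = honest claim passes. */
static int hb_demo(void)
{
    unsigned char arena[128] = {HB_REQUEST, 0x00, 0x40, 'h', 'i'}, out[128];
    int r = 0;
    memcpy(arena + 21, "NOT-FOR-THE-PEER", 16);
    if (hb_respond_unchecked(arena, sizeof arena, out, sizeof out) == 67 &&
        memcmp(out + 21, "NOT-FOR-THE-PEER", 16) == 0) r |= 1;
    if (hb_respond_checked(arena, 21, out, sizeof out) == 0) r |= 2;
    arena[2] = 0x02;                                       /* honest claim */
    if (hb_respond_checked(arena, 21, out, sizeof out) == 5) r |= 4;
    return r;
}
```

The checked handler rejects the oversized claim while still answering an honest one, which is exactly the one-line comparison the 1.0.1g fix adds.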


In practice, this allows the theft of information that would normally be protected by the SSL/TLS encryption used to secure the Internet.

SSL/TLS protocols provide communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs). Attackers can steal secret keys, user names and passwords, instant messages, emails and businesses’ critical documents and communications – all of this without leaving a trace.

This makes the flaw (which has already received an alias ‘Heartbleed bug’) absolutely critical, so countermeasures should be taken promptly.

There is no word (yet) on how widely the flaw might have been exploited so far. However, the vulnerable OpenSSL 1.0.1 was released in March 2012. Whoever might have learned about the security flaw in question could have been eavesdropping on any TLS/SSL-encrypted communications ever since. This makes the problem a potentially global one: OpenSSL is used by very popular server software such as Apache and nginx. Their combined market share is over 66%, according to Netcraft’s April 2014 Web Server Survey, and they are commonly used by businesses of all sizes.

As of today, a number of *nix-like operating systems are affected too, since they ship with a vulnerable OpenSSL:

  • Debian Wheezy (Stable), OpenSSL 1.0.1e-2+deb7u4
  • Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
  • CentOS 6.5, OpenSSL 1.0.1e-15
  • Fedora 18, OpenSSL 1.0.1e-4
  • OpenBSD 5.3 (OpenSSL 1.0.1c) and 5.4 (OpenSSL 1.0.1c)
  • FreeBSD 8.4 (OpenSSL 1.0.1e) and 9.1 (OpenSSL 1.0.1c)
  • NetBSD 5.0.2 (OpenSSL 1.0.1e)
  • OpenSUSE 12.2 (OpenSSL 1.0.1c)

Distributions shipping older OpenSSL versions – Debian Squeeze (oldstable) with OpenSSL 0.9.8o-4squeeze14, and SUSE Linux Enterprise Server – are free of this flaw.

Amongst the possibly affected parties are operating system vendors and distributions, appliance vendors, and independent software vendors. They are strongly encouraged to adopt the fix – OpenSSL 1.0.1g – ASAP and to notify their users about possible password leaks. New secret keys and certificates must be generated as well.

Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use.

An online tool that tests any server, by its hostname, for the CVE-2014-0160 bug is already in place, and it’s recommended you check it out.

Again, an attacker who exploited this vulnerability would leave absolutely no traces on the attacked systems, so there’s no way to learn whether anyone was actually compromised. Every business that uses OpenSSL 1.0.1 through 1.0.1f is in danger, so the only reasonable action now is to plug this security sinkhole as soon as possible.


8 thoughts on “The heart is bleeding out: a new critical bug found in OpenSSL”

  1. Karen Peterson Apr 9, 2014 at 1:46 pm - Reply

    I was blocked out of my checking account this am so I’m thinking that as you update your info they can now see your bank acct number atm # your password etc!

  2. The procedure as outlined in the security bulletin for the “Heartbleed Bug” – can it be used on my other computers that have Kaspersky 3.0? Are there any codes or license numbers required? My wife is in DC and I need to detail to her what she should do.

    • Konstantin Goncharov Apr 14, 2014 at 1:34 pm - Reply

      The Heartbleed attack does not aim at personal computers. More than that, Windows machines in general (in the default setup) are not vulnerable. It affects web services running certain versions of OpenSSL software (and in this case it is really widespread). So the best recommendation would be to change passwords. See my long comment in this thread.

    • Konstantin Goncharov Apr 14, 2014 at 1:32 pm - Reply

      Not really. The OpenSSL bug does not endanger personal information stored by Kaspersky products or at Kaspersky Lab’s web services.

        • Konstantin Goncharov Apr 24, 2014 at 12:17 pm - Reply

          I disagree. Malware does identity theft, hence an anti-virus has to do something with it (i.e. block malware). Of course, it won’t help when data is stolen from the server a user is visiting.

  3. Great, that’s just brilliant, they advise everybody to patch their SSL implementation, neglecting to mention the fact this bug is used to obtain the actual root keys. So patching your SSL implementation is like closing the barn door after the horse has already bolted!
