Articles

The World is Cyber Bleeding

Heart Bleed

What is Heartbleed?

Heartbleed (CVE-2014-0160), the vulnerability was discovered in a software library used in servers, operating systems and email and instant messaging systems and allows anyone to read the memory of systems using vulnerable versions of OpenSSL software.

What is OpenSSL?

OpenSSL is an open source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols by which email, instant messaging, and some VPNs are kept secure.The vulnerability is called Heartbleed because it's in the OpenSSL implementation of the TLS/DTLS heartbeat extension described in RFC6520, and when it is exploited it can lead to leaks of memory contents from the server to the client and from the client to the server.

What is the vulnerability?

Using these vulnerability attackers could take advantage of the bug to eavesdrop on communications, steal data directly from server or client systems, and impersonate users and servers.

"This compromises the secret keys used to identify service providers and to encrypt the traffic, the names and passwords of the users and the actual content," the researchers wrote on a website dedicated to the bug. Without using any privileged information or credentials, attackers will be able to steal the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication. Because such attacks are not traceable, it's not clear how widespread the bug is or was, but it is thought that at least two-thirds of websites could be affected, as the most notable software using OpenSSL are the open source webservers Apache and nginx.

Systems are likely to be affected either directly or indirectly. OpenSSL is the most popular open source cryptographic library and TLS implementation used to encrypt traffic on the Internet.

Recovery from this leak requires patching the vulnerability, revocation of the compromised keys and reissuing and redistributing new keys," the researchers said. "Even doing all this will still leave any traffic intercepted by the attacker in the past vulnerable to decryption.

How to discover Heartbleed?

The Heartbleed bug was uncovered by a group of security engineers from Codenomicon and Neel Mahta from Google Security. On April 7, 2014, they announced vulnerability in the popular OpenSSL cryptographic library to the Internet community. Labeled as the Heartbleed bug, this vulnerability affects OpenSSL versions 1.0.1 through 1.0.1f (inclusive).

It is important to understand that Heartbleed bug is not a flaw in the SSL or TLS protocols; rather, it is a flaw in the OpenSSL implementation of the TLS/DTLS heartbeat functionality. The flaw is not related or introduced by publicly trusted certificates and is instead a problem with server software.

So what can I do to protect myself?

Check your package manager for an updated OpenSSL package and install it. If you do not have an updated OpenSSL package, contact your Service Provider to obtain the latest version of OpenSSL and install it.