Heartbleed: 0-day Vulnerability in OpenSSL
A widespread and impactful 0-day vulnerability has been identified in current versions of OpenSSL that is utilized in most Linux and Unix based web servers that serve pages over SSL/TLS encryption
What is it?
This vulnerability (CVE-2014-0160) colloquially titled "Heartbleed" exploits a programmatic mistake in the versions of OpenSSL from 1.0.1 to 1.0.1f. Versions 1.0.0 and earlier are not vulnerable. This allows a buffer over-read of the webserver's memory culminating in private key compromise, credential compromise and cookie leakage.
What should I do?
here are a few options for validating that your site is vulnerable.
- The best option is to audit the version number of OpenSSL you are running on each webserver that is serving pages over SSL/TLS. Versions less than 1.0.1g are vulnerable.
- Another option is to plug your web URL into this site: http://filippo.io/Heartbleed/. NOTE: while this option is the quickest and least intrusive, it should be considered untrusted and potentially logging all vulnerable sites. Use this option only if you are comfortable with this possible scenario.
- Run a script against your URL with auditable code located here: https://gist.github.com/sh1n0b1/10100394. This is guaranteed not to be logging any results as the source code is there for review. This can also enable you to script checks of all sites to be audited.
I'm vulnerable, now what?
A new patched (non-vulnerable) version of OpenSSL is available: 1.0.1g. You will need to update to this version (Note: consult your distribution's package repository as this version number may vary based on security backporting, etc). Also, your private key associated with your SSL certificate could be compromised. A new certificate should be generated by your certificate authority and installed on your web server. If your private key is compromised any traffic encrypted with your current certificate could be decrypted, which negates all confidentiality and integrity of any message or data captured, thus completely defeating SSL/TLS.
For more information:
Official CVE listing: https://cve.mitre.org/cgi-bin/cvename.
OpenSSL's statement:http://www.openssl.org/news/secadv_20140407.txt
More info: http://heartbleed.com/