Independent researchers have discovered a critical vulnerability in the widely popular cryptographic software library, OpenSSL. As stated by the discovering parties, this vulnerability “allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software.”
What Has Been Compromised?
According to researchers, exploitation of CVE-2014-0160, or the Heartbleed Bug, allows attackers to steal:
- Primary Key Material – These are the secret keys that allow websites to unlock the encrypted information their users send during transmissions secured by TLS/SSL.
- Secondary Key Material – These are user credentials transferred in TLS/SSL transmissions, such as usernames and passwords.
- Protected Content – This is the content that is transferred during a TLS/SSL transmission and that is supposed to be protected by cryptographic secret keys. This is alarming because most encrypted data – such as financial information – is encrypted because it is sensitive.
- Collateral – This is all of the technical information related to an OpenSSL user account, such as memory addresses and user specific security settings.
How Can I Fix This?
Anyone using OpenSSL 1.0.1 through 1.0.1f (inclusive) is vulnerable, and needs to upgrade to OpenSSL 1.0.1g immediately. If this is not possible, users may also recompile OpenSSL with
It is also crucial to invalidate all compromised primary and secondary key material with your Certificate Authority. Although the Heartbleed bug was discovered by independent security researchers at Codenomicon, the vulnerability had actually been out in the wild since March 14th, 2012. No one knows if Heartbleed was exploited during that time, and even if it was the nature of the vulnerability allows attackers to hide all evidence of memory access.
What is most alarming is that OpenSSL is the most popular open source cryptographic security service in use on the Internet today. Combined with its time in the wild of over 2 years, Heartbleed may have compromised a massive amount of information — or, it might not have compromised anything at all. The true extent of the breach really depends on whether anyone else knew about Heartbleed. Now that the vulnerability has been made public, service providers using an affected version of OpenSSL absolutely must address the issue; otherwise, all the information on their server will remain at high risk of compromise.
Where Can I Find More Information?
Codenomicon has published a detailed treatment of Heartbleed at http://heartbleed.com/
There readers may find official information about the bug, how to get rid of it, and additional links to commentary from other authorities, including statements from Cloudfare, The Tor Project, and Ubuntu.
Have a nice (malware-free) day.
- Conservative estimates state that nearly 2/3 of all web servers have been affected by Heartbleed.
- Servers can be tested for the vulnerability here: http://filippo.io/Heartbleed/
- A running list of vulnerable, popular websites has also been created at GitHub, here: https://github.com/musalbas/heartbleed-masstest/blob/master/top1000.txt. Readers will note that yahoo.com, proprietor of one of the world’s most popular email services, Yahoo Mail, is at the top of the list.