Monday 14 April 2014

Heartbleed SSL Vulnerability

Recently the IT security community had a security event about a bug in OpenSSL, the library widely used by servers that implement SSL/TLS secure connections.

The bug enables an attacker to read 64k of the server's memory contents without leaving a trace. This includes the most sensitive data of all: the private key used for the encryption.
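As an added illustration (this is not code from the original post or from OpenSSL), the following C model shows the logic behind the flaw and behind the fix: a heartbeat request carries a peer-supplied payload length, the vulnerable handler copies that many bytes back without checking the claim against the record it actually received, and the corrected handler drops the request when the claimed length does not fit. The record layout follows RFC 6520; the memory arena, the embedded secret string and all function names are constructed for this example.

```c
/* Added example (not OpenSSL's code): a simplified model of the TLS
 * heartbeat handling behind Heartbleed, with the missing bounds check
 * shown beside the corrected one. Names and the arena are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat record (RFC 6520): type(1) | payload_length(2) | payload | padding(16) */
#define HB_TYPE_REQUEST 1
#define HB_PADDING 16

/* Constructed "process memory": a short heartbeat request followed by data
 * that must never leave the process. */
static unsigned char memory_arena[128];
static const char secret_after_record[] = "PRIVATE-KEY-MATERIAL";

/* Build the arena: record at offset 0 with a claimed payload length that may
 * exceed the real one, secret immediately after the record. Returns the
 * true record length as the TLS layer would report it. */
size_t build_arena(uint16_t claimed_len, const char *actual_payload)
{
    size_t actual = strlen(actual_payload);
    memset(memory_arena, 0, sizeof memory_arena);
    memory_arena[0] = HB_TYPE_REQUEST;
    memory_arena[1] = (unsigned char)(claimed_len >> 8);
    memory_arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(memory_arena + 3, actual_payload, actual);
    size_t record_len = 1 + 2 + actual + HB_PADDING;
    memcpy(memory_arena + record_len, secret_after_record, sizeof secret_after_record);
    return record_len;
}

/* Vulnerable handler: trusts the peer-supplied payload_length and copies that
 * many bytes from the record into the reply. When the claim exceeds what the
 * record holds, bytes beyond the record (here: the secret) are echoed back. */
int heartbeat_reply_vulnerable(const unsigned char *rec, size_t rec_len,
                               unsigned char *out, size_t out_cap)
{
    (void)rec_len; /* never consulted: this is the bug */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)payload_len > out_cap) return -1;
    memcpy(out, rec + 3, payload_len);
    return payload_len;
}

/* Fixed handler (the logic of the upstream patch): discard the request when
 * header + claimed payload + padding does not fit in the received record. */
int heartbeat_reply_fixed(const unsigned char *rec, size_t rec_len,
                          unsigned char *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING) return -1;                         /* too short to be valid */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload_len + HB_PADDING > rec_len) return -1;  /* silently drop */
    if ((size_t)payload_len > out_cap) return -1;
    memcpy(out, rec + 3, payload_len);
    return payload_len;
}

/* Returns 1 if the first n bytes of the reply contain the secret, else 0. */
int reply_leaks_secret(const unsigned char *out, int n)
{
    if (n <= 0) return 0;
    size_t slen = strlen(secret_after_record);
    for (int i = 0; i + (int)slen <= n; i++)
        if (memcmp(out + i, secret_after_record, slen) == 0) return 1;
    return 0;
}

int main(void)
{
    unsigned char reply[128];
    /* Request claims 64 bytes of payload but actually carries 4 ("ping"). */
    size_t rec_len = build_arena(64, "ping");
    int n = heartbeat_reply_vulnerable(memory_arena, rec_len, reply, sizeof reply);
    printf("vulnerable: replied %d bytes, leaks secret: %d\n", n, reply_leaks_secret(reply, n));
    n = heartbeat_reply_fixed(memory_arena, rec_len, reply, sizeof reply);
    printf("fixed: returned %d (request dropped)\n", n);
    return 0;
}
```

Compile and run it: the unchecked handler returns 64 bytes and the constructed secret appears in the reply, while the checked handler returns -1 and sends nothing. A request whose claimed length matches its real payload is still answered normally by the fixed handler, which is why the fix did not break legitimate heartbeats.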

The bug was discovered by Neel Mehta of Google's security team, who reported the defect to the OpenSSL team on April 1, 2014.

The Heartbleed name itself comes from a Finnish cybersecurity company, Codenomicon, which also created the bleeding-heart logo and launched the domain Heartbleed.com to explain the bug to the public. They reported it on April 3, 2014.

The effect of this bug on the Internet community was huge. On April 10, "Cisco Systems and Juniper Networks, two of the biggest creators of Internet equipment, announced that their products had been affected by the Heartbleed bug. Routers, firewalls and switches had all likely been affected by the bug, leaving your personal information at risk of being stolen by hackers."

On April 12, independent researchers were even able to steal private keys with this attack from an experimental server that CloudFlare had intentionally set up for that purpose.

What is the impact of this?

When a service uses a vulnerable OpenSSL, an attacker may be able to retrieve sensitive information, including the secret keys, which are the primary asset in an OpenSSL infrastructure.

With the secret key, they can set up a spoofed server, or even run a Man-in-the-Middle attack using the private key, without you knowing that it is happening.

Who uses OpenSSL? Any service that utilizes SSL/TLS, whether an HTTPS server, a VPN endpoint, a switch, a router or an email server, uses OpenSSL for the underlying implementation.

I also use the OpenSSL software, because it's open source and free. Many Internet servers and services use it. But not every OpenSSL implementation is affected. Check the version of the OpenSSL software you use.

The affected versions of OpenSSL include OpenSSL 1.0.1 through 1.0.1f (inclusive). OpenSSL 1.0.1g, the OpenSSL 1.0.0 branch and the OpenSSL 0.9.8 branch are not vulnerable.
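To turn that version range into a repeatable check, here is an added example (not from the original post) in C that classifies the version string printed by `openssl version` against the range given above: 1.0.1 through 1.0.1f are reported as affected, 1.0.1g and later and the 1.0.0 and 0.9.8 branches as not affected, and anything else, such as a pre-release suffix or a non-OpenSSL line, as unrecognised. The sample lines in `main` are constructed; the function names are assumptions.

```c
/* Added example: classify an OpenSSL version string against the Heartbleed
 * range named in the post (1.0.1 through 1.0.1f inclusive). Function names
 * are assumptions; sample inputs are constructed. */
#include <ctype.h>
#include <stdio.h>

/* Returns 1 if version is 1.0.1 .. 1.0.1f, 0 if it is any other well-formed
 * release, and -1 if the string is not a release version we can judge
 * (malformed input or a suffix such as "-beta1"). */
int is_affected_version(const char *v)
{
    int major, minor, patch;
    int consumed = 0;
    if (sscanf(v, "%d.%d.%d%n", &major, &minor, &patch, &consumed) != 3) return -1;
    if (major != 1 || minor != 0 || patch != 1) return 0;   /* not the 1.0.1 branch */
    const char *suffix = v + consumed;
    if (*suffix == '\0' || isspace((unsigned char)*suffix)) return 1;  /* plain 1.0.1 */
    if (!islower((unsigned char)*suffix)) return -1;        /* e.g. "1.0.1-beta1": not a release letter */
    return suffix[0] <= 'f' ? 1 : 0;                        /* a..f affected, g and later fixed */
}

/* Parse a full `openssl version` output line, e.g. "OpenSSL 1.0.1f 6 Jan 2014",
 * and judge its version token. Returns -1 for lines that do not start with
 * "OpenSSL". */
int is_affected_version_line(const char *line)
{
    char token[32];
    if (sscanf(line, "OpenSSL %31s", token) != 1) return -1;
    return is_affected_version(token);
}

int main(void)
{
    /* Constructed sample lines in the format printed by `openssl version`. */
    const char *samples[] = {
        "OpenSSL 1.0.1f 6 Jan 2014",
        "OpenSSL 1.0.1g 7 Apr 2014",
        "OpenSSL 0.9.8y 5 Feb 2013",
        "LibreSSL 2.0",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int v = is_affected_version_line(samples[i]);
        printf("%-28s -> %s\n", samples[i],
               v == 1 ? "AFFECTED" : v == 0 ? "not affected" : "unrecognised");
    }
    return 0;
}
```

On a live system, pipe the output of `openssl version` into the line parser; the three-way result matters because a distribution may also backport the fix without bumping the version letter, so an "affected" verdict from the string alone should be confirmed against the vendor's advisory (Debian and FreeBSD both published one).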

Almost every Linux distribution comes with OpenSSL by default. I myself use FreeBSD, and the affected versions go up to FreeBSD 9.2, or any release that uses the OpenSSL versions mentioned above. You can check on the FreeBSD website.

Even my local Linux machine, which runs Debian 7.1 Wheezy, was affected by this. But Debian has released a fix here.

What users should do is make sure they have a password that is changed at least every 30 days. Given this event, you had better change your password. I even heard Yahoo was affected and they fixed it quickly, but who knows what had already leaked.
