At the beginning of this week a new vulnerability in OpenSSL called Heartbleed was made public.
OpenSSL is the library used by most computers to encrypt data sent across the Internet, and elsewhere too. It is perhaps the most widely deployed SSL library and appears in a wide variety of applications, including a number of Linux distributions (see below).
The vulnerability now has a dedicated ID, CVE-2014-0160 (see references). Essentially, it lets an attacker pull the keys used to encrypt your data directly from the memory of a vulnerable web server, and so read any traffic sent from that server, including usernames, passwords, financial information and more.
Some technical details
The vulnerability lies in the way that OpenSSL handles the heartbeat extension in the TLS protocol. In reply to a heartbeat request, OpenSSL returns the requested amount, up to 64 kB, of random memory content. Sensitive data such as message contents, user credentials, session keys and server private keys have been observed within the reply contents. More memory contents can be acquired by sending more requests. The attacks have not been observed to leave traces in application logs.
To make it clear, this vulnerability does not hack the server, and it does not extract usernames and passwords from the server’s database. It “only” reads chunks of 64 KB of memory from the server’s RAM and sends them to the attacker. If confidential data is passing through that memory at the very moment the attacker reads it, that data can potentially reach the attacker. Once the attacker has the secret key, he can also eavesdrop on communications, steal data directly from the services and users, and impersonate services and users.
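The following toy model is an added example, not OpenSSL's code and not part of the original post: it shows a heartbeat handler that trusts the length claimed in the request next to one that checks it against the bytes actually received. The message layout (1-byte type, 2-byte length, payload, at least 16 bytes of padding) follows RFC 6520; the names `heartbeat_reply`, `simulate` and `SECRET` and the simulated memory layout are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define SECRET "user=alice&password=hunter2;"   /* constructed sample data */

/* Hypothetical toy handler. rec points at a received heartbeat record of
   rec_len bytes that sits inside a larger simulated buffer of buf_len bytes. */
static size_t heartbeat_reply(const unsigned char *rec, size_t rec_len, size_t buf_len,
                              int check_bounds, unsigned char *out)
{
    if (rec_len < 3 || rec[0] != 0x01) return 0;          /* not a heartbeat request */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];      /* length the sender claims */
    /* Hardened form: payload plus 16 bytes of padding must fit in what arrived. */
    if (check_bounds && 1 + 2 + claimed + 16 > rec_len) return 0;  /* discard silently */
    if (3 + claimed > buf_len) claimed = buf_len - 3;     /* keeps this demo in bounds */
    memcpy(out, rec + 3, claimed);                        /* echo the "payload" back */
    return claimed;
}

/* Builds simulated memory (record followed by SECRET), runs the handler and
   returns the reply length; *leaked is set to 1 if the reply contains SECRET. */
static size_t simulate(unsigned claimed, int check_bounds, int *leaked)
{
    unsigned char mem[64] = {0}, out[64] = {0};
    size_t rec_len = 1 + 2 + 4 + 16;                      /* bytes really received */
    mem[0] = 0x01; mem[1] = (unsigned char)(claimed >> 8); mem[2] = (unsigned char)claimed;
    memcpy(mem + 3, "ping", 4);                           /* real 4-byte payload */
    memset(mem + 7, 'P', 16);                             /* padding (random in real TLS) */
    memcpy(mem + rec_len, SECRET, sizeof SECRET - 1);     /* unrelated neighbouring data */
    size_t n = heartbeat_reply(mem, rec_len, sizeof mem, check_bounds, out);
    *leaked = 0;
    for (size_t i = 0; i + sizeof SECRET - 1 <= n; i++)
        if (memcmp(out + i, SECRET, sizeof SECRET - 1) == 0) *leaked = 1;
    return n;
}

int main(void)
{
    int leaked;
    size_t n = simulate(48, 0, &leaked);
    printf("no check, claimed 48: %zu bytes echoed, secret leaked=%d\n", n, leaked);
    n = simulate(48, 1, &leaked);
    printf("checked,  claimed 48: %zu bytes echoed, secret leaked=%d\n", n, leaked);
    n = simulate(4, 1, &leaked);
    printf("checked,  claimed 4:  %zu bytes echoed, secret leaked=%d\n", n, leaked);
    return 0;
}
```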
What can you do?
The worst part is that there is no way to tell if you have been exploited. There is no log, no error message, nothing.
For website administrators, check if the OpenSSL in use is vulnerable. OpenSSL versions from 1.0.1 to 1.0.1f are vulnerable.
Vulnerable Linux distributions include:
- Red Hat Enterprise Linux 6.5 (OpenSSL 1.0.1e)
- Debian Wheezy (before OpenSSL 1.0.1e-2+deb7u5)
- Ubuntu 12.04 LTS, 13.04, 13.10
If your OpenSSL is vulnerable, the most prudent thing to do now is to update OpenSSL to version 1.0.1g, then revoke the server certificate used to encrypt the traffic and get a new one. Sometimes this is free, but most of the time it costs money if you want an official certificate instead of a self-generated one.
As a client of an affected web server, you can’t do much. After the administrator has fixed the problem, you should change your password.
Because this bug is already two years old, pretty much anything can happen, so you may want to think more carefully about what you put online in the future.
If you are curious if your favorite website is or was affected, you can check it here:
Don’t change all your passwords now. Some of the websites may need a while before they are able to make the above-mentioned changes.
IT Security Expert