A critical vulnerability in OpenSSL cryptographic software library allows attackers to gain access to information that is being protected by SSL/TLS encryption. SSL/TLS is widely utilized throughout the internet by many different applications. This vulnerability has been labeled the “heartbleed“ bug because the attack uses the TLS heartbeat extension and can reveal up to 64k of memory to a connected client. The attacker can repeat this attack multiple times to gain all information that is being stored in memory. This includes secret keys for certificates, usernames/passwords, and confidential data.
The reason this vulnerability is considered critical is because it is currently untraceable and easily used to attack vulnerable systems. OpenSSL released 1.0.1g on April 7th 2014 and it is not vulnerable to the attack. The versions that are vulnerable is 1.0.1 through 1.0.1f. After patching it is recommended to get new certificates and have users change passwords since any information recovered from the vulnerability could be used at anytime to compromise more system.
A team of security engineers at Codenomicon and Neel Mehta of Google Security discovered the Heartbeat vulnerability and reported it to the OpenSSL Team.
Please update your systems that have this very popular software ASAP.
- NCSC-FI case# 788210
- https://www.openssl.org/news/secadv_20140407.txt (published 7th of April 2014, ~17:30 UTC)
- https://blog.cloudflare.com/staying-ahead-of-openssl-vulnerabilities (published 7th of April 2014, ~18:00 UTC)
- https://heartbleed.com (published 7th of April 2014, ~19:00 UTC)