What you need to know about the OpenSSL vulnerability “heartbleed”

At the beginning of this week a new vulnerability in OpenSSL called Heartbleed was made public.

OpenSSL is the library most computers use to encrypt data sent across the Internet, and not only there. It is perhaps the most widely deployed SSL library and appears in a wide variety of applications, including a number of Linux distributions (see below).

The vulnerability has been assigned the ID CVE-2014-0160. Essentially, it lets an attacker pull the keys used to encrypt your data directly from the memory of a vulnerable web server, and with them read any traffic sent from that server, including usernames, passwords, financial information and more.


Some technical details

The vulnerability lies in the way OpenSSL handles the heartbeat extension of the TLS protocol. In reply to a heartbeat request, OpenSSL returns the amount of memory the request asks for, up to 64 KB, regardless of what that memory happens to contain. Sensitive data such as message contents, user credentials, session keys and server private keys have been observed in the reply contents, and more memory can be acquired by sending more requests. The attacks have not been observed to leave traces in application logs.

To be clear, this vulnerability does not break into the server and does not extract usernames and passwords from the server’s database. It “only” reads chunks of up to 64 KB from the server’s RAM and sends them to the attacker. If confidential data happens to be passing through that memory at the moment the attacker reads it, that data potentially reaches the attacker. Once the attacker has the secret key, he can also eavesdrop on communications, steal data directly from services and users, and impersonate services and users.
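The over-read described above, as an added illustration that is not code from the original post or from OpenSSL: a toy heartbeat handler works on a constructed memory buffer, first trusting the declared payload length (and so copying adjacent bytes, here a constructed fake secret), then with a length check that discards any request whose declared length exceeds what was actually received.

```python
import struct
from typing import Optional

# Constructed fake data that happens to sit in memory right after the record.
SECRET = b"session-key:DEADBEEF-constructed"
PADDING = 16  # TLS heartbeat messages end with at least 16 bytes of padding


def build_heartbeat(payload: bytes, declared_len: int) -> bytes:
    # Heartbeat body: type(1) | payload_length(2) | payload | padding(16).
    # A malicious request declares more payload than it actually carries.
    return struct.pack("!BH", 1, declared_len) + payload + b"\x00" * PADDING


def vulnerable_handler(memory: bytes, received_len: int) -> bytes:
    # Ignores received_len and copies declared_len bytes from where the
    # payload starts, so the reply includes whatever follows the record.
    _hb_type, declared_len = struct.unpack("!BH", memory[:3])
    payload = memory[3:3 + declared_len]
    return struct.pack("!BH", 2, declared_len) + payload + b"\x00" * PADDING


def fixed_handler(memory: bytes, received_len: int) -> Optional[bytes]:
    # Bounds check: header + declared payload + padding must fit inside the
    # bytes actually received; otherwise drop the request silently.
    if received_len < 3 + PADDING:
        return None
    _hb_type, declared_len = struct.unpack("!BH", memory[:3])
    if 3 + declared_len + PADDING > received_len:
        return None
    payload = memory[3:3 + declared_len]
    return struct.pack("!BH", 2, declared_len) + payload + b"\x00" * PADDING


def demo():
    # Only 4 bytes of payload are sent, but the request claims 40.
    record = build_heartbeat(b"ping", declared_len=40)
    memory = record + SECRET          # what the server's buffer looks like
    leaked = vulnerable_handler(memory, len(record))
    safe = fixed_handler(memory, len(record))
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable reply leaks:", leaked[3 + 4 + PADDING:])
    print("fixed handler reply:", safe)
```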


What can you do?


The worst part is that there is no way to tell whether you have been exploited: there is no log, no error message, nothing.

Website administrators should check whether the OpenSSL in use is vulnerable: OpenSSL versions 1.0.1 through 1.0.1f are vulnerable.

Vulnerable Linux distributions include:

  • Red Hat Enterprise Linux 6.5 (OpenSSL 1.0.1e)
  • Debian Wheezy (before OpenSSL 1.0.1e-2+deb7u5)
  • Ubuntu 12.04 LTS, 13.04, 13.10

If it is, the most prudent thing to do now is to update OpenSSL to version 1.0.1g, then revoke the server certificate used to encrypt the traffic and obtain a new one. This is sometimes free, but most of the time it costs money if you want an official certificate instead of a self-signed one.


As a client of an affected web server, you can’t do much. Once the administrator has fixed the problem, you should change your password. Because this bug is already two years old, pretty much anything may have happened, so you may want to think harder about what you put online in the future.


Sorin Mustaca
IT Security Expert

from Avira – TechBlog http://bit.ly/1ebdovk

© Copyright Sorin Mustaca, All rights Reserved. Written For: Sorin Mustaca on Cybersecurity

See www.endpoint-cybersecurity.com for the consulting services we offer.

Visit www.itsecuritynews.info for the latest security news in English
Visit de.itsecuritynews.info for IT security news in German

About the Author

Sorin Mustaca
Sorin Mustaca, (ISC)2 CSSLP, CompTIA Security+ and Project+, has been working in the IT security industry for over 20 years and worked from 2003 to 2014 for Avira as Product Manager for its well-known products used by over 100 million users worldwide. Today he is CEO and owner of Endpoint Cybersecurity GmbH, focusing on cybersecurity, secure software development and security for IoT and automotive. He also runs his personal blog Sorin Mustaca on Cybersecurity and is the author of the free eBook Improve your security.