Apr 11

CVE-2014-0160 aka Heartbleed

During the last days a bug in OpenSSL was found, codename “Heartbleed”, but probably is better say “Carnage”.

First of all, how i know if i’m vulnerable? OpenSSL version  1.0.1 through 1.0.1f (inclusive) are vulnerable.

Generally, you’re affected if you run some server that you generated an SSL key for at some point. Most end-users are not (directly) affected; indeed if they use update browers this is true, instead also an end-user could be affected according to openssl security bullettin.

You are vulnerable if you run any kind of server that uses OpenSSL versions 1.0–1.0.1f. It’s an implementation bug, not a flaw in the protocol, so only programs that use the OpenSSL library are affected. If you have a program linked against the old 0.9.x version of OpenSSL, it isn’t affected. Only programs that use the OpenSSL library to implement the SSL protocol are affected; programs that use OpenSSL for other things are not affected.

If you ran a vulnerable server exposed to the Internet, consider it compromised unless your logs show no connection since the announcement on 2014-04-07. (This assumes that the vulnerability wasn’t exploited before its announcement.) If your server was only exposed internally, whether you need to change the keys will depend on what other security measures are in place.

Now if you don’t know what is OpenSSL, let me explain it and why this is a really big issue.

The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library.

You can easily understand the importance of this software, almost 66% (Netcraft analysis) of the world wide Web Server use this type of cryptography to preserve integrity and confidentiality between client and server.

So, what really make this vulnerability really dangerous?

The bug allows ANY CLIENT who can connect to your SSL server to retrieve about 64kB of memory from the server. The client doesn’t need to be authenticated in any way. By repeating the attack, the client can dump different parts of the memory in successive attempts.

One of the critical pieces of data that the attacker may be able to retrieve is the server’s SSL private key. With this data, the attacker can impersonate your server.



Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>