
The HeartBleed Bug


Two days ago a new OpenSSL Security Advisory was released, titled "TLS heartbeat read overrun (CVE-2014-0160)". OpenSSL 1.0.1 to 1.0.1f and 1.0.2beta1 are affected. Older versions such as 0.9.8 are not affected by this bug. This bug is also known as the Heartbleed bug.


What is Heartbleed Bug  

The Heartbleed bug lies in OpenSSL's implementation of the TLS/DTLS (Transport Layer Security / Datagram TLS) Heartbeat extension (RFC 6520). When exploited, it leaks memory contents from the server to the client and from the client to the server. That memory could contain your private key or anything else held in process memory, including passwords and other sensitive information.
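To make the read overrun concrete, here is an added example in C (not code from this post or from OpenSSL) of an RFC 6520 heartbeat parser that carries the bounds check the affected versions lacked: the payload length claimed by the peer is compared against the bytes actually received before anything is copied into the response. The function names and the constructed test records are mine; the message layout and the 16-byte minimum padding come from the RFC.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 6520 heartbeat: type(1) | payload_length(2, big-endian) | payload | padding(>=16) */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16
/* Return the payload length, or -1 if the claimed length does not fit in the
 * record actually received: the check missing in OpenSSL 1.0.1 to 1.0.1f
 * (CVE-2014-0160), without which the peer's length field sets the copy size. */
int parse_heartbeat(const uint8_t *rec, size_t rec_len, const uint8_t **payload)
{
    if (rec_len < 1 + 2 + HB_MIN_PADDING) return -1;
    if (rec[0] != HB_REQUEST && rec[0] != HB_RESPONSE) return -1;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + claimed + HB_MIN_PADDING > rec_len) return -1;
    *payload = rec + 3;
    return (int)claimed;
}

/* Build a HeartbeatResponse echoing only bytes the peer really sent.
 * Returns the response length, or -1 on rejection / too small output buffer. */
int heartbeat_response(const uint8_t *req, size_t req_len, uint8_t *out, size_t out_len)
{
    const uint8_t *payload;
    int plen = parse_heartbeat(req, req_len, &payload);
    if (plen < 0) return -1;
    size_t need = 1 + 2 + (size_t)plen + HB_MIN_PADDING;
    if (need > out_len) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(plen >> 8);
    out[2] = (uint8_t)plen;
    memcpy(out + 3, payload, (size_t)plen);
    memset(out + 3 + plen, 0, HB_MIN_PADDING); /* real TLS uses random padding */
    return (int)need;
}

int main(void)
{
    /* Constructed test records (23 bytes each): a valid 4-byte payload, and
     * one whose length field claims 0xFFFF bytes while carrying only 4. */
    uint8_t good[23] = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
    uint8_t bad[23]  = { HB_REQUEST, 0xFF, 0xFF, 'p', 'i', 'n', 'g' };
    uint8_t out[64];
    printf("valid request   -> response of %d bytes\n", heartbeat_response(good, sizeof good, out, sizeof out));
    printf("oversized claim -> %d (rejected)\n", heartbeat_response(bad, sizeof bad, out, sizeof out));
    return 0;
}
```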

The security community calls this a catastrophic bug because it is worse than having no SSL at all: an attacker can obtain your SSL keys without leaving any trace that an intrusion happened.

How-to Check for Heartbleed bug  

If you run a service, website, mail server or anything else that uses SSL, you should check it. For a website, the easiest way is the online checker by Filippo.io. You can also use the command line version, but you will need Go installed to build and run that tool.

For network detection, you can also use an IDS to spot Heartbleed attempts: Suricata, Bro IDS, or Snort (with an updated ruleset).

What To Do If My Server Affected By this Bug  

  • Update your server's OpenSSL package; most operating systems that shipped an affected OpenSSL version have already released an update. It is of course a good idea to update all packages installed on your server, but make sure the update won't break your application.
  • After updating, replace your SSL certificate. Reissuing a certificate may be free or may involve a fee, so check with your SSL provider. Remember to generate a new private key as well, not just a new certificate.
  • If the application holds passwords, change them and assume they have already been breached.

References:

  • heartbleed.com
  • Heartbleed bug undoes web encryption reveals user passwords (CNET)
  • The Heartbleed on Reddit
  • CVE-2014-0160 on cve.mitre.org
  • Diagnosis of the OpenSSL Heartbleed Bug
  • Here’s everything you need to know about the Heartbleed web security flaw
  • Why Heartbleed is the most dangerous security flaw on the web
  • Bruce Schneier on Heartbleed
Copyright © 2012 - 2025 howtodojo.com.