The HeartBleed Bug
Categories:
What is Heartbleed Bug
Two days ago new OpenSSL Security Advisory was released title TLS heartbeat read overrun (CVE-2014-0160) OpenSSL 1.0.1 to 1.0.1f and 1.0.2beta1 are affected. Old version like 0.98 is not affected by this bug. This bug is also known as Heartbleed bug.
Heartbleed bug occur on OpenSSL implementation of the TLS/DTLS (Transport Layer Security Protocol) Heatbeat extension (RFC6520), when exploited it leads to leak of the memory contents from the server to the client and from client to server. The content of this memory could be your private key or any content on your memory including password or another sensitive information.
Security community says this is catastrophic bug because it is worse than not having SSL at all. People can get your SSL keys without a trace of intrusion was happened.
How-to Check for Heartbleed bug
If you have service, website, mail server etc that use SSL you should check. For website, the easiest way is using Online checker by Filippo.io. You can also use the command line version but you’ll need go to use this command line tool.
For IDS you can also use Suricata to check Heartbleed, Bro IDS, Snort (and updated ruleset)
What To Do If My Server Affected By this Bug
- Update your server OpenSSL package, most operating system shipped with affected OpenSSL version already releae an update. Of course it is a good idea to update all package installed on your server but make sure the update won’t break your application
- After doing update you should change your SSL Certificate. Reissue SSL certificate might be free or involve some fee, please check your SSL providers. Remember to also change your private key and not only your certificate
- If you have password on the application, change it, assume that it already been breached
References :
- heartbleed.com
- Heartbleed bug undoes web encryption reveals user passwords (CNET)
- The Heartbleed on Reddit
- CVE-2014-0160 on cve.mitre.org
- Diagnosis of the OpenSSL Heartbleed Bug
- Here’s everything you need to know about the Heartbleed web security flaw
- Why Heartbleed is the most dangerous security flaw on the web
- Bruce Schneier on Heartbleed