Published on April 10th, 2014
Heartbleed Bug SSL Vulnerability – Everything You Need To Know
The Heartbleed bug (CVE-2014-0160) in OpenSSL was independently discovered by a team of security engineers (Riku, Antti and Matti) at Codenomicon, while improving the SafeGuard feature in Codenomicon's Defensics security testing tools, and by Neel Mehta of Google Security, who first reported it to the OpenSSL team.
Beyond web servers, OpenSSL protects email servers (SMTP, POP and IMAP), chat servers (XMPP), SSL VPNs, network appliances and a wide variety of client-side software. Many large consumer sites were spared only by their conservative choice of SSL/TLS termination equipment and software. OpenSSL is also very common in client software and fairly common in networked appliances, which are the slowest to receive updates.
Security researcher Robert Graham scanned the Internet and found more than 600,000 servers vulnerable to the Heartbleed flaw, including Yahoo.com, imgur.com, flickr.com and hidemyass.com.
Yahoo, which has more than 800 million users worldwide, was among the sites exposed by the bug.
It is not a problem with the TLS/SSL protocols themselves, nor with OpenSSL's design. It is a plain coding mistake: a missing bounds check in OpenSSL's implementation of the TLS Heartbeat extension (RFC 6520), affecting OpenSSL 1.0.1 through 1.0.1f.
The Heartbeat extension lets the two ends of a TLS connection confirm that the other is still alive. The client (user) sends a heartbeat request carrying an arbitrary payload and a two-byte field stating the payload's length; the server (website) echoes the payload straight back. If either side goes away mid-connection, the other notices because its heartbeat goes unanswered.
The bug is that the server trusts the length field. An attacker sends a request with a tiny payload but a length field claiming up to 64 kilobytes (the field's maximum), and an unpatched server copies that many bytes starting from where the request landed in memory, so the reply contains whatever else sat in the process's heap: message contents, user credentials, session keys, even the server's private key. Each request returns a different slice of up to 64 KB, so by sending heartbeat requests repeatedly an attacker can harvest far more.
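The exchange above, modelled in Python as an added example (this is not OpenSSL's code, though it keeps the shape of the real handler: the record is type, two-byte payload length, payload, padding, and the response echoes payload-length bytes starting at the payload). The `memory` bytearray stands in for the server's heap and the secret placed after the record is constructed for the demonstration; the fixed handler adds exactly the check the 1.0.1g patch introduced. Python slicing stops at the end of the fake heap, whereas the C memcpy kept reading into whatever followed.

```python
"""Model of OpenSSL's TLS heartbeat handling before and after the Heartbleed fix.

Added example, not OpenSSL's code. Layout of a heartbeat record:
[type:1][payload_length:2, big-endian][payload][padding >= 16 bytes].
"""
import os

TLS1_HB_REQUEST = 1
TLS1_HB_RESPONSE = 2
PADDING_LEN = 16  # RFC 6520 requires at least 16 bytes of random padding


def build_heartbeat_request(payload, claimed_len=None):
    """Build a heartbeat request. An attacker lies by passing claimed_len > len(payload)."""
    if claimed_len is None:
        claimed_len = len(payload)
    return (bytes([TLS1_HB_REQUEST]) + claimed_len.to_bytes(2, "big")
            + payload + os.urandom(PADDING_LEN))


def _parse_header(memory, rec_off):
    """Read the one-byte type and two-byte payload length (OpenSSL's n2s)."""
    hbtype = memory[rec_off]
    payload_len = int.from_bytes(memory[rec_off + 1:rec_off + 3], "big")
    return hbtype, payload_len, rec_off + 3  # third value: offset of the payload


def process_heartbeat_vulnerable(memory, rec_off, rec_len):
    """OpenSSL 1.0.1 to 1.0.1f: copies payload_len bytes from the payload offset
    without checking that the received record actually carried that many.
    Returns the echoed payload bytes (response header and padding omitted)."""
    hbtype, payload_len, pl = _parse_header(memory, rec_off)
    if hbtype != TLS1_HB_REQUEST:
        return None
    # memcpy(bp, pl, payload): rec_len is never consulted
    return bytes(memory[pl:pl + payload_len])


def process_heartbeat_fixed(memory, rec_off, rec_len):
    """OpenSSL 1.0.1g: silently discard the request if the claimed payload plus
    the 3-byte header and minimum padding does not fit in the record that arrived."""
    if 1 + 2 + PADDING_LEN > rec_len:           # too short even for header + padding
        return None
    hbtype, payload_len, pl = _parse_header(memory, rec_off)
    if hbtype != TLS1_HB_REQUEST:
        return None
    if 1 + 2 + payload_len + PADDING_LEN > rec_len:
        return None                              # the bounds check that was missing
    return bytes(memory[pl:pl + payload_len])


SECRET = b"-----BEGIN RSA PRIVATE KEY-----"  # constructed stand-in for heap contents


def simulate(handler, claimed_len, actual_payload=b"hello"):
    """Place one heartbeat record in a fake 4 KB heap with SECRET 32 bytes past it,
    then return what the handler would echo back, or None if it discards the request."""
    memory = bytearray(4096)
    request = build_heartbeat_request(actual_payload, claimed_len)
    rec_off = 256
    memory[rec_off:rec_off + len(request)] = request
    secret_off = rec_off + len(request) + 32
    memory[secret_off:secret_off + len(SECRET)] = SECRET
    return handler(memory, rec_off, len(request))


if __name__ == "__main__":
    print("honest request, unpatched server:", simulate(process_heartbeat_vulnerable, 5))
    leaked = simulate(process_heartbeat_vulnerable, 1024)
    print("lying request, unpatched server: %d bytes, secret leaked: %s"
          % (len(leaked), SECRET in leaked))
    print("lying request, patched server:", simulate(process_heartbeat_fixed, 1024))
```

Run it and the unpatched handler answers the honest request with `b"hello"` and the lying request with 1024 bytes that include the private-key marker, while the patched handler echoes the honest request and drops the lying one.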
This means anything in the process's memory is exposed: SSL private keys, session cookies and the usernames and passwords behind them, instant messages, emails, business-critical documents and communications, and more. At this point you have to assume it has all been compromised.
About two-thirds of web servers rely on OpenSSL, which means the information passing through hundreds of thousands of websites could be vulnerable.
So far, security experts have found no direct evidence that anyone used the bug to steal information, but since a heartbeat request leaves no trace in ordinary server logs, absence of evidence means little. The vulnerability is fixed in OpenSSL 1.0.1g.
What Should I Do?
You need to check whether any of the servers you manage or run are using a vulnerable version of OpenSSL. Only the 1.0.1 branch (and the 1.0.2 betas) is affected, because that is where the Heartbeat extension was added; in my experience, if you are still on Ubuntu 10.04 LTS you are safe, as it ships OpenSSL 0.9.8, which has no heartbeat functionality.
If you are using Ubuntu 12.04 LTS (any point release) then you ARE vulnerable and need to update ASAP.
If you want to scan your servers, you can grab the scanning script here:
There are also a couple of online scanners you can use (just beware of false positives, and don't treat a clean result from one scanner as proof: a scanner that fails to complete the handshake may report the host as safe).
On the server side, you can check your OpenSSL version with:
openssl version -a
On Debian and Ubuntu the fix is backported, so the version string and its date still read 1.0.1 / 14 Mar 2012 after patching. Don't go by those; look at the build date, which should be on or after April 7th, 2014 (the day 1.0.1g was released). Checking the package version is more reliable still: on Ubuntu 12.04, dpkg -l libssl1.0.0 should show 1.0.1-4ubuntu5.12 or later.
Something like this would be a vulnerable version:
OpenSSL 1.0.1 14 Mar 2012
built on: Wed Jan 8 20:45:51 UTC 2014
After updating it should look like:
OpenSSL 1.0.1 14 Mar 2012
built on: Mon Apr 7 20:33:29 UTC 2014
How Do I Fix It?
For the majority of people, someone else hosts your sites and infrastructure, so there is less for you to do: once your providers confirm they have patched, change your passwords (changing them before the patch only exposes the new ones), and enable 2-factor auth for anything that supports it.
On Ubuntu 12.04 it's as simple as running:
aptitude update; aptitude safe-upgrade -y
and then restarting every service that uses OpenSSL, or simply rebooting, because a running process keeps the old library mapped until it restarts.
Ensure the build date is 2014-04-07 or later.
Upgrading replaces the library files on disk, but running processes keep the old (now deleted) copy mapped. To see which services still need a restart, run:
lsof -n | grep ssl | grep DEL
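The two checks above (the build date from openssl version -a, and the lsof listing of processes still mapping a deleted OpenSSL library) made explicit as an added Python example; this is not from the original post. It parses constructed sample outputs that follow the layout shown above, and only the COMMAND, PID, FD and NAME columns of the lsof line are relied on. It also flags libcrypto, the other half of OpenSSL, since a process holding a deleted copy of either has not picked up the fix. Newer OpenSSL builds may print a build date that cannot be parsed (or none at all), in which case the check reports unknown rather than guessing.

```python
"""Post-patch Heartbleed checks: build date of the installed OpenSSL and processes
that still map a deleted libssl/libcrypto. Added example; sample outputs are constructed.
"""
import re
import subprocess
from datetime import date

HEARTBLEED_FIX_DATE = date(2014, 4, 7)  # OpenSSL 1.0.1g release date
_MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}
# "built on: Mon Apr  7 20:33:29 UTC 2014" -> month, day, year (weekday/time/zone skipped)
_BUILT_ON = re.compile(
    r"^built on:\s*\w{3}\s+(\w{3})\s+(\d{1,2})\s+[\d:]+\s+\S+\s+(\d{4})", re.M)


def build_date(version_output):
    """Return the 'built on' date from `openssl version -a`, or None if absent/unparseable."""
    m = _BUILT_ON.search(version_output)
    if not m or m.group(1) not in _MONTHS:
        return None
    return date(int(m.group(3)), _MONTHS[m.group(1)], int(m.group(2)))


def build_date_ok(version_output):
    """True if built on or after the fix date, False if before, None if unknown."""
    d = build_date(version_output)
    return None if d is None else d >= HEARTBLEED_FIX_DATE


def stale_openssl_processes(lsof_output):
    """Sorted (command, pid) pairs whose mapped libssl/libcrypto was deleted by the
    upgrade. lsof marks such mappings with DEL in the FD column; these processes
    keep running the old code until restarted."""
    stale = set()
    for line in lsof_output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[3] != "DEL":
            continue
        name = parts[-1].rsplit("/", 1)[-1]
        if name.startswith(("libssl", "libcrypto")):
            stale.add((parts[0], int(parts[1])))
    return sorted(stale)


# Constructed sample outputs matching the layout shown in the post.
VERSION_BEFORE = ("OpenSSL 1.0.1 14 Mar 2012\n"
                  "built on: Wed Jan  8 20:45:51 UTC 2014\nplatform: debian-amd64\n")
VERSION_AFTER = ("OpenSSL 1.0.1 14 Mar 2012\n"
                 "built on: Mon Apr  7 20:33:29 UTC 2014\nplatform: debian-amd64\n")
LSOF_SAMPLE = """\
COMMAND   PID   USER     FD   TYPE DEVICE SIZE/OFF    NODE NAME
nginx    2101   www-data DEL  REG  8,1             395360 /lib/x86_64-linux-gnu/libssl.so.1.0.0
nginx    2102   www-data DEL  REG  8,1             395360 /lib/x86_64-linux-gnu/libssl.so.1.0.0
nginx    2102   www-data DEL  REG  8,1            1930568 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
sshd     1377   root     DEL  REG  8,1            1930568 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
bash     3001   root     txt  REG  8,1             920788 /bin/bash
"""

if __name__ == "__main__":
    # Against the samples: False, True, [('nginx', 2101), ('nginx', 2102), ('sshd', 1377)]
    print("sample before patch ok:", build_date_ok(VERSION_BEFORE))
    print("sample after patch ok:", build_date_ok(VERSION_AFTER))
    print("sample processes to restart:", stale_openssl_processes(LSOF_SAMPLE))
    try:  # live check on this host, if the tools are present
        ver = subprocess.run(["openssl", "version", "-a"], capture_output=True, text=True).stdout
        lsof = subprocess.run(["lsof", "-n"], capture_output=True, text=True).stdout
        print("this host build date ok:", build_date_ok(ver))
        print("this host processes to restart:", stale_openssl_processes(lsof))
    except FileNotFoundError as e:
        print("skipping live check:", e)
```

Anything returned by stale_openssl_processes needs a restart (or reboot) before the host can be considered patched, even though the build date already looks right.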
That fixes the bug, but it doesn't change the fact that your secret keys and passwords could already have been leaked; there have also been reports of 2FA session tokens being leaked, among other things.
So to be secure you really need to generate a new private key and CSR, have your SSL certificates reissued on the new key, install them, and then revoke the old certificates.
And of course, change all your passwords.