Security Simplified ! - A Kaapagam Technologies IT Security Blog

HeartBleed : An OpenSSL vulnerability

9. April 2014 13:33 by CA in Vulnerability

A vulnerability in OpenSSL has been reported, and it may affect your organization. The "Heartbleed" SSL vulnerability affects widely deployed versions of the OpenSSL library, which is used in the majority of software, including web, email, database and chat servers.

How does it work?

This vulnerability allows an attacker to read a portion of memory from the remote system without needing any credentials or other form of authentication. The leaked memory may contain many different kinds of content, ranging from leftover data from previous communications and log messages up to the private key material used by the service or daemon. For this reason, many different attack scenarios can result from this vulnerability. An attacker who obtains the private key of the server certificate can subsequently mount man-in-the-middle attacks against clients and impersonate the server or service. Log messages may also contain credentials, or expose the communications of other clients.
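Added example, not part of the original post: the defect behind the memory leak is a missing length check in OpenSSL's handling of TLS heartbeat messages (RFC 6520). The validator below is written for this page rather than taken from OpenSSL; it applies the check the fix introduced to two constructed records, a well-formed one and one whose declared payload length exceeds what was actually received.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HB_REQUEST    1
#define HB_RESPONSE   2
#define HB_MIN_PADDING 16

/* Result of validating one heartbeat record. RFC 6520 layout:
 * type(1) | payload_length(2, big-endian) | payload | padding(>=16). */
typedef struct {
    int valid;          /* 1 if the record may be answered, 0 if it must be dropped */
    uint16_t declared;  /* payload_length the peer claimed */
    size_t available;   /* bytes actually present after the 3-byte header */
} hb_check;

/* The Heartbleed defect: the response was built by copying `declared`
 * bytes out of the request buffer, trusting the peer-supplied length and
 * never comparing it with the size of the record actually received, so
 * up to 64 KiB of adjacent process memory was echoed back. This function
 * performs the check the fix added: the record must hold the header, the
 * full declared payload and at least 16 bytes of padding, or it is dropped. */
hb_check check_heartbeat(const uint8_t *rec, size_t rec_len) {
    hb_check r = {0, 0, 0};
    if (rec == NULL || rec_len < 1 + 2 + HB_MIN_PADDING)
        return r;                       /* cannot even carry an empty payload */
    if (rec[0] != HB_REQUEST && rec[0] != HB_RESPONSE)
        return r;                       /* unknown heartbeat message type */
    r.declared = (uint16_t)((rec[1] << 8) | rec[2]);
    r.available = rec_len - 3;
    /* The fix: 1 + 2 + payload_length + 16 must not exceed the record length. */
    if ((size_t)1 + 2 + r.declared + HB_MIN_PADDING > rec_len)
        return r;
    r.valid = 1;
    return r;
}

/* Constructed sample records (not captured traffic): both carry a 3-byte
 * payload "abc" plus 16 bytes of padding, but the second claims 65535 bytes. */
static const uint8_t SAMPLE_BENIGN[22]    = {1, 0x00, 0x03, 'a', 'b', 'c'};
static const uint8_t SAMPLE_OVERSIZED[22] = {1, 0xFF, 0xFF, 'a', 'b', 'c'};

int main(void) {
    hb_check g = check_heartbeat(SAMPLE_BENIGN, sizeof SAMPLE_BENIGN);
    hb_check b = check_heartbeat(SAMPLE_OVERSIZED, sizeof SAMPLE_OVERSIZED);
    printf("benign:    declared=%u available=%zu valid=%d\n", g.declared, g.available, g.valid);
    printf("oversized: declared=%u available=%zu valid=%d\n", b.declared, b.available, b.valid);
    return 0;
}
```

A record that fails the check is exactly what a patched server discards, and what an IDS signature for the heartbeat length mismatch looks for on the wire.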