9. April 2014 13:33 by CA
A vulnerability affecting OpenSSL has been reported and it may affect your organization. The "Heartbleed" vulnerability (CVE-2014-0160) affects widely deployed versions of the OpenSSL TLS library, which is used by a great deal of software, including web, email, database and chat servers.
How does it work?
The bug sits in OpenSSL's implementation of the TLS heartbeat extension. A peer sends a heartbeat request carrying a payload and a 16-bit field stating the payload's length; the vulnerable code echoes back as many bytes as that field claims, without checking that the record it actually received is that long. A request that claims a large payload but sends only a few bytes therefore gets back up to 64 KB of whatever happens to sit in the process's memory beyond the record, and the request can be repeated as often as the attacker likes. No credentials or other form of authentication are needed; all the attacker has to do is complete a TLS handshake. The leaked memory can contain anything the process recently handled: leftover data from other clients' connections, log messages, session cookies and passwords, and in the worst case the private key of the service's certificate. For this reason, there are many possible attack scenarios. An attacker who obtains the private key of the server certificate can impersonate the server and mount man-in-the-middle attacks against its clients, and can decrypt recorded traffic from sessions that did not use forward secrecy. Leaked log messages and connection buffers can expose credentials and the plaintext of other clients' communications.
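To make the mechanism concrete, here is an added example in plain C (it is not code from this post or from OpenSSL). It simulates the heartbeat handler in two versions: one that trusts the length field the way OpenSSL 1.0.1 through 1.0.1f did, and one with the bounds check that 1.0.1g introduced. The peer memory buffer, the "secret" string placed behind the received record, and the function names are all constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message type and minimum padding length, per RFC 6520. */
#define HB_REQUEST 1
#define HB_PADDING 16

/* Simulated peer memory (constructed for this example): the heartbeat record
 * is received at the front and, as on a real heap, stale data from earlier
 * work sits right behind it. */
#define MEM_SIZE 256
static unsigned char peer_mem[MEM_SIZE];
static const char secret[] = "session=abcd1234; user=alice";   /* constructed */

typedef size_t (*hb_handler)(size_t record_len, unsigned char *out, size_t out_cap);

/* Write a heartbeat request into peer memory. claimed_len is what the client
 * puts in the 16-bit length field; the payload string is what it really sent.
 * Returns the length of the record that actually arrived. */
size_t load_request(uint16_t claimed_len, const char *payload)
{
    size_t real_len = strlen(payload);
    memset(peer_mem, 0, sizeof peer_mem);
    peer_mem[0] = HB_REQUEST;
    peer_mem[1] = (unsigned char)(claimed_len >> 8);
    peer_mem[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(peer_mem + 3, payload, real_len);
    size_t record_len = 1 + 2 + real_len + HB_PADDING;      /* type, length, payload, padding */
    memcpy(peer_mem + record_len, secret, sizeof secret - 1); /* stale heap contents behind it */
    return record_len;
}

/* Vulnerable handler (1.0.1 through 1.0.1f behaviour): trusts the length
 * field and copies that many bytes into the response, never comparing it
 * with the size of the record that was received. */
size_t process_vulnerable(size_t record_len, unsigned char *out, size_t out_cap)
{
    (void)record_len;                                        /* the bug: never consulted */
    uint16_t payload_len = (uint16_t)((peer_mem[1] << 8) | peer_mem[2]);
    if (3 + (size_t)payload_len > sizeof peer_mem || payload_len > out_cap)
        return 0;                                            /* keeps the demo itself in bounds */
    memcpy(out, peer_mem + 3, payload_len);                  /* over-reads past the record */
    return payload_len;
}

/* Hardened handler: the check added in 1.0.1g. A request whose claimed
 * payload does not fit inside the received record is silently discarded. */
size_t process_fixed(size_t record_len, unsigned char *out, size_t out_cap)
{
    if (record_len < 1 + 2 + HB_PADDING) return 0;           /* too short to be a heartbeat */
    uint16_t payload_len = (uint16_t)((peer_mem[1] << 8) | peer_mem[2]);
    if (1 + 2 + (size_t)payload_len + HB_PADDING > record_len) return 0;
    if (payload_len > out_cap) return 0;
    memcpy(out, peer_mem + 3, payload_len);
    return payload_len;
}

/* Run one request through a handler; returns the response payload length. */
size_t response_len(hb_handler h, uint16_t claimed_len, const char *payload)
{
    unsigned char out[MEM_SIZE];
    return h(load_request(claimed_len, payload), out, sizeof out);
}

/* Returns 1 if the constructed secret appears anywhere in the response. */
int secret_leaks(hb_handler h, uint16_t claimed_len, const char *payload)
{
    unsigned char out[MEM_SIZE];
    size_t n = h(load_request(claimed_len, payload), out, sizeof out);
    size_t slen = sizeof secret - 1;
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(out + i, secret, slen) == 0) return 1;
    return 0;
}

int main(void)
{
    printf("honest 4-byte request, vulnerable code: %zu bytes back, leak=%d\n",
           response_len(process_vulnerable, 4, "ping"), secret_leaks(process_vulnerable, 4, "ping"));
    printf("claims 200 bytes, sends 4, vulnerable code: %zu bytes back, leak=%d\n",
           response_len(process_vulnerable, 200, "ping"), secret_leaks(process_vulnerable, 200, "ping"));
    printf("claims 200 bytes, sends 4, fixed code: %zu bytes back, leak=%d\n",
           response_len(process_fixed, 200, "ping"), secret_leaks(process_fixed, 200, "ping"));
    return 0;
}
```

The honest request behaves identically under both handlers, which is why the bug went unnoticed: nothing breaks in normal use. Only a request whose length field lies is treated differently, and the fixed code's answer to it is no response at all rather than an error, so a patched server is recognised by silence.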
Who is affected?
Only the 1.0.1 and 1.0.2-beta releases of OpenSSL are affected (1.0.1 through 1.0.1f, and 1.0.2-beta1); the 0.9.8 and 1.0.0 branches are not. However, our initial scans of public-facing services indicate that hundreds of thousands of servers running affected library versions are connected to the internet. As this problem also affects other protocols and services, such as mail servers and databases, we assume that overall we're looking at millions of vulnerable systems connected to the public Internet.
How do you protect yourself?
We strongly recommend you update any affected systems immediately. You can download the fixed release (1.0.1g or later) here: https://www.openssl.org/source/.
In addition, to mitigate attacks resulting from any potentially leaked keying material, the private keys of affected systems should be replaced, the certificates reissued and the old ones revoked. Depending on the service/protocol, you may need to take additional measures to protect data that may potentially have been leaked, for example resetting passwords and invalidating sessions that were active while the system was exposed.
First, determine whether your devices and servers use OpenSSL and, if so, which version. If you build OpenSSL from source, fetch the fixed source from openssl.org and recompile. Most Linux distributions ship OpenSSL as a precompiled package and have published patched packages; many of these backport the fix while keeping the old version number, so the output of openssl version alone does not tell you whether a package is patched. Check the package changelog or your vendor's advisory instead. Either way, restart every service that loaded the old library, since a running process keeps the vulnerable code in memory until it is restarted. Any private keys in use while the vulnerable code was running should be treated as compromised (yes, it's that serious), and new keys generated as soon as possible.
BTW, OpenSSL is not just used for the web. SSL VPNs, secure email (SMTPS, IMAPS, POP3S) and any other service that terminates TLS or DTLS with an affected OpenSSL are also impacted, so you will need to check with your vendors. You may not even know a device contains OpenSSL unless the vendor discloses it. Clients are exposed as well: a malicious server can read memory from a vulnerable client that connects to it. SSH is the exception: OpenSSH links OpenSSL only for its cryptographic primitives and does not speak TLS, so it is not reachable through this bug.
How to test your server?
Go to http://filippo.io/Heartbleed/ (thanks to TJ). The check sends a malformed heartbeat request to the host and port you give it and reports whether leaked memory comes back. It only tests the one TLS endpoint you point it at, so run it against each exposed service (mail, VPN and so on), not just port 443.