Scroll Top

OpenSSL heartbleed vulnerability update

April 12, 2014

For those of you using OpenSSL 1.0.1 (most recent Unix systems), it is critical that you patch the openssl library, as well as binaries compiled statically with openssl, as soon as possible.

The Heartbleed attack will allow a remote attacker to read up to 64kBytes of system memory from your system per attack attempt. The attack works against servers as well as against clients. While not all software using SSL necessarily uses the OpenSSL library, many do.

A proof of concept exploit has been made available and I have tested it. It can be used to remotely scan for vulnerable systems. [1] We have not yet detected wide spread use of the exploit, but it is literally hours old. At this point, we don’t think the vulnerability was known in the underground before the official release, but it is possible.

 

What should you do first:

Check if you are vulnerable. “openssl version -a” will return the version information. If your version is 1.0.1, you MAY be vulnerable. Only version 1.0.1g is NOT vulnerable. Other major versions (0.9x, 1.0.0 …) are not vulnerable.

Rule of thumb: If you are using OpenSSL, and if you are supporting TLS 1.2 (check ssllabs.com) , then you are vulnerable unless patched.

 

If I am vulnerable, what should I do:

Patch!

Ubuntu, CentOS and others have patches available. OS X Mavericks has NO PATCH available. Windows is likely not vulnerable, but if you are running open source software like Apache that uses OpenSSL, then you may be vulnerable.

You may want to consider replacing SSL certificates if you are afraid that the exploit was already used against your site. But the exploit is not limited to secret SSL key. All data in memory is potentially at risk.

 

Can I test remotely?

The PoC exploit above can be used to scan your network remotely.

 

How Can I Tell if Someone is Using the Exploit Against Me

We don’t have IDS signatures (yet… wait for updates here). There is no log entry in your web server log as the exploit happens after the SSL session is established, and before the HTTP request is sent.

nginx, after being patched, logs the following from the PoC exploit:

2014/04/08 12:37:18 [info] 4151#0: *724561 peer closed connection in SSL handshake while SSL handshaking, client: 70.91.145.11, server: 0.0.0.0:8443

More information:

Source: Sans Institute

Join Our Online Security and Hosting Newsletter Today

and stay updated with the latest news, updates, releases & much more.
Subscribe
SUBSCRIBE NOW
We respect your privacy.

Related Posts

OpenSSL announce versions 1.0.2d and 1.0.1p

The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.0.2d and 1.0.1p. These releases will be made available on 9th July. They will fix a single security defect classified as “high” severity. This defect does not affect the 1.0.0 or 0.9.8 releases. Join Our…

08 Jul 2015
SSL v3 Security Vulnerability Update

Google has released more pertinent information regarding the SSL v3 vulnerability as a pdf document linked to below: https://www.openssl.org/~bodo/ssl-poodle.pdf Please pay close attention to the recommendations and implement as necessary. Join Our Online Security and Hosting Newsletter Today and stay updated with the latest news, updates, releases & much more….

15 Oct 2014
SSL v3 Rumoured Vulnerability

According to The Register, a serious vulnerability in SSL v3 will be disclosed tomorrow on October 15th. Some people are recommending disabling SSL v3 in various daemons until further notice. We will update our blog once the vulnerability is released tomorrow. We urge everyone to stay alert and be…

14 Oct 2014
OpenSSL Vulnerability

Urgent Action Required There is a vulnerability present within OpenSSL that can allow sensitive information that is stored in the server memory to be disclosed to an attacker. A public proof of concept has already been released and in our testing we were able to see credentials, session and…

09 Apr 2014

Join Our Online Security and Hosting Newsletter Today

and stay updated with the latest news, updates, releases & much more.
Subscribe
SUBSCRIBE NOW
We respect your privacy.
close-link
Our website uses cookies from third party services to improve your browsing experience. Read more about this and how you can control cookies by clicking "Privacy Preferences".
Privacy Preferences
When you visit our website, it may store information through your browser from specific services, usually in form of cookies. Here you can change your privacy preferences. Please note that blocking some types of cookies may impact your experience on our website and the services we offer.
Privacy Policy
You have read and agreed to our privacy policy
Required
Privacy Policy Cookies Policy