HEADS UP! OpenSSL has a serious security flaw

NEW DELHI: Web administrators and computer security researchers on Tuesday scrambled to fix a serious vulnerability in OpenSSL encryption used by thousands of web servers, including those run by email and web chat providers. The bug, dubbed Heartbleed, "allows anyone on the internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software".

In other words, hackers or cyber criminals can use the Heartbleed bug to steal private encryption keys from a server that is using OpenSSL's implementation of SSL/TLS encryption and then snoop on the user data, including passwords. There are reports that servers of Yahoo, Imgur and Flickr have been affected. However, this is a roughly two-year-old bug and hence no one knows for sure how many people have exploited it or how many servers have been compromised.

The bug is so serious and widespread that Tor Project, which manages the anonymous Tor network, has advised web users to go offline for a while. "If you need strong anonymity or privacy on the internet, you might want to stay away from the internet entirely for the next few days while things settle," it said in a blog post.

OpenSSL Project has created a website called www.heartbleed.com to inform web users and web masters about the bug. "The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users," explained a note posted on the website.

In a separate note OpenSSL Project said that the bug was discovered by Neel Mehta, a security researcher working with Google. It also said the "affected users should upgrade to OpenSSL 1.0.1g". The key bit to note here is that by users OpenSSL doesn't mean the web users but web server administrators who use OpenSSL protocols.

The reason why the Heartbleed bug has caused panic among server administrators and security researchers is because of how it affects servers. "This bug has left large amount of private keys and other secrets exposed to the internet. Considering the long exposure, ease of exploitation and attacks leaving no trace this exposure should be taken seriously," explained the Heartbleed website. "Leaked (private) secret keys allow the attacker to decrypt any past and future traffic to the protected services and to impersonate the service at will."

In an answer to a question — Am I affected by the bug? — the OpenSSL website notes, "you are likely to be affected either directly or indirectly".

"OpenSSL is the most popular open source cryptographic library and TLS implementation used to encrypt traffic on the Internet. Your popular social site, your company's site, commerce site, hobby site, site you install software from or even sites run by your government might be using vulnerable OpenSSL. Many of online services use TLS to both to identify themselves to you and to protect your privacy and transactions. You might have networked appliances with logins secured by this buggy implementation of the TLS," noted the website.

Geeks, making the world a better place
Quote · 8 Apr 2014

What versions of the OpenSSL are affected?

Status of different versions:

  • OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
  • OpenSSL 1.0.1g is NOT vulnerable
  • OpenSSL 1.0.0 branch is NOT vulnerable
  • OpenSSL 0.9.8 branch is NOT vulnerable


Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.

Quote · 8 Apr 2014

the bug was revealed before patches were released

DedicatedServer4You.com -- BIGGEST Range of Dedicated Servers at the Lowest Price!
Quote · 8 Apr 2014

More info at the heartbleed link in the post.


OpenSSL Security Advisory [07 Apr 2014]
========================================

TLS heartbeat read overrun (CVE-2014-0160)
==========================================

A missing bounds check in the handling of the TLS heartbeat extension can be
used to reveal up to 64k of memory to a connected client or server.

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including
1.0.1f and 1.0.2-beta1.

Thanks for Neel Mehta of Google Security for discovering this bug and to
Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
preparing the fix.

Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately
upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

1.0.2 will be fixed in 1.0.2-beta2.

Geeks, making the world a better place
Quote · 8 Apr 2014

I just set up a new server and was unaware of this:

version check on my server: OpenSSL 1.0.1e-fips 11 Feb 2013

Geeks, making the world a better place
Quote · 8 Apr 2014

If you are running a CentOS server, CentOS has issued a patch to disable the heartbeat.  All that is needed is to run yum update to pick up the patch.  The patch is in the updates repo so make sure you have the repo enabled or use yum --enablerepo=updates update

If you are running another venerable OS check your server OS forum as I am sure it has been addressed.

Geeks, making the world a better place
Quote · 8 Apr 2014

http://www.ubuntu.com/usn/usn-2165-1/

Already updated on all servers.

so much to do....
Quote · 8 Apr 2014

If you're running CentOS the latest version they provide has been fixed. Redhat has already fixed this. And the current version provided by Redhat and CentOS have already been fixed.

http://lists.centos.org/pipermail/centos-announce/2014-April/020249.html

https://www.deanbassett.com
Quote · 8 Apr 2014


If you're running CentOS the latest version they provide has been fixed. Redhat has already fixed this. And the current version provided by Redhat and CentOS have already been fixed.

http://lists.centos.org/pipermail/centos-announce/2014-April/020249.html

I just set up a server in the last week or so, at that time the patch had not been applied. I just now ran the update to pick up the patches. Don't assume that your server is safe. Note that CentOS/Redhat are recompiling to disable heartbeat; it is still the current 1.0.1e version that CentOS supplies with the heartbeat disabled.

Check the versions on your server to be sure or run yum update openssl with the updates repo enabled.

Geeks, making the world a better place
Quote · 8 Apr 2014

Not on my sites hehe....

Check my GeoDistance, Watermark, TorBlock and Android Push Notifications mods | http://goo.gl/H3Vp81
Quote · 9 Apr 2014

thx for the info!

Quote · 9 Apr 2014

By the way, once the patch is applied, you will need to restart the services that are using OpenSSL in order for the patch to be applied.  One host recommended rebooting the server but restarting services should be all that is needed.

Geeks, making the world a better place
Quote · 13 Apr 2014


By the way, once the patch is applied, you will need to restart the services that are using OpenSSL in order for the patch to be applied.  One host recommended rebooting the server but restarting services should be all that is needed.

If you don't know which services should be restarted (or how to restart them all), rebooting is the next best thing. You'll be down for a few minutes, so I wouldn't do it during normal busy hours.

BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin
Quote · 13 Apr 2014
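The posts above make three points that are easy to get wrong on a live host: the version string alone (e.g. the "OpenSSL 1.0.1e-fips" quoted earlier) tells you whether the upstream release is in the affected range, a CentOS/Redhat box can still report 1.0.1e after the backported fix, and the fixed library only takes effect once the services using it are restarted. The script below is an added example, not code from any post in this thread or from the OpenSSL or CentOS projects. It classifies an `openssl version` line against the ranges in the OpenSSL advisory quoted above, then reconciles that with the package changelog. The assumption that the CentOS/Redhat changelog entry mentions CVE-2014-0160 is mine; the sample version line and changelog text are constructed, and the `rpm -q --changelog openssl` call for a real host is shown only in a comment (Debian-based systems have their own changelog, which this example does not cover).

```shell
#!/bin/sh
# Added example (not from the thread): classify an `openssl version` string
# against the ranges in the OpenSSL advisory quoted above, and reconcile it with
# the distro package changelog, because CentOS/Redhat kept the 1.0.1e version
# string and recompiled with the fix instead of moving to 1.0.1g.

# heartbleed_version_status "OpenSSL 1.0.1e-fips 11 Feb 2013"
# Prints one of: vulnerable-by-version | fixed | not-affected | unknown
heartbleed_version_status() {
  # Split "OpenSSL <version> <date>" on whitespace; $2 becomes the version token.
  set -- $1
  [ "$1" = "OpenSSL" ] || { echo "unknown"; return 0; }
  ver=${2%-fips}                 # "1.0.1e-fips" -> "1.0.1e"
  case "$ver" in
    1.0.1|1.0.1[a-f])          echo "vulnerable-by-version" ;;  # 1.0.1 .. 1.0.1f
    1.0.2-beta|1.0.2-beta1)    echo "vulnerable-by-version" ;;  # 1.0.2-beta1
    1.0.1[g-z])                echo "fixed" ;;                  # 1.0.1g and later
    1.0.2-beta[2-9]*)          echo "fixed" ;;                  # advisory: fixed in 1.0.2-beta2
    1.0.0*|0.9.8*)             echo "not-affected" ;;           # branches never had the bug
    *)                         echo "unknown" ;;
  esac
}

# changelog_has_heartbleed_fix "<text of rpm -q --changelog openssl>"
# Prints "yes" if the package changelog references the CVE, else "no".
# Assumption (not stated in the thread): the distro changelog entry names CVE-2014-0160.
changelog_has_heartbleed_fix() {
  if printf '%s\n' "$1" | grep -q 'CVE-2014-0160'; then echo "yes"; else echo "no"; fi
}

# heartbleed_assess "<openssl version line>" "<changelog text>"
# Combines both signals into the action a server admin should take.
heartbleed_assess() {
  status=$(heartbleed_version_status "$1")
  case "$status" in
    vulnerable-by-version)
      if [ "$(changelog_has_heartbleed_fix "$2")" = "yes" ]; then
        # Same version string, but the distro recompiled with the fix. The new
        # library is only in use once every service that loaded it is restarted.
        echo "patched-by-distro: restart services using OpenSSL"
      else
        echo "VULNERABLE: update openssl, then restart services"
      fi ;;
    fixed|not-affected) echo "ok" ;;
    *)                  echo "unknown: check manually" ;;
  esac
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_VERSION="OpenSSL 1.0.1e-fips 11 Feb 2013"
SAMPLE_CHANGELOG_UNPATCHED="* Mon Feb 11 2013 Example Packager - 1.0.1e-1
- new upstream version"
SAMPLE_CHANGELOG_PATCHED="* Mon Apr 07 2014 Example Packager - 1.0.1e-EXAMPLE
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
$SAMPLE_CHANGELOG_UNPATCHED"

heartbleed_assess "$SAMPLE_VERSION" "$SAMPLE_CHANGELOG_UNPATCHED"
heartbleed_assess "$SAMPLE_VERSION" "$SAMPLE_CHANGELOG_PATCHED"
# On a real CentOS/Redhat host:
#   heartbleed_assess "$(openssl version)" "$(rpm -q --changelog openssl 2>/dev/null)"
```

The two sample runs print `VULNERABLE: update openssl, then restart services` and `patched-by-distro: restart services using OpenSSL` respectively. Either way the last step is the same one the thread ends on: restart the services that loaded the old library, or reboot if you are not sure which ones did.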