Heartbleed Bug: What You Need to KnowVulnerability Exposes Widely Used OpenSSL Tool
Security forums and experts are buzzing about the newly discovered Internet bug known as Heartbleed which exposes a flaw in OpenSSL, a cryptographic tool that provides communication security and privacy over the Internet for applications such as web, e-mail, instant messaging and some virtual private networks.
"The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software," says Codenomicon, the Finland-based security vendor that discovered the bug, along with a researcher at Google Security. "This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users."
"It's as if your front door has a defective lock," writes Gail Sullivan of The Washington Post. "Someone could get in as long as it's not fixed. But that does not mean they've already gained entry."
Codenomicon has set up an informational website, Heartbleed.com, which details the exploit and offers answers to frequently asked questions.
News of Heartbleed spread quickly through security circles, prompting alerts from government agencies, researchers, news organizations and bloggers.
Noted security expert and blogger Bruce Schneier calls the exploit "catastrophic."
"Half a million sites are vulnerable, including my own," Schneier says in a blog. "On the scale of 1 to 10, this is an 11."
According to Codenomicon, Heartbleed is a flaw in the OpenSSL's implementation of the transport layer security protocols heartbeat extension (RFC6520). "When it is exploited it leads to the leak of memory contents from the server to the client and from the client to the server," Codenomicon writes.
Codenomicon researchers tested the exploit on the vendor's own services, from an attacker's perspective, and the results were alarming.
"Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, e-mails and business critical documents and communications," Codenomicon says.
The exploit potentially impacts a large number of users on the Internet. OpenSSL, Codenomicon says, is the most popular open source cryptographic library and transport layer security implementation used to encrypt traffic on the Internet.
"Your popular social site, your company's site, commerce site, hobby site, site you install software from or even sites run by our government might be using vulnerable OpenSSL," Codenomicon says.
Carnegie Mellon University's Software Engineering Institute CERT has posted an advisory about the vulnerability.
In its alert, CERT alleges the flaw allows an attacker to retrieve private memory of an application that uses the vulnerable OpenSSL library. The organization says attackers can retrieve the information at 64k at a time.
CERT also warns that attackers, using the stolen secret keys, can leverage the information to decrypt, spoof or perform man-in-the-middle attacks on network traffic that would otherwise be protected by OpenSSL.
"At this point, the odds are close to one that every target has had its private keys extracted by multiple intelligence agencies," says Schneier. "The real question is whether or not someone deliberately inserted this bug into OpenSSL, and has had two years of unfettered access to everything. My guess is accident, but I have no proof."
What to Do
Codenomicon says Fixed OpenSSL has been released and needs to be deployed now across websites vulnerable to the bug.
Operating system vendors and distribution, appliance vendors and independent software vendors need to adopt the fix and notify their users, Codenomicon says. "Service providers and users have to install the fix as it becomes available for the operating systems, networked appliance and software they use."
CERT says organizations should contact their software vendors to check for availability of updates.
"Any system that may have exposed this vulnerability should regenerate any sensitive information (secret keys, passwords, etc.) with the assumption that an attacker has already used this vulnerability to obtain those items," CERT says.
CERT also recommends organizations use what's known as perfect forward secrecy, or PFS, to help minimize the damage in the case of a secret key leak. PFS makes it difficult to decrypt already-captured network traffic.
Additionally, organizations can use this online tool to see if their website is vulnerable.
Additional Heartbleed coverage is forthcoming from Information Security Media Group.