The TBG Security team has been investigating a critical vulnerability in the OpenSSL cryptographic library. This vulnerability, which is known as the “Heartbleed Bug,” allows anyone on the Internet to read the memory of systems protected by vulnerable versions of the OpenSSL software. This issue should be considered extremely critical due to its impact, long exposure, ease of exploitation, the absence of application logs indicating an exploit attempt and the widespread availability of exploit code.
The flaw resides in the OpenSSL implementation of the TLS/DTLS (Transport Layer Security) protocols’ heartbeat extension (RFC6520) due to a missing bounds check. This vulnerability reveals 64KB of memory per request to a connected client or server. An attacker can keep reconnecting or can keep requesting an arbitrary number of 64KB chunks of memory content during an active TLS connection until they have achieved their objectives.
The vulnerability was independently discovered by a member of the Google Security team and by a team of security engineers at Codenomicon. Proof-of-concept (PoC) code to exploit this vulnerability exists.
OpenSSL versions 1.0.1 through 1.0.1f (inclusive) and version 1.0.2-beta are vulnerable;
branches 1.0.0 and 0.9.8 are not vulnerable.
This vulnerability is resolved in OpenSSL version 1.0.1g. According to the OpenSSL advisory, version 1.0.2 will be fixed via 1.0.2-beta2. TBG Security recommends upgrading immediately.
Products that use OpenSSL libraries, such as SSL termination devices, load balancers, secure web gateways , web application firewalls, and other embedded devices, may also be vulnerable. Clients should coordinate vulnerability status and mitigation steps with appropriate vendors.
After patching the vulnerability, revoke any primary key material (e.g., X.509 certificates and private keys) used by a vulnerable TLS service, and issue and distribute new keys. In addition, consider potential compromise of secondary key material, such as usernames and passwords exchanged with a vulnerable TLS endpoint. Reset secondary key material such as passwords and encryption keys, and invalidate and reset any exposed session keys and session cookies.
Visit the Heartbleed website for more information.
Italian security researcher Filippo Valsorda has created a tool that lets you check whether a website has the Heartbleed vulnerability.
LastPass has also published a Heartbleed testing tool which can be found here.
For information on how to prevent such vulnerabilities please read this.