Vendors must update their installations as soon as possible

Apr 8, 2014 08:24 GMT

A serious vulnerability in the OpenSSL cryptography library can be exploited to intercept communications. Version 1.0.1g of the software has been released to address the issue.

The vulnerability, CVE-2014-0160, can be leveraged to steal information protected by SSL/TLS encryption because it enables an attacker to read the memory of the vulnerable systems. The security hole exposes all data transmissions, including encryption keys, usernames, passwords and the content of the communication.

The issue has been dubbed the “Heartbleed bug” because it affects the TLS/DTLS implementation of the RFC 6520 heartbeat extension and leads to the leakage of memory contents.

The security hole is problematic because it has been around for two years, leaving a large number of private keys and other sensitive data exposed.

The flaw was uncovered by a team of engineers from Codenomicon and Neel Mehta of Google Security. OpenSSL 1.0.1 through 1.0.1f are vulnerable. The 1.0.0 and 0.9.8 branches are not affected.

Several operating system distributions, including Debian Wheezy, Ubuntu, CentOS, FreeBSD, OpenBSD and openSUSE, ship with vulnerable versions. Researchers believe that most users are likely to be impacted, either directly or indirectly.
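The version range above is the first thing an administrator has to triage across a fleet. The following added example (not code from the article or from the OpenSSL project) parses the banner printed by `openssl version` and applies exactly the range the article states: 1.0.1 through 1.0.1f vulnerable, 1.0.1g fixed, and the 1.0.0 and 0.9.8 branches unaffected. The banner strings in the comments are constructed samples in the format `openssl version` prints.

```python
import re

# Upstream OpenSSL version strings look like "OpenSSL 1.0.1e-fips 11 Feb 2013":
# major.minor.patch followed by an optional patch letter. The regex ignores any
# suffix such as "-fips" and the build date.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Parse `openssl version` output into (major, minor, patch, letter).

    Returns None when the banner carries no recognisable OpenSSL version.
    """
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)


def is_heartbleed_vulnerable(banner):
    """True when the banner reports an upstream release in 1.0.1 .. 1.0.1f.

    Only the 1.0.1 branch carries the bug (the article: 1.0.1 through 1.0.1f).
    The plain "1.0.1" release has an empty letter, which sorts before "a",
    so it is caught by the same comparison as 1.0.1a-f. 1.0.1g and later
    are the fixed releases; 1.0.0 and 0.9.8 never contained the code.
    """
    v = parse_openssl_version(banner)
    if v is None:
        raise ValueError("no OpenSSL version found in banner: %r" % banner)
    major, minor, patch, letter = v
    if (major, minor, patch) != (1, 0, 1):
        return False
    return letter < "g"


def triage(banners):
    """Run the check over a list of (host, banner) pairs, as an inventory script
    would, and return the hosts that still report a vulnerable upstream version."""
    return [host for host, banner in banners if is_heartbleed_vulnerable(banner)]


if __name__ == "__main__":
    # Constructed sample inventory: host name -> output of `openssl version`.
    sample = [
        ("web-01", "OpenSSL 1.0.1e-fips 11 Feb 2013"),
        ("web-02", "OpenSSL 1.0.1g 7 Apr 2014"),
        ("lb-01", "OpenSSL 1.0.0l 6 Jan 2014"),
        ("legacy", "OpenSSL 0.9.8y 5 Feb 2013"),
    ]
    for host in triage(sample):
        print("%s: reports a vulnerable OpenSSL 1.0.1 release, update to 1.0.1g" % host)
```

One caveat for the distributions named above: several of them backport security fixes while keeping the upstream version string, so a host can report 1.0.1e and still be patched. Treat a hit from this check as a prompt to consult the package changelog or the vendor advisory, not as proof of exposure.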

It’s worth noting that this isn’t an SSL/TLS design flaw. Instead, it’s an implementation problem in the OpenSSL library.

Researchers also highlight the fact that this bug is not like the recent Apple “goto fail” bug, which required a man-in-the-middle (MITM) attack. Instead, the attacker can contact the vulnerable service directly, and a malicious service can likewise attack the users who connect to it.

It’s uncertain if the Heartbleed bug is being abused in the wild, but experts say that its exploitation leaves no traces. Intrusion detection and prevention systems can be programmed to detect attacks exploiting this issue, but the attacks can’t be blocked unless the security systems are programmed to block heartbeat requests completely.
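The detection the article mentions comes down to one check on the RFC 6520 message layout: a heartbeat message carries a declared payload length, and a well-formed one must fit that payload plus at least 16 bytes of padding inside the TLS record that carries it. The following added example (not code from the article or from any IDS product) implements that check over raw TLS records; the four sample records are constructed inline, and the record/message field layout comes from RFC 6520 and the TLS record header.

```python
import struct

TLS_HEARTBEAT = 0x18            # TLS ContentType for the RFC 6520 heartbeat extension
HB_REQUEST, HB_RESPONSE = 1, 2  # HeartbeatMessageType values
MIN_PADDING = 16                # RFC 6520: padding MUST be at least 16 bytes


def inspect_tls_record(record):
    """Classify one raw TLS record (5-byte header + fragment).

    Returns one of:
      'not-heartbeat' - a different content type; nothing to inspect
      'truncated'     - too short to contain a heartbeat header
      'unknown-type'  - heartbeat record with an undefined message type
      'overlong'      - declared payload_length cannot fit in the record
                        alongside the minimum padding; RFC 6520 says a
                        receiver MUST silently discard such a message
      'ok'            - well-formed heartbeat message
    """
    if len(record) < 5:
        return "truncated"
    content_type, _version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != TLS_HEARTBEAT:
        return "not-heartbeat"
    fragment = record[5:5 + rec_len]
    # HeartbeatMessage = type (1 byte) + payload_length (2 bytes) + payload + padding
    if len(fragment) < rec_len or len(fragment) < 3:
        return "truncated"
    hb_type, payload_len = struct.unpack("!BH", fragment[:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return "unknown-type"
    if 3 + payload_len + MIN_PADDING > len(fragment):
        return "overlong"
    return "ok"


def scan_records(labelled_records):
    """Run the check over (label, record) pairs the way an IDS rule would over
    a stream, returning the labels whose records were flagged as overlong."""
    return [label for label, rec in labelled_records
            if inspect_tls_record(rec) == "overlong"]


# Constructed sample records (TLS 1.1 version bytes 0x03 0x02).
# Benign request: 4-byte payload "ping" plus 16 bytes of padding, record length 23.
BENIGN_HEARTBEAT = b"\x18\x03\x02\x00\x17" + b"\x01\x00\x04ping" + b"\x00" * MIN_PADDING
# Malformed request: the record carries only the 3-byte header, yet the
# payload_length field claims 0x4000 bytes. Nothing can satisfy that length.
MALFORMED_HEARTBEAT = b"\x18\x03\x02\x00\x03" + b"\x01\x40\x00"
# A handshake record (content type 0x16), which the check ignores.
HANDSHAKE_RECORD = b"\x16\x03\x02\x00\x01\x00"
# A heartbeat record whose header promises 23 bytes but only 2 arrived.
TRUNCATED_HEARTBEAT = b"\x18\x03\x02\x00\x17" + b"\x01\x00"

SAMPLE_RECORDS = [
    ("benign", BENIGN_HEARTBEAT),
    ("malformed", MALFORMED_HEARTBEAT),
    ("handshake", HANDSHAKE_RECORD),
    ("truncated", TRUNCATED_HEARTBEAT),
]

if __name__ == "__main__":
    for label, rec in SAMPLE_RECORDS:
        print("%-10s %s" % (label, inspect_tls_record(rec)))
    print("flagged:", scan_records(SAMPLE_RECORDS))
```

This inspection only works where the record content is visible in the clear. Once the handshake completes, heartbeat messages are encrypted like any other record, so a middlebox cannot read the length field; it can still see the content type byte, which is why the article notes that the only way to stop such traffic outright is to block heartbeat records altogether. A practical rule therefore pairs the length check with a second signal: any heartbeat record observed before the handshake has finished.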

In the coming period, appliance, software and operating system vendors will have to roll out the fix. Some of them are already said to have started the process. One of them is CloudFlare, which fixed the vulnerability last week.

“This bug fix is a successful example of what is called responsible disclosure. Instead of disclosing the vulnerability to the public right away, the people notified of the problem tracked down the appropriate stakeholders and gave them a chance to fix the vulnerability before it went public. This model helps keep the Internet safe,” CloudFlare’s Nick Sullivan noted.

You can download OpenSSL 1.0.1g from Softpedia.