A new threat called the Heartbleed Bug has just been reported by some researchers at Codenomicon and Google. Heartbleed attacks the heartbeat extension (RFC 6520) implemented in OpenSSL. The official reference to the Heartbleed bug is CVE-2014-0160.
Heartbleed allows an attacker to read the memory of a system over the Internet and compromise the private keys, names, passwords and content. An attack is not logged and would not be detectable. The attack can be from client to server or server to client.
Heartbleed is not a flaw with the SSL/TLS protocol specification, nor is it a flaw with the certificate authority (CA) or certificate management system. Heartbleed is an implementation bug.
The bug impacts OpenSSL versions 1.0.1 through 1.0.1f. The fix is in OpenSSL version 1.0.1g. The 0.9.8 and 1.0.0 version lines are not impacted. OpenSSL 1.0.1 was introduced in March 2012, so the vulnerability is 2 years old.
The impacted systems are widespread. OpenSSL is used in Apache and NGINX, which Netcraft reports are 66 percent of the market share.
OpenSSL is also used in operating systems such as Debian Wheezy, Ubuntu 12.04.4 LTS, CentOS 6.5, Fedora 18, OpenBSD 5.3 and 5.4, FreeBSD 8.4 and 9.1, NetBSD 5.0.2 and OpenSUSE 12.2.
If you are using an impacted version of OpenSSL, you need to consider the following:
- Upgrade your system to a software version that uses OpenSSL 1.0.1g or higher. You may have to wait until your software vendor publishes a new release
- Renew your SSL certificates with a new private key
- Ask your users to change their passwords
- As content may have been compromised, you will need to consider whether you need to notify users
Updated April 9, 2014: Qualys SSL Labs has added a Heartbleed test to their SSL Server Test.