What is the Heartbleed Bug and OpenSSL?
Author: CSC Global Cybersecurity
The “Heartbleed” bug is an easily exploited vulnerability in the OpenSSL software library (versions 1.0.1 through 1.0.1f, as well as the 1.0.2-beta1 pre-release). OpenSSL is a widely used implementation of the SSL/TLS protocols on which much of the Internet’s secure encrypted communication relies.
The Heartbleed bug allows anyone who exploits it to read up to 64 kB of the affected process’s memory per request, and the request can be repeated as often as the attacker likes. This provides an opening for attackers to steal usernames, passwords and, in some cases, even the private keys that websites use to encrypt and decrypt sensitive data.
What is Heartbleed?
This vulnerability had existed for two years before security researchers discovered it. The vulnerable code was first released in March 2012 with OpenSSL 1.0.1, and every subsequent release through 1.0.1f contains the flaw. The latest version at the time of writing, OpenSSL 1.0.1g, contains the bounds check that fixes this bug.
This vulnerability is caused by a flaw in OpenSSL’s implementation of the TLS/DTLS heartbeat functionality (RFC 6520), more commonly known as the “heartbeat extension”: the code trusts the payload length claimed in the incoming heartbeat request instead of checking it against the length of the record actually received, and so echoes back whatever memory follows the request. An attacker who has located a vulnerable device can retrieve memory from it. By exploiting this vulnerability, an attacker could obtain:
- Primary key material (secret keys)
- Secondary key material (user names and passwords used by other services)
- Protected content (sensitive data used by vulnerable services)
- Collateral such as memory addresses and content that can be leveraged to bypass mitigations.
Exploit code for this vulnerability is publicly available, and services that upgrade a plaintext connection to TLS via STARTTLS (imap, smtp, http, pop) may also be affected.
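To make the missing check concrete, here is an added illustration written for this article; it is not OpenSSL’s code. It reproduces the shape of OpenSSL’s `tls1_process_heartbeat` handler in two versions, the 1.0.1f logic that copies the attacker-claimed number of bytes and the 1.0.1g logic that first compares that number with the record length. The “heap” array, the `SECRET` string placed right after the received record, the `build_request` helper and the `leaked_secret_bytes` scorer are all constructed for the demonstration; the arena is deliberately sized so that the simulation itself never reads outside memory it owns.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16      /* RFC 6520: at least 16 bytes of padding */
#define HB_MAX_PAYLOAD   65535   /* the payload_length field is 16 bits   */

/* Simulated process heap (constructed). The received heartbeat record sits at
 * offset 0; a constructed secret is placed directly after it, standing in for
 * whatever the real process had allocated there (keys, passwords, sessions).
 * Sized so that even a 65535-byte over-read stays inside the arena. */
#define HEAP_SIZE (3 + HB_MAX_PAYLOAD + 64)
static unsigned char heap[HEAP_SIZE];
static const char SECRET[] = "-----BEGIN RSA PRIVATE KEY----- (constructed)";

/* Lay out a heartbeat request: 1 byte type, 2 byte big-endian *claimed*
 * payload length, the real payload, then padding. Returns the real record
 * length, which is what the TLS record layer actually knows about. */
size_t build_request(uint16_t claimed_len, const char *payload) {
    size_t plen = strlen(payload);
    memset(heap, 0, sizeof heap);
    heap[0] = TLS1_HB_REQUEST;
    heap[1] = (unsigned char)(claimed_len >> 8);
    heap[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(heap + 3, payload, plen);
    size_t rec_len = 3 + plen + HB_PADDING;
    memcpy(heap + rec_len, SECRET, sizeof SECRET);   /* the adjacent secret */
    return rec_len;
}

typedef int (*hb_handler)(const unsigned char *rec, size_t rec_len,
                          unsigned char *out, size_t *out_len);

/* Vulnerable shape (OpenSSL 1.0.1 to 1.0.1f): the length the peer claims
 * drives the copy and is never compared with rec_len. */
int vulnerable_heartbeat(const unsigned char *rec, size_t rec_len,
                         unsigned char *out, size_t *out_len) {
    (void)rec_len;                        /* never consulted: that is the bug */
    if (rec[0] != TLS1_HB_REQUEST) return -1;
    uint16_t n = (uint16_t)((rec[1] << 8) | rec[2]);
    out[0] = TLS1_HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, n);          /* copies n bytes whatever rec_len is */
    memset(out + 3 + n, 0, HB_PADDING);   /* real code fills random padding    */
    *out_len = 3 + n + HB_PADDING;
    return 0;
}

/* Fixed shape (the 1.0.1g bounds check): header, claimed payload and padding
 * must fit inside the record that was received, else the message is silently
 * discarded as RFC 6520 section 4 requires. */
int fixed_heartbeat(const unsigned char *rec, size_t rec_len,
                    unsigned char *out, size_t *out_len) {
    if (rec_len < 1 + 2 + HB_PADDING) return -1;             /* too short */
    if (rec[0] != TLS1_HB_REQUEST) return -1;
    uint16_t n = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)n + HB_PADDING > rec_len) return -1; /* the missing check */
    out[0] = TLS1_HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, n);
    memset(out + 3 + n, 0, HB_PADDING);
    *out_len = 3 + n + HB_PADDING;
    return 0;
}

/* Run one request through a handler and count how many leading bytes of
 * SECRET came back. Response byte i mirrors heap byte i for i < 3+claimed_len,
 * so anything at index >= rec_len was read from beyond the record.
 * Returns 0 when nothing leaked or the request was dropped. */
int leaked_secret_bytes(hb_handler handler, uint16_t claimed_len, const char *payload) {
    static unsigned char out[3 + HB_MAX_PAYLOAD + HB_PADDING];
    size_t out_len = 0;
    size_t rec_len = build_request(claimed_len, payload);
    if (handler(heap, rec_len, out, &out_len) != 0) return 0;
    size_t mirrored = 3 + (size_t)claimed_len;
    if (mirrored <= rec_len) return 0;
    size_t beyond = mirrored - rec_len;
    if (beyond > sizeof SECRET) beyond = sizeof SECRET;
    int matched = 0;
    while ((size_t)matched < beyond &&
           out[rec_len + matched] == (unsigned char)SECRET[matched])
        matched++;
    return matched;
}

int main(void) {
    printf("vulnerable, claims 32 bytes for 4-byte payload: %d secret bytes leaked\n",
           leaked_secret_bytes(vulnerable_heartbeat, 32, "ping"));
    printf("vulnerable, claims 65535 bytes:                 %d secret bytes leaked\n",
           leaked_secret_bytes(vulnerable_heartbeat, 65535, "ping"));
    printf("fixed, claims 32 bytes:                         %d secret bytes leaked\n",
           leaked_secret_bytes(fixed_heartbeat, 32, "ping"));
    printf("fixed, honest 4-byte claim:                     %d secret bytes leaked\n",
           leaked_secret_bytes(fixed_heartbeat, 4, "ping"));
    return 0;
}
```

A 4-byte “ping” sent with a claimed length of 32 makes the vulnerable handler echo 12 bytes that were never in the request; claiming 65535 drains the whole constructed secret, and that is exactly the 64 kB-per-request figure quoted above. The fixed handler drops both oversized requests and still answers the honest one, which is why the 1.0.1g change was a one-line comparison rather than a redesign.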
The researchers behind heartbleed.com tested the attack against their own systems from an external location; the attack left no trace in logs. Without using any privileged information or credentials, they were able to steal from their own devices the secret keys used for their X.509 certificates, user names and passwords, instant messages, emails, and business critical documents and communications.
- Vendor software affected versions
- How CSC is responding to fixing Heartbleed
- What you must do today