Heartbleed Security Bug

Heartbleed Security Bug – Will you be affected?

There’s been a flurry of news on the web over the last few days about this because clearly some of the major news services needed some front-page pull.  The vulnerability has been common knowledge for over a year, and the affected versions have been available for at least two years.

Let’s get a few things straight before you start running around like headless chooks changing your passwords, moving your Internet Service provider and generally making life difficult for yourself.

What is Heartbleed?

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. That means that if your server is using this library, you could possibly be affected. Possibly.

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

It allows hackers to get in, steal the data, and get out – without a trace. But once again, before you go crazy, read this:

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1.

How do you check to see if your server is affected?

Here’s a list of operating system distributions that have shipped with potentially vulnerable OpenSSL version:

• Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
• Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
• CentOS 6.5, OpenSSL 1.0.1e-15
• Fedora 18, OpenSSL 1.0.1e-4
• OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)
• FreeBSD 10.0 – OpenSSL 1.0.1e 11 Feb 2013
• NetBSD 5.0.2 (OpenSSL 1.0.1e)
• OpenSUSE 12.2 (OpenSSL 1.0.1c)

Operating system distribution with versions that are not vulnerable:

• Debian Squeeze (oldstable), OpenSSL 0.9.8o-4squeeze14
• SUSE Linux Enterprise Server
• FreeBSD 8.4 – OpenSSL 0.9.8y 5 Feb 2013
• FreeBSD 9.2 – OpenSSL 0.9.8y 5 Feb 2013
• FreeBSD Ports – OpenSSL 1.0.1g (At 7 Apr 21:46:40 2014 UTC)

Test Pages:

• Here’s the test page at possible.lv. Plug in your page and test away.
• Here’s another at filippo.io

Where to find more information?

The Q&A at heartbleed.com was published as a follow-up to the OpenSSL advisory, since this vulnerability became public on 7th of April 2014. The OpenSSL project has made a statement athttps://www.openssl.org/news/secadv_20140407.txt. NCSC-FI published an advisory athttps://www.cert.fi/en/reports/2014/vulnerability788210.html. Individual vendors of operating system distributions, affected owners of Internet services, software packages and appliance vendors may issue their own advisories.

References

• http://www.openssl.org/news/secadv_20140407.txt (published 7th of April 2014, ~17:30 UTC)
• http://blog.cloudflare.com/staying-ahead-of-openssl-vulnerabilities (published 7th of April 2014, ~18:00 UTC)
• http://heartbleed.com (published 7th of April 2014, ~19:00 UTC)
• http://www.ubuntu.com/usn/usn-2165-1/
• http://www.freshports.org/security/openssl/
• https://blog.torproject.org/blog/openssl-bug-cve-2014-0160
• https://rhn.redhat.com/errata/RHSA-2014-0376.html
• http://lists.centos.org/pipermail/centos-announce/2014-April/020249.html
• https://lists.fedoraproject.org/pipermail/announce/2014-April/003205.html
• http://www.kb.cert.org/vuls/id/720951
• https://www.cert.fi/en/reports/2014/vulnerability788210.html
• https://www.cert.at/warnings/all/20140408.html
• http://www.circl.lu/pub/tr-21/