heartbleed-openssl-bug

Heartbleed bug was discovered in OpenSSL. OpenSSL is an open-source implementation of the SSL and TLS protocols. The core library is written in the C programming language. OpenSSL implements the basic cryptographic functions and provides various utility functions.

This bug allows random reading of servers memory in blocks of 64k. This means that it is possible to find even the encryption key, which compromises almost all of the server’s information.

Heartbleed allows stealing the protected information, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL / TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPN’s).

It is advised to those who are running their web server with older versions of OpenSSL, such as 1.0.1 through 1.0.1f to update the OpenSSL to a newer version such as 1.0.1g immediately.

The Heartbleed bug was discovered by security company Codenomicon. They created a page where they explain what is Heartbleed, how it works, what versions of OpenSSL are affected, what operating systems are affected and many more. But the most important thing, on the Heartbleed official website, it is explained how the bug could be fixed:

Even though the actual code fix may appear trivial, OpenSSL team is the expert in fixing it properly so latest fixed version 1.0.1g or newer should be used. If this is not possible software developers can recompile OpenSSL with the handshake removed from the code by compile time option -DOPENSSL_NO_HEARTBEATS.

In 07 April 2014, the OpenSSL website displayed a Security Advisory on it’s website:

OpenSSL Security Advisory [07 Apr 2014]
========================================

TLS heartbeat read overrun (CVE-2014-0160)
==========================================

A missing bounds check in the handling of the TLS heartbeat extension can be
used to reveal up to 64k of memory to a connected client or server.

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including
1.0.1f and 1.0.2-beta1.

Thanks for Neel Mehta of Google Security for discovering this bug and to
Adam Langley and Bodo Moeller for
preparing the fix.

Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately
upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

1.0.2 will be fixed in 1.0.2-beta2.

Below you can watch a video that explains the OpenSSL Heartbleed vulnerability:

OpenSSL Heartbeat (Heartbleed) Vulnerability (CVE-2014-0160) and its High-Level Mechanics from Elastica Inc on Vimeo.

Heartbleed Test and Quality SSL Labs are two websites where you can check to see if your server is vulnerable to Heartbleed Bug.