A serious vulnerability in the popular OpenSSL cryptographic library has been discovered that allows attackers to steal information unnoticed. Known as the Heartbleed bug,
Impact:
The vulnerability allows anyone on the Internet to read the memory of systems that run vulnerable versions of OpenSSL, revealing the secret authentication and encryption keys used to protect the traffic.
User names, passwords and the actual content of the communications can also be read.
According to the report, the exploit leaves no trace that your server has been scanned and sensitive information leaked.
If you used a vulnerable version of OpenSSL to generate the encryption keys that secure your web traffic, your site is likely affected.
In addition, tools have been released on the Internet that let users scan sites for this vulnerability.
Only the 1.0.1 and 1.0.2-beta releases of OpenSSL are affected, including 1.0.1f and 1.0.2-beta1.
Solution:
OpenSSL 1.0.1g has been released to address this vulnerability.
Any keys generated with a vulnerable version of OpenSSL should likely be considered compromised, and should be regenerated and redeployed after the patch has been applied.
For more information, please refer to the links below:
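As an added example (not part of the original advisory), the following script turns the affected-version list above into a first-pass check a defender can run against the output of `openssl version` on a host; the banner used in `main()` is a constructed sample.

```python
import re

# Affected per the OpenSSL advisory: 1.0.1 through 1.0.1f, plus 1.0.2-beta1.
# 1.0.1g carries the fix; the 1.0.0 and 0.9.8 branches were never affected.
VERSION_RE = re.compile(r'^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?$')


def parse_version(version):
    """Split an OpenSSL version string such as '1.0.1f' or '1.0.2-beta1'
    into (major, minor, fix, letter, beta)."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f'unrecognised OpenSSL version: {version!r}')
    major, minor, fix, letter, beta = m.groups()
    return int(major), int(minor), int(fix), letter, beta


def is_heartbleed_affected(version):
    """True if the upstream release string falls in the affected range."""
    major, minor, fix, letter, beta = parse_version(version)
    if (major, minor) != (1, 0):
        return False          # 0.9.8x, 1.1.x etc. are outside the 1.0 line
    if fix == 1:
        # '1.0.1' (empty letter) up to and including '1.0.1f' is affected;
        # single-letter suffixes sort alphabetically, so 'g' and later are fixed
        return letter <= 'f'
    if fix == 2:
        return beta == 'beta1'  # only the first 1.0.2 beta is listed as affected
    return False              # 1.0.0 branch


def version_from_banner(banner):
    """Extract the version token from an `openssl version` line,
    e.g. 'OpenSSL 1.0.1f 6 Jan 2014' -> '1.0.1f'."""
    parts = banner.split()
    if len(parts) < 2 or parts[0] != 'OpenSSL':
        raise ValueError(f'not an OpenSSL version banner: {banner!r}')
    return parts[1]


def main():
    # Constructed sample banner, as `openssl version` would print it.
    banner = 'OpenSSL 1.0.1e 11 Feb 2013'
    ver = version_from_banner(banner)
    state = 'AFFECTED' if is_heartbleed_affected(ver) else 'not affected'
    print(f'{banner}: {state}')


if __name__ == '__main__':
    main()
```

Distributions such as Ubuntu and Red Hat (see the USN and RHSA links below) backported the fix without changing the upstream version string, so a match here means "check the package changelog", not "confirmed vulnerable".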
- https://www.openssl.org/
- https://www.openssl.org/news/secadv_20140407.txt
- http://www.itnews.com.au/News/382211,admins-scramble-to-plug-giant-openssl-security-hole.aspx?eid=1&edate=20140409&utm_source=20140409_AM&utm_medium=newsletter&utm_campaign=daily_newsletter
- http://www.us-cert.gov/ncas/alerts/TA14-098A
References:
- CVE-2014-0160
- NCSC-FI case# 788210
- http://www.openssl.org/news/secadv_20140407.txt
- http://blog.cloudflare.com/staying-ahead-of-openssl-vulnerabilities
- http://www.ubuntu.com/usn/usn-2165-1/
- http://www.freshports.org/security/openssl/
- https://blog.torproject.org/blog/openssl-bug-cve-2014-0160
- https://rhn.redhat.com/errata/RHSA-2014-0376.html
- http://lists.centos.org/pipermail/centos-announce/2014-April/020249.html
- https://lists.fedoraproject.org/pipermail/announce/2014-April/003205.html
- http://www.kb.cert.org/vuls/id/720951
- https://www.cert.fi/en/reports/2014/vulnerability788210.html
- https://www.cert.at/warnings/all/20140408.html
- http://www.circl.lu/pub/tr-21/