A serious vulnerability has been found in the popular OpenSSL cryptographic software library. This weakness allows stealing the information that is, under normal conditions, protected by the SSL/TLS encryption used to secure the Internet.
SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
The warning about the bug in OpenSSL coincided with the release of version 1.0.1g of the open-source program, which is the default cryptographic library used in the Apache and nginx Web server applications, as well as a wide variety of operating systems and e-mail and instant-messaging clients.
This bug is not a problem with OpenSSL's inherent design; it is an implementation problem, that is to say the result of a programming mistake. A fix for the 1.0.1 line is already available in OpenSSL 1.0.1g. Work is proceeding rapidly on a patch for the 1.0.2-beta line.
The bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software.
This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content.
This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
According to the Heartbleed disclosure, its authors tested some of their own services from an attacker's perspective and attacked themselves from outside, without leaving a trace.
Without using any privileged information or credentials they were able to steal from themselves the secret keys used for their X.509 certificates, user names and passwords, instant messages, emails and business-critical documents and communication.
If you were running a vulnerable release, it is even suggested that you go as far as revoking all of your keys. Distributions using OpenSSL 0.9.8 are not vulnerable.
Debian Wheezy, Ubuntu 12.04.4, CentOS 6.5, Fedora 18, SuSE 12.2, OpenBSD 5.4, FreeBSD 8.4, and NetBSD 5.0.2 and all following releases are vulnerable.
OpenSSL released 1.0.1g yesterday addressing the vulnerability. Debian's fix is in incoming and should hit mirrors soon; Fedora is having some trouble applying its patches, but a workaround patch to the package .spec is available for immediate application.
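A first triage step for the version facts above is to classify the banner printed by `openssl version`. The following is an added example (not code from the post or from the OpenSSL project) that parses the banner and flags the affected upstream range, 1.0.1 through 1.0.1f plus the 1.0.2-beta builds, while treating 0.9.8 and 1.0.0 as outside the range; the banner strings in the test are constructed samples.

```python
import re
from typing import NamedTuple, Optional

# Affected range as stated in the post: the 1.0.1 line up to and including
# 1.0.1f (1.0.1g carries the fix) and the 1.0.2-beta builds; 0.9.8 is not affected.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-([A-Za-z0-9]+))?")


class OpenSSLVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    letter: str   # "f" in 1.0.1f, "" when absent
    tag: str      # "beta1" in 1.0.2-beta1, "" when absent


def parse_version(banner: str) -> Optional[OpenSSLVersion]:
    """Parse the first line of `openssl version`, e.g. 'OpenSSL 1.0.1e 11 Feb 2013'."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter, tag = m.groups()
    return OpenSSLVersion(int(major), int(minor), int(patch), letter, tag or "")


def is_affected_range(v: OpenSSLVersion) -> bool:
    """True when the upstream version number falls inside the Heartbleed range."""
    if (v.major, v.minor, v.patch) == (1, 0, 1):
        return v.letter <= "f"              # 1.0.1 .. 1.0.1f; 1.0.1g is fixed
    if (v.major, v.minor, v.patch) == (1, 0, 2):
        return v.tag.startswith("beta")     # 1.0.2-beta builds were affected
    return False                            # 0.9.8 and 1.0.0 never had the bug


def assess(banner: str) -> str:
    """Classify a banner. Distributions backport fixes without bumping the upstream
    number (Debian ships a patched 1.0.1e), so a hit means 'check the package
    changelog for the Heartbleed fix', not 'confirmed vulnerable'."""
    v = parse_version(banner)
    if v is None:
        return "unparsed"
    return "check-package-patch-level" if is_affected_range(v) else "not-in-affected-range"


if __name__ == "__main__":
    import subprocess
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True, text=True).stdout
        print(out.strip(), "->", assess(out))
    except FileNotFoundError:
        print("openssl binary not found on PATH")
```

Because of distribution backports, a "check-package-patch-level" result should be followed by inspecting the package changelog or the vendor advisory rather than trusting the version string alone.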