Vendors and administrators scramble to patch OpenSSL vulnerability

Steve Ragan

Since news of the OpenSSL bug started to spread on Monday, administrators and vendors have made a mad scramble to patch the Heartbleed bug, named for the flawed implementation of the heartbeat option in the cryptographic library.

On Monday, three researchers from Codenomicon and Neel Mehta (a Google staffer focused on security) detailed the flaw and the various problems it will create.

In short, the flaw allows anyone, anywhere on the Internet, to read the memory of systems running the vulnerable versions of OpenSSL in 64kb chunks. Doing so allows them to access information such as secret keys, usernames and passwords, and in some cases the content itself that would normally be protected.

Moreover, there is no limit to the number of 64kb chunks of memory that can be accessed, so the attacker can repeat the process as many times as they wish until they get the information they're after.
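The mechanism described above comes down to a missing bounds check: a heartbeat request carries its own "payload length" field, and the vulnerable code echoed back that many bytes regardless of how many the peer actually sent. The following added example (written for this page, not code from the article or from OpenSSL) shows the check the fix performs, applied as a detector over TLS records: it parses the record header and heartbeat message and flags any request whose declared length plus the mandatory padding does not fit inside the record. The sample records are constructed for the example; the record layout follows RFC 6520.

```python
"""Flag malformed TLS heartbeat records of the kind Heartbleed depends on.

Added example, not code from the article or from OpenSSL. The sample
records at the bottom are constructed for this demonstration.
"""
import struct

HEARTBEAT_CONTENT_TYPE = 0x18  # TLS record content type for heartbeat (RFC 6520)
HB_REQUEST = 1
HB_RESPONSE = 2
PADDING_MIN = 16               # RFC 6520: at least 16 bytes of padding follow the payload


def check_heartbeat_record(record: bytes) -> dict:
    """Parse one TLS record and report whether its heartbeat message is well-formed.

    Returns a dict: kind ('heartbeat' or 'other'), ok (bool), reason (str),
    declared (payload length the sender claims, or None) and available
    (bytes actually present after the type and length fields).
    """
    result = {"kind": "other", "ok": True, "reason": "", "declared": None, "available": 0}
    if len(record) < 5:
        result.update(ok=False, reason="truncated TLS record header")
        return result
    content_type, _version, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:]
    if content_type != HEARTBEAT_CONTENT_TYPE:
        result.update(reason="not a heartbeat record", available=len(body))
        return result
    result["kind"] = "heartbeat"
    if len(body) != rec_len:
        result.update(ok=False, reason="record length field does not match bytes present",
                      available=len(body))
        return result
    if rec_len < 3:
        result.update(ok=False, reason="heartbeat message too short for type and length fields",
                      available=rec_len)
        return result
    hb_type = body[0]
    declared = struct.unpack("!H", body[1:3])[0]
    result.update(declared=declared, available=rec_len - 3)
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        result.update(ok=False, reason="unknown heartbeat message type")
        return result
    # The bounds check the vulnerable code lacked: type (1) + length (2) + payload
    # + minimum padding (16) must fit inside the record. If it does not, the peer
    # is asking to be echoed bytes it never sent, i.e. the server's own memory.
    if 1 + 2 + declared + PADDING_MIN > rec_len:
        result.update(ok=False, reason="declared payload length (plus required padding) exceeds record")
        return result
    result["reason"] = "well-formed"
    return result


def scan_records(records) -> list:
    """Return the indices of records that fail the heartbeat sanity check."""
    return [i for i, rec in enumerate(records) if not check_heartbeat_record(rec)["ok"]]


# Constructed sample records (not captured traffic).
SAMPLE_RECORDS = [
    # 0: well-formed heartbeat request: 4-byte payload "ping" plus 16 bytes of padding
    b"\x18\x03\x02\x00\x17" + b"\x01" + b"\x00\x04" + b"ping" + b"\x00" * 16,
    # 1: malformed: declares a 16384-byte payload but carries no payload at all
    b"\x18\x03\x02\x00\x03" + b"\x01" + b"\x40\x00",
    # 2: ordinary application-data record, not a heartbeat; ignored by the check
    b"\x17\x03\x02\x00\x05" + b"hello",
    # 3: honest payload length but the mandatory padding is missing
    b"\x18\x03\x02\x00\x07" + b"\x01" + b"\x00\x04" + b"ping",
]

if __name__ == "__main__":
    for i, rec in enumerate(SAMPLE_RECORDS):
        r = check_heartbeat_record(rec)
        print(f"record {i}: {r['kind']:9} ok={r['ok']!s:5} declared={r['declared']} "
              f"available={r['available']} ({r['reason']})")
    print("flagged:", scan_records(SAMPLE_RECORDS))  # flagged: [1, 3]
```

Record 3 is worth noting: the payload length is honest, but the fixed OpenSSL also rejects requests that omit the required padding, so a detector that only compares declared length against available bytes is looser than the patched library. A patched server simply discards a failing record instead of answering it; the same comparison is what network signatures for this bug key on.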

OpenSSL is used by millions of websites, so the flaw impacts almost everyone. Those not impacted by this two-year-old bug are immune either because their websites don't support SSL or because they're using outdated versions of OpenSSL, and both situations are a problem in their own right.

Dwayne Melancon, CTO of Tripwire, told CSO Online that the potential impact for Heartbleed is huge.

"OpenSSL is a widely used technology for secure communication over the Internet. In general, that means it was implemented to protect secure data and communications to prevent unauthorized access to information. This vulnerability means attackers can gain access to information, transactions, and other sensitive or valuable data with little restriction - it is very serious."

The flaw has existed for two years, and there are a number of mitigating factors that would leave a website immune to this problem.

At last check, 48 of the Alexa Top 1,000 were vulnerable to the Heartbleed issue. Then again, of the 952 domains not vulnerable, 512 are safe only because they don't support SSL. The other 448 domains listed as not vulnerable are either patched, don't allow the heartbeat option, or are using an older implementation of OpenSSL.

Those with outdated installs are exposing the website and its users to a number of other potential risks, so the advice from experts is to update to the current version - Heartbleed vulnerability or not.

Don't Panic:
"The important thing to do is take a breath, update your system, and revoke your current SSL Keys and issue new ones. Patching systems is the easy part here - several major vendors, RedHat and Ubuntu included, have already issued updates to their package management systems," Tripwire's Tyler Reguly said.

"If you are concerned that you may have been a target and your keys may have already leaked, revoking your current certificate and issuing a new one is a solid practice that will give you true confidence in all communication going forward. The real risk is the fact that the private keys, once leaked, are leaked forever. If you can get past that, you can get past the entire problem."
