Monier Shokry

Introduction:

Heartbleed is not a problem with the SSL/TLS protocol itself; it is a security bug in OpenSSL, the open-source library widely used to implement the Transport Layer Security (TLS) protocol. The bug is a buffer over-read: the software allows more data to be read than it should, which means an attacker can steal information that would normally be protected by the SSL/TLS encryption used to secure the Internet.

  • Why is it serious?
  • How to detect if you are affected?
  • How common are the vulnerable OpenSSL versions?
  • How about operating systems?
  • How to fix it?
  • References.

Why is it serious?

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

How common are the vulnerable OpenSSL versions?

The vulnerable versions have been out there for over two years now and have been rapidly adopted by modern operating systems. A major contributing factor is that TLS versions 1.1 and 1.2 became available with the first vulnerable OpenSSL version (1.0.1), and the security community has been pushing TLS 1.2 because of earlier attacks against TLS.

How about operating systems?

Some operating system distributions that have shipped with a potentially vulnerable OpenSSL version:

  • Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
  • Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
  • CentOS 6.5, OpenSSL 1.0.1e-15
  • Fedora 18, OpenSSL 1.0.1e-4
  • OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)
  • FreeBSD 10.0 - OpenSSL 1.0.1e 11 Feb 2013
  • NetBSD 5.0.2 (OpenSSL 1.0.1e)
  • OpenSUSE 12.2 (OpenSSL 1.0.1c)

Operating system distributions with versions that are not vulnerable:

  • Debian Squeeze (oldstable), OpenSSL 0.9.8o-4squeeze14
  • SUSE Linux Enterprise Server
  • FreeBSD 8.4 - OpenSSL 0.9.8y 5 Feb 2013
  • FreeBSD 9.2 - OpenSSL 0.9.8y 5 Feb 2013
  • FreeBSD 10.0p1 - OpenSSL 1.0.1g (At 8 Apr 18:27:46 2014 UTC)
  • FreeBSD Ports - OpenSSL 1.0.1g (At 7 Apr 21:46:40 2014 UTC)

How to detect if you are affected?

You can test whether you are vulnerable by sending a heartbeat request that asks for a large response. If the server replies, your SSL service is probably vulnerable. You can use any of the tests below:

How to fix it?

  • Upgrade the OpenSSL version to 1.0.1g
  • Request revocation of the current SSL certificate
  • Regenerate your private key
  • Request and replace the SSL certificate
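To make the buffer over-read from the introduction and the bounds check that the 1.0.1g upgrade adds concrete, here is an added example (not OpenSSL's code and not part of the original post). It models a TLS heartbeat message handler over a constructed memory buffer: the received record is 21 bytes long but claims a 64-byte payload, and the bytes after the record stand in for unrelated heap data (a constructed fake key); the unchecked handler echoes that adjacent data back, the checked handler discards the message.

```c
#include <stddef.h>
#include <string.h>

/* TLS heartbeat body (RFC 6520): type(1) | payload_length(2, big-endian) | payload | padding(16) */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Constructed "process memory": the 21 received bytes sit at the front, the rest is adjacent heap data. */
static unsigned char memory[128] = {
    HB_REQUEST, 0x00, 0x40, 'h', 'i',            /* claims a 64-byte payload, carries 2 bytes */
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,             /* 16 bytes of padding */
    'S','E','C','R','E','T','K','E','Y' };       /* constructed fake key; NOT part of the record */
static const size_t record_len = 1 + 2 + 2 + HB_PADDING;

/* Vulnerable shape: trusts the length field inside the message, never compares it to what arrived. */
int hb_respond_unchecked(const unsigned char *rec, size_t rec_len, unsigned char *out, size_t cap)
{
    (void)rec_len;                                   /* the missing check */
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (3 + payload > cap) return -1;                /* only the output buffer is guarded */
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);               /* over-read: copies bytes 3..66 of memory */
    return (int)(3 + payload);
}

/* Hardened shape, as in the 1.0.1g fix: a claimed payload that does not fit the record is discarded. */
int hb_respond_checked(const unsigned char *rec, size_t rec_len, unsigned char *out, size_t cap)
{
    if (rec_len < 1 + 2 + HB_PADDING) return -1;     /* too short even for an empty payload */
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + payload + HB_PADDING > rec_len) return -1; /* length field lies: drop silently */
    if (3 + payload > cap) return -1;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    return (int)(3 + payload);
}

/* Bytes of the fake key echoed back by the unchecked handler (9 when the over-read leaks it). */
int leaked_bytes_unchecked(void)
{
    unsigned char out[128];
    if (hb_respond_unchecked(memory, record_len, out, sizeof out) < 0) return -1;
    return memcmp(out + 21, "SECRETKEY", 9) == 0 ? 9 : 0;   /* response mirrors request layout */
}

/* Return code of the hardened handler on the same lying record (-1: message discarded). */
int checked_result(void)
{
    unsigned char out[128];
    return hb_respond_checked(memory, record_len, out, sizeof out);
}
```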

References.
