Heartbleed OpenSSL Bug Needs Serious Attention, Say Experts


A popular open source encryption protocol contains a serious vulnerability that threatens to expose protected communication in a variety of Unix and Linux systems including widely deployed Apache Web servers.

The critical issue impacts hundreds of thousands of servers globally, and could put Internet users at risk, say security experts.

The OpenSSL Project has issued an update to the OpenSSL library correcting the flaw, which has been in existence for at least two years. OpenSSL is used to implement the SSL and TLS protocols that encrypt some web-based email services, instant messaging and other communications, including the browser session of users when conducting some banking and ecommerce transactions.

The vulnerability is being dubbed the Heartbleed bug because the vulnerability is in the way OpenSSL handles Heartbeat Extension packets, used to keep a secure connection without continuous data transfer between two points. A remote attacker could obtain sensitive information from process memory leaks, including the digital certificate keys used to encrypt the communication. In its advisory, The OpenSSL Project is urging users to immediately upgrade to OpenSSL 1.0.1g.

[Related: Microsoft Patch Tuesday: Retire Comfortably, Windows XP]

Finnish-based software testing tool maker Codenomicon said Heartbleed enables an attacker to gain access to 64 KB of memory, just enough to expose the secret keys used for digital certificates. Once the keys are stolen, an attacker can conduct man-in-the-middle attacks to view encrypted data between two or more systems connecting to the impacted server. Administrators can properly patch the vulnerability by revoking keys that are used to encrypt communication and redistributing new keys, Codenomicon said. The update has to be applied to a wide variety of businesses, including manufacturers of products that use the OpenSSL library for secure communication, the firm said.

"Operating system vendors and distribution, appliance vendors, independent software vendors have to adopt the fix and notify their users," the firm said in its advisory. "Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use."

Solution providers say they are warning clients about the vulnerability and working with them to get their systems patched. Don Gray, chief security strategist at Omaha, Neb.-based managed security services provider Solutionary, a subsidiary of NTT Group, called the flaw extremely serious and said his firm has issued an advisory to clients. While the update repairing the flaw is not complicated, a stolen encryption key can enable an attacker to gain long-term access to communications that is meant to be secure.  

"The real issue here is that there is no guarantee that the server hasn't already been compromised," Gray said. "If you apply the patch you've fixed the bug, but you haven't fixed the whole issue, because it is untraceable to know if someone has compromised the key prior to applying the patch."

PUBLISHED APRIL 8, 2014