Heartbleed vulnerability

Some basics I’ve learned about this issue.

OpenSSL is an open-source implementation of SSL.  It is not the only implementation of SSL, and is not even the primary one.  Most vendors have their own implementation of SSL and of TLS, its directly related successor.

OpenSSL is available as an installed package, or as a library and utility “toolkit” that other programs build on.

The Heartbleed vulnerability is due to a programming error introduced in December 2011 and has been present in production releases since February 2012.

Where the full package is primarily used:  web servers such as Apache and nginx.
Where the toolkit is commonly used:  custom-written applications that use SSL to protect their data, such as VPN clients and SSL VPNs.

The estimated number of commercial web sites exposed to this vulnerability is huge:  500,000 worldwide.

Is Windows or Mac affected by this issue?  Not inherently: neither uses an open-source implementation of SSL or TLS.  However, the likelihood that some of the sites you use on a regular basis are vulnerable is very high, as Apache is very commonly used for commercial web sites.  Your best bet is to contact product vendors and watch the security media to learn exactly which of your products are vulnerable.

Is my Linux/Unix system vulnerable?  Very possibly.  OpenSSL is much more common on these systems.

Can I know if I’ve been compromised?  In short, no.  The vulnerability leaves sensitive data such as private keys, usernames, passwords, and more in memory on the system in decrypted form, where it can be read directly by any program.  Testing of the currently published exploits shows that they are virtually undetectable.  This is a particularly difficult vulnerability because it is difficult, if not impossible, to tell whether a program reading this area of memory is doing so as part of normal operation or as part of the exploit.  So typical log monitoring will not identify a compromise in this instance.
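As an added illustration (not part of the original post, and not OpenSSL’s own code): the programming error behind Heartbleed was a missing bounds check in the handling of TLS heartbeat messages (RFC 6520), where the claimed payload length was trusted when echoing the payload back. The parser below rejects a record whose claimed length does not fit inside the bytes actually received; the two sample messages are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* TLS heartbeat message (RFC 6520): type(1) | payload_length(2, big-endian) | payload | padding(>=16) */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16

enum hb_status { HB_OK = 0, HB_TOO_SHORT, HB_BAD_TYPE, HB_LENGTH_EXCEEDS_RECORD };

/* Validate a heartbeat record of record_len bytes before anything is copied.
 * Heartbleed was the absence of the HB_LENGTH_EXCEEDS_RECORD check: the claimed
 * payload_length was trusted, so the echo copied up to 64 KiB from a buffer that
 * only held record_len bytes, returning adjacent process memory to the peer. */
enum hb_status hb_validate(const uint8_t *rec, size_t record_len, size_t *payload_len_out)
{
    if (record_len < 1 + 2 + HB_MIN_PADDING)               /* type + length + minimum padding */
        return HB_TOO_SHORT;
    if (rec[0] != HB_REQUEST && rec[0] != HB_RESPONSE)
        return HB_BAD_TYPE;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + payload_len + HB_MIN_PADDING > record_len) /* the bounds check that was missing */
        return HB_LENGTH_EXCEEDS_RECORD;
    if (payload_len_out) *payload_len_out = payload_len;
    return HB_OK;
}

/* Echo only the validated payload. Returns bytes written, or 0 if the record is rejected. */
size_t hb_build_response(const uint8_t *rec, size_t record_len, uint8_t *out, size_t out_cap)
{
    size_t payload_len;
    if (hb_validate(rec, record_len, &payload_len) != HB_OK) return 0;
    size_t need = 1 + 2 + payload_len + HB_MIN_PADDING;
    if (need > out_cap) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);                 /* bounded by hb_validate */
    memset(out + 3 + payload_len, 0, HB_MIN_PADDING);      /* real code fills padding randomly */
    return need;
}
/* Constructed sample records (not captured traffic): 1 + 2 + 4 + 16 = 23 bytes each. */
static const uint8_t SAMPLE_OK[]        = { HB_REQUEST, 0x00, 0x04, 'p','i','n','g',
                                            0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };
static const uint8_t SAMPLE_OVERSIZED[] = { HB_REQUEST, 0xFF, 0xFF, 'p','i','n','g', /* claims 65535 */
                                            0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };
enum hb_status check_sample_ok(void)        { return hb_validate(SAMPLE_OK, sizeof SAMPLE_OK, NULL); }
enum hb_status check_sample_oversized(void) { return hb_validate(SAMPLE_OVERSIZED, sizeof SAMPLE_OVERSIZED, NULL); }
size_t response_len_ok(void)        { uint8_t b[64]; return hb_build_response(SAMPLE_OK, sizeof SAMPLE_OK, b, sizeof b); }
size_t response_len_oversized(void) { uint8_t b[64]; return hb_build_response(SAMPLE_OVERSIZED, sizeof SAMPLE_OVERSIZED, b, sizeof b); }
```

The well-formed record yields a 23-byte response; the record claiming 65535 bytes is rejected before any copy happens, which is exactly the difference between the flawed and the fixed code.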

Is a fix available?  Are all versions affected?  The vulnerability has been remediated in the current version.  See the link below for a list of secure versions and a list of safe and unsafe operating systems.

A good source of additional info:  http://heartbleed.com/
