Beware of Bleeding Hearts (Updated)

A recently discovered vulnerability, identified as Common Vulnerabilities and Exposures (CVE) CVE-2014-0160, but more commonly called HeartBleed Vulnerability, has been acknowledged by the Open SSL Organization and the Finnish Cert Team. This is an attack against the transport layer security protocol (TLS/DTLS) hearbeat extension. When it is exploited it leads to the leak of memory contents from the server to the client and from the client to the server.

This vulnerability is pretty serious in that it is transparent to the administrators, as there is no log of the attack. When an attack is carried out, the attacker can perform a memory dump of the target machine, 64 kilobytes at a time. Fortunately the attacker doesn’t get to choose which 64k they will get, but they can make multiple attacks at a time, collecting the entire memory. The attacker can directly contact the vulnerable service or attack any user connecting to a malicious service.

One of the discovering agencies, Codenomicon Defensics posted in an F.A.Q. that some of the information they were able to obtain when testing were "secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication."

This bug was introduced to OpenSSL in December 2011 and has been out since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.

Unlike the recent “goto fail” vulnerability in OS X, and the similar one in GnuTLS, this is not a man-in-the-middle attack. However, once this attack is used and the SSL keys are obtained, the attack can result in a man-in-the-middle attack.

There are several websites devoted to detailed analysis, such as https://heartbleed.com, and to testing the servers for the vulnerability such as http://filippo.io/Heartbleed/, while security vendors are working hard to set up honeypots and tools to detect these threats.

Tenable released such detection on the 8th of April: http://www.tenable.com/plugins/index.php?view=single&id=73412. This plugin can test HTTPS (and everything direct SSL, really) but also IMAP, LDAP, NNTP, POP, SMTP, XMPP and more. Tenable also released a plugin for its Passive Vulnerability Scanner (PVS): http://www.tenable.com/8194.html. This plugin checks if the remote web server is running an instance of OpenSSL that may be affected by an information disclosure vulnerability. The Nessus plugin is a local patch checking plugins for just about every Linux OS out there which check for this vulnerability safely and accurately, and the PVS plugin detects this by sniffing the network.

The only fix for this is to update the OpenSSL package to version 1.0.1g. It is also recommended once you are patched, if you suspect you were attacked and had leakage, to revoke your SSL key, and reissue new keys. This is the safest way to ensure your certificates can remain trusted.