Announcement Announcement Module
Collapse
No announcement yet.
Heartbleed vulnerability and Solution Page Title Module
Move Remove Collapse
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • Heartbleed vulnerability and Solution

    Overview

    A vulnerability in OpenSSL could allow a remote attacker to expose sensitive data, possibly including user authentication credentials and secret keys, through incorrect memory handling in the TLS heartbeat extension.

    Description

    OpenSSL versions 1.0.1 through 1.0.1f contain a flaw in its implementation of the TLS/DTLS heartbeat functionality. This flaw allows an attacker to retrieve private memory of an application that uses the vulnerable OpenSSL library in chunks of 64k at a time. Note that an attacker can repeatedly leverage the vulnerability to retrieve as many 64k chunks of memory as are necessary to retrieve the intended secrets. The sensitive information that may be retrieved using this vulnerability include:

    *Primary key material (secret keys)
    *Secondary key material (user names and passwords used by vulnerable services)
    *Protected content (sensitive data used by vulnerable services)
    *Collateral (memory addresses and content that can be leveraged to bypass exploit mitigations)

    Exploit code is publicly available for this vulnerability.

    Impact

    This flaw allows a remote attacker to retrieve private memory of an application that uses the vulnerable OpenSSL library in chunks of 64k at a time.

    Solution

    OpenSSL 1.0.1g has been released to address this vulnerability. Any keys generated with a vulnerable version of OpenSSL should be considered compromised and regenerated and deployed after the patch has been applied.

    7 steps to stopping the Heartbleed SSL/TLS bug

    *Inventory all systems and servers running OpenSSL 1.0.1 and newer
    *Upgrade to OpenSSL 1.0.1g or recompile with -DOPENSSL_NO_HEARTBEATS
    *Revoke compromised keys and reissue new keys from the Certificate Authority
    *Change user passwords and encryption keys
    *All session keys and session cookies must be expired/invalidated
    *All users of systems where SSL is in use must be informed of the potential for compromise
    *Consider implementing perfect forward secrecy to protect against current and future attack.

Tag Cloud Tag Cloud Module
Collapse
Working...
X