Serious OpenSSL bug renders websites wide open

Powered by SC Magazine
 

Heartbleed headache.

A serious vulnerability in the popular OpenSSL cryptographic library has been discovered that allows attackers to steal information unnoticed.

Known as the Heartbleed bug, the vulnerability allows anyone on the Internet to read the memory of systems running vulnerable versions of OpenSSL, revealing the secret keys used to authenticate the server and encrypt its traffic.

User names, passwords and the actual content of the communications can also be read.

OpenSSL is used to protect websites, instant messaging, email server protocols, virtual private networks and other communications.

The programming mistake has left large numbers of private keys and other secrets exposed to the Internet for a long time, according to Finnish security consultants Codenomicon. The bug is a missing bounds check in OpenSSL's implementation of the TLS heartbeat extension: a peer sends a heartbeat request containing a payload and a length field, and the server copies as many bytes into its reply as the length field claims, not as many as the request actually contained. Attackers can therefore read the memory of vulnerable systems in chunks of up to 64 kilobytes at a time, repeating the request until they have the information needed to successfully compromise them.

The flaw was introduced into OpenSSL's source code in December 2011 and has been "out in the wild", that is, shipping in released versions of the library, since OpenSSL 1.0.1 was released in March 2012.

No man-in-the-middle interception is required to exploit the out-of-bounds read: an attacker simply opens a TLS connection to the vulnerable host and sends malformed heartbeat requests. Heartbeat messages are not normally logged, so attacks leave no trace on vulnerable systems.
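The following is an added example, not code from OpenSSL or from the article, that models the heartbeat handling described above. It places a heartbeat request in a constructed memory arena with a made-up secret lying just after it, then processes the request twice: once without the bounds check (the OpenSSL 1.0.1 to 1.0.1f behaviour) and once with the check added in 1.0.1g. The arena layout, the secret string and all function names are assumptions for illustration only; the over-read is kept inside the arena so the demonstration itself has no undefined behaviour.

```c
/*
 * Added example, not OpenSSL's own code: a model of TLS heartbeat request
 * handling (RFC 6520) showing the missing bounds check behind Heartbleed
 * next to the check that fixes it. Arena layout, secret and names are
 * constructed for illustration.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* minimum padding required by RFC 6520 */

/* Constructed "process memory": the decrypted heartbeat record is placed at
 * the start and a secret lies just after it, as it might on a real heap. */
static unsigned char arena[4096];
static const char secret[] = "-----BEGIN RSA PRIVATE KEY----- (constructed)";

/* Write a heartbeat_request into arena. `claimed` is the length field the
 * peer sends; `payload` is what it really sends. Returns the true record
 * length that the TLS record layer would report. */
static size_t build_request(uint16_t claimed, const char *payload)
{
    size_t plen = strlen(payload), n = 0;
    memset(arena, 0, sizeof arena);
    arena[n++] = HB_REQUEST;
    arena[n++] = (unsigned char)(claimed >> 8);
    arena[n++] = (unsigned char)(claimed & 0xff);
    memcpy(arena + n, payload, plen);
    n += plen + HB_PADDING;                     /* padding bytes are already zero */
    memcpy(arena + n, secret, sizeof secret);   /* adjacent memory, not part of the record */
    return n;
}

/* Build the heartbeat_response into `out`. With checked == 0 this mirrors the
 * defect in OpenSSL 1.0.1 through 1.0.1f: the copy length comes from the
 * peer's length field and is never compared with the record length. With
 * checked == 1 it applies the 1.0.1g fix. Returns the response length, or
 * -1 if the record is rejected. */
static int handle_heartbeat(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap, int checked)
{
    if (checked && 1 + 2 + HB_PADDING > rec_len)
        return -1;                               /* too short for header plus padding */
    unsigned char hbtype = rec[0];
    size_t payload = ((size_t)rec[1] << 8) | rec[2];   /* attacker controlled */
    if (checked && 1 + 2 + payload + HB_PADDING > rec_len)
        return -1;                               /* claimed payload exceeds the record: drop it */
    if (hbtype != HB_REQUEST)
        return -1;
    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap)
        return -1;                               /* model-only guard; OpenSSL allocated the exact size */
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, rec + 3, payload);           /* unchecked: reads past the end of the record */
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)resp_len;
}

/* Does a response echo the secret? (1 = yes, 0 = no) */
static int response_leaks_secret(const unsigned char *resp, int resp_len)
{
    size_t slen = strlen(secret);
    if (resp_len <= 0)
        return 0;
    for (size_t i = 0; i + slen <= (size_t)resp_len; i++)
        if (memcmp(resp + i, secret, slen) == 0)
            return 1;
    return 0;
}

/* One scenario: a 3-byte payload whose length field claims `claimed` bytes.
 * Returns -1 if the request was rejected, 1 if the secret leaked into the
 * response, 0 if the request was answered without leaking. */
static int simulate(uint16_t claimed, int checked)
{
    static unsigned char resp[2048];
    size_t rec_len = build_request(claimed, "hi!");
    int n = handle_heartbeat(arena, rec_len, resp, sizeof resp, checked);
    if (n < 0)
        return -1;
    return response_leaks_secret(resp, n);
}

int main(void)
{
    printf("unchecked, claims 1024 bytes: %d (1 = secret leaked)\n", simulate(1024, 0));
    printf("checked,   claims 1024 bytes: %d (-1 = rejected)\n", simulate(1024, 1));
    printf("checked,   honest 3 bytes:    %d (0 = answered, no leak)\n", simulate(3, 1));
    return 0;
}
```

The fixed path rejects the request as soon as the claimed payload plus header and padding exceeds what the record layer actually delivered; the unchecked path happily copies whatever follows the record, which is the whole bug.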

The flaw, discovered by Google engineers Neel Mehta and Adam Langley and, separately, by Codenomicon, affects OpenSSL versions 1.0.1 through 1.0.1f and 1.0.2-beta1. The older 1.0.0 and 0.9.8 branches do not contain the heartbeat code and are not affected.

OpenSSL recommends that users immediately upgrade to version 1.0.1g. If that's not possible, users should recompile OpenSSL with the -DOPENSSL_NO_HEARTBEATS flag to remove the heartbeat extension altogether. The 1.0.2 version of OpenSSL will be fixed in beta 2. Two caveats for administrators: distribution packages often backport the fix without changing the upstream version string, so on packaged systems the vendor's advisory, not the output of "openssl version", says whether a host is patched; and since private keys may already have been read out of memory, patching alone is not enough and affected certificates and keys should be reissued.

Debian Wheezy, Ubuntu 12.04.4 LTS, CentOS 6.5, Fedora 18, OpenBSD 5.3, FreeBSD 8.4, NetBSD 5.0.2 and OpenSUSE 12.2 are all listed as vulnerable to the Heartbleed bug.

Copyright © iTnews.com.au . All rights reserved.
