Serious OpenSSL bug renders websites wide open

Powered by SC Magazine
 

Heartbleed headache.

A serious vulnerability in the popular OpenSSL cryptographic library has been discovered that allows attackers to steal information unnoticed.

Known as the Heartbleed bug, the vulnerability allows anyone on the Internet to read the memory of systems that run vulnerable versions of OpenSSL, revealing the secret authentication and encryption keys to protect the traffic.

User names, passwords and the actual content of the communications can also be read.

OpenSSL is used to protect websites, instant messaging, email server protcols, virtual private networks and other communications.

The programming mistake has left large amounts of private keys and and other secrets exposed to the Internet for a long time, according to Finnish security consultants Codenomicon. Attackers can read the memory of vulnerable systems in 64 kilobyte chunks, until they have the required information to succesfully compromise them.

The flaw was introduced in OpenSSL in December 2011, and has been "out in the wild" or known to attackers since March 2012.

No man-in-the-middle techniques of interception are required to exploit the out-of-bounds memory bug, and attacks leave no trace on vulnerable systems.

The flaw, discovered by Google engineers Neel Mehta and Adam Langley as well separately by Codenomicon, affects OpenSSL versions 1.0.1 and 1.0.2-beta.

OpenSSL recommends that uses immediately upgrade to version 1.0.1g. If that's not possible, users should recompile OpenSSL with the -DOPENSSL_NO_HEARTBEATS flag to remove the the heartbeat handshake. The 1.0.2 version of OpenSSL will be fixed with beta 2.

Debian Wheezy, Ubuntu 12.04.4 LTS, Centos 6.5, Fedora 18, OpenBSD 5.3, FreeBSD 8.4, NetBSD 5.0.2 and OpenSUSE 12.2 are all listed as vulnerable to the Heartbleed bug.

Copyright © iTnews.com.au . All rights reserved.


Serious OpenSSL bug renders websites wide open
 
 
 
Top Stories
Matching databases to Linux distros
Reviewed: OS-repository DBMSs, MariaDB vs MySQL.
 
Coalition's NBN cost-benefit study finds in favour of MTM
FTTP costs too much, would take too long.
 
Who'd have picked a BlackBerry for the Internet of Things?
[Blog] BlackBerry has a more secure future in the physical world.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
Which is the most prevalent cyber attack method your organisation faces?




   |   View results
Phishing and social engineering
  70%
 
Advanced persistent threats
  3%
 
Unpatched or unsupported software vulnerabilities
  12%
 
Denial of service attacks
  6%
 
Insider threats
  10%
TOTAL VOTES: 704

Vote