Heartbleed - OpenSSL Zero-day Bug leaves Millions of websites Vulnerable

On Monday, A potentially critical security vulnerability in OpenSSL has been discovered by an independent security firm Codenomicon along with Neel Mehta a Google Security engineer, that allows an attacker to read up to 64kilobytes of memory from the server running a vulnerable OpenSSL version.

The flaw is in the popular OpenSSL cryptographic software library and its weakness allows cybercriminals to steal the information protected, under normal conditions, by the SSL (Secure Sockets Layer) or TLS (Transport Security Layer) encryption used to secure the Internet.

OpenSSL is an open-source implementation of the SSL and TLS protocols. It is a cryptographic library that is used for encrypting communication between the web server and users. It is being used by almost all popular organization websites including Yahoo, Google, Twitter, and even Apache web server that powers almost half of the websites over the internet and utilizes OpenSSL.

About The Bug - HeartBleed

The Bug was named the "Heartbleed bug" vulnerability is located in the HeartBeat extension and it leads to memory leaks. This Critical Bug with a code ID CVE-2014-0160, allows the attacker to expose up to 64kB of memory from the server or a connected client computer running a vulnerable version of OpenSSL software. In other words, attackers can steal private or encrypted important information such as usernames and passwords and other confidential data remotely.

“We have tested some of our own services from the attacker’s perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, usernames and passwords, instant messages, emails, and business-critical documents and communication.” The researcher noted this in the post.

How to Fix it?

For this critical bug, researchers have fixed this vulnerability and issued a new version of the OpenSSL software (v1.0.1g). Servers using OpenSSL 1.0.1 and 1.0.1f, are vulnerable to this bug and are recommended to upgrade the software to its latest version (which is just released). 

Details of the Bug

As for the details and POC of the Vulnerability, the researcher posted it on GitHub. Additionally, you can check from this website whether your server is vulnerable to this bug or not.