You can now find Cyber Kendra on Google News!

Heartbleed - OpenSSL Zero-day Bug leaves Millions of websites Vulnerable

openssl heartbeat, openssl heart bleed, Heartbleed - OpenSSL Zero-day Bug leaves Millions of websites Vulnerable, Codenomicon, OpenSSL vulnerability, Heartbleed bug, About The Bug - HeartBleed, flaw is in the popular OpenSSL cryptographic software, read up to 64kilobytes, Google Security engineer
On Monday, A potentially critical security vulnerability in OpenSSL has been discovered by a independent security firm Codenomicon along with the Neel Mehta a Google Security engineer, that allows an attacker to read up to 64kilobytes of memory from the server running a vulnerable OpenSSL version.

The flaw is in the popular OpenSSL cryptographic software library and its weakness allows cyber criminals to steal the information protected, under normal conditions, by the SSL (Secure Sockets Layer) or TLS (Transport Security Layer) encryption used to secure the Internet.

OpenSSL is an open-source implementation of the SSL and TLS protocols. It is a cryptographic library which is used for encrypting communication between web server and users. It is being used by almost all popular organisation websites including Yahoo, Google, Twitter and even Apache web server that powers almost half of the websites over internet utilizes OpenSSL.

About The Bug - HeartBleed
The Bug was named as "Heartbleed bug" vulnerability is located in HeartBeat extension and it leads to memory leak. This Critical Bug with a code ID CVE-2014-0160 , allows the attacker to expose up to 64kB of memory from the server or a connected client computer running a vulnerable version of OpenSSL software. In other words, attacker can steal the private or encrypted important information as like username and passwords and other confidential data remotely.

“We have tested some of our own services from attacker’s perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able steal from ourselves the secret keys used for our X.509 certificates, usernames and passwords, instant messages, emails and business critical documents and communication.” Researcher noted on the post.

How to Fix it ?
For this critical bug, researcher have fixed this vulnerability and issued a new version of the OpenSSL software (v1.0.1g). Server using OpenSSL 1.0.1 and 1.0.1f, are vulnerable to this bug and are recommend to upgrade the software to its latest version (which is just released). 

Details of the Bug
As for the details and POC of the Vulnerability researcher posted it on GitHub. Additionally you all can check from this website that your server is vulnerable to this bug or not. 

Post a Comment