Security researchers from Codenomicon and Google unveiled on Monday the existence of a bug in certain versions of OpenSSL, the library that encrypts and secures web transactions as well as many other network services.
Bugs are discovered in software all the time, but this one has generated far more attention and panic. Why? Some estimate OpenSSL secures almost 2/3 of the entire web. Furthermore, this bug allows exactly what a security library is meant not to do: allow attackers to get decrypted versions of encrypted traffic. This bug is really bad. As the bug is in the “heartbeat” feature of TLS and it bleeds secure information to attackers, the security community has dubbed this bug HeartBleed.
In the very worst case, it could mean that a website’s private key could be compromised, allowing a successful attacker to impersonate that website and listen to all encrypted traffic going to it. In slightly less disastrous cases, it could expose usernames, passwords, credit card numbers, or sensitive documents.
In short, anybody running any SSL/TLS protected web and network services need to stop what they’re doing and ensure they’re not exposed by this bug.
The bug affects only certain versions of OpenSSL; any version of the 1.0.1 release until 1.0.1g contain the vulnerability. Unfortunately, this includes many of the most popular Linux and BSD distributions like Ubuntu, CentOS, and FreeBSD. The security researchers and the OpenSSL team released patches to the vulnerable versions when they announced the bug to the world.
Check out Celerity’s IT Risk Management Services to find out where your vulnerabilities are.