OpenSSL Heartbleed Vulnerability CVE-2014-0160

By:

on

April 10, 2014

What is "Heartbleed"?

"Heartbleed" is the common name being used to refer to a critical security vulnerability found in the OpenSSL TLS Heartbeat system. OpenSSL is a very popular encryption library in widespread use across the Internet. It is considered to be a critical piece of software infrastructure to countless organizations worldwide. It is the library in use on most Open Source systems to enable encryption, such as with HTTPS.Heartbleed Logo

The nature of the vulnerability allowed anyone to retrieve chunks of system memory from a web server with an affected OpenSSL package. This did not require any special network access, such as is the case with a "Man In The Middle" attack which would involve intercepting network packets. Rather this particular vulnerability is considered a major security threat because anyone from anywhere in the world could exploit a vulnerable server to retrieve sensitive information with no special access requirements, and no logs kept of such traffic (logging this type of traffic would be a rare exception under most regular operations).

This makes the Heartbleed vulnerability a much more severe exploit than most. Security updates for potential vulnerabilities are released on a very regular basis (ASAP), but for the most part these vulnerabilities require some level of access into the system to begin with and use that access to gain additional privileges (called "privilege escalation"). Heartbleed is different because anyone could anonymously retrieve arbitrary data from a vulnerable web server; No special access is required. To further complicate this matter, the data exposed via this attack could have included anything running on the system, including highly sensitive information such as user passwords and private encryption keys.

Is OpenConcept Secure?

OpenConcept performs regular security updates on all our servers as well as numerous client-run servers. We perform security updates on our servers at a minimum interval of weekly, with critical infrastructure such as Apache, SSL, SSH, or any other network-enabled service updates applied ASAP, as announced via security mailing lists. Under normal day-to-day conditions we simply perform these updates behind the scenes, as notifications about each security update are unlikely to be helpful to our clients and the impact is usually minimal-to-none.

Due to the widespread and critical nature of the recent OpenSSL TLS Heartbleed Vulnerability, we feel that this time additional information is necessary.

All OpenConcept servers use either Ubuntu Linux or its parent distrubution Debian Linux. Both distributions alerted their users that updated OpenSSL packages were available to address this vulnerability on Monday, April 7, 2014.

The Ubuntu Security Notice was assigned # USN-2165-1
The Debian Security Alert was assigned # DSA-2896

OpenConcept applied these updates immediately on all applicable servers. Encryption key pairs were regenerated. Many of our servers were never vulnerable to this exploit and no action was required.

We have contacted our clients who may have been affected by this issue with instructions.

For more information on this exploit, please visit
http://heartbleed.com/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160

About The Author

Jack Of All Trades, Master Of Linux. Mike Mallett has been using and advocating the use of free source software for over 10 years. He has worked in organizations large and small, and everything in between. His professional career launched in 1999 with Ottawa-based Object Technology International and went on to pursue human-focused work at Nonviolence International, IDASA, and Human Rights Internet. With experience installing and configuring 20+ different operating systems, Mike has a strong fundamental understanding of modern computing.

Add new comment

Plain text

  • No HTML tags allowed.
  • Lines and paragraphs break automatically.
CAPTCHA
This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.