Critical "Heartbleed" security bug found in OpenSSL library

Security researchers sound alarm over new OpenSSL vulnerability that could let hackers eavesdrop on communications


Security group Codenomicon has found a critical bug in OpenSSL that compromises the security of the TLS connections the library is meant to protect.

"Your popular social site, your company's site, commerce site, hobby site, site you install software from or even sites run by your government might be using vulnerable OpenSSL," Codenomicon wrote. "Many of online services [sic] use TLS to identify themselves to you and to protect your privacy and transactions."

The bug, nicknamed Heartbleed, "allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users."

Codenomicon tested the vulnerability on their own systems and found they could steal their own usernames, passwords, emails, IMs and other documents without leaving a trace.

"It's pretty serious," independent security expert Graham Cluley told IT Pro.

The Heartbleed exploit takes advantage of a programming mistake in the heartbeat extension of OpenSSL. The faulty code returns up to 64KB of the server's memory per request that the requester should never be able to read. Attackers could repeat the request automatically to scrape vulnerable data out of memory, 64KB at a time.
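As an added illustration (not code from the article or from OpenSSL itself), the pattern behind the 64KB over-read and its fix, modelled in C on a constructed in-memory record: the vulnerable handler copies as many bytes as the request's length field claims, while the fixed handler first checks that claim against the number of bytes actually received. The record layout, the arena, the secret string and all function names are assumptions made for the demo.

```c
#include <stdint.h>
#include <string.h>
/* Simplified heartbeat request (RFC 6520): type(1) | payload_length(2, big-endian) | payload | padding(16) */
#define HB_HDR 3
#define HB_PAD 16
/* Constructed arena: the record is followed by unrelated "secret" process memory, so an over-read
 * stays inside this buffer and the demo is well-defined (keep claimed_len below sizeof arena - HB_HDR). */
static unsigned char arena[256];
static const char secret[] = "SECRET-SESSION-COOKIE";

/* Build a record claiming claimed_len payload bytes but carrying only actual_len; returns bytes received. */
static size_t build_record(uint16_t claimed_len, size_t actual_len) {
    memset(arena, 0, sizeof arena);
    arena[0] = 1;                                   /* heartbeat_request */
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memset(arena + HB_HDR, 'A', actual_len);
    memcpy(arena + HB_HDR + actual_len + HB_PAD, secret, sizeof secret);
    return HB_HDR + actual_len + HB_PAD;
}

/* Vulnerable pattern (OpenSSL before 1.0.1g): trusts the length field from the wire. */
static size_t respond_unchecked(const unsigned char *rec, size_t rec_len, unsigned char *out) {
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    (void)rec_len;                                  /* received length is never consulted */
    memcpy(out, rec + HB_HDR, payload);             /* copies whatever follows the record */
    return payload;
}

/* Fixed pattern: header + claimed payload + padding must fit in the bytes actually received. */
static size_t respond_checked(const unsigned char *rec, size_t rec_len, unsigned char *out) {
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (HB_HDR + (size_t)payload + HB_PAD > rec_len) return 0;  /* discard silently */
    memcpy(out, rec + HB_HDR, payload);
    return payload;
}

static int leaks_secret(const unsigned char *out, size_t n) {
    for (size_t i = 0; i + sizeof secret <= n; i++)
        if (memcmp(out + i, secret, sizeof secret) == 0) return 1;
    return 0;
}

/* Runs one request through either handler: 1 = secret leaked, 0 = clean echo, -1 = rejected. */
static int run_request(int use_fix, uint16_t claimed, size_t actual) {
    unsigned char out[sizeof arena];
    size_t rec_len = build_record(claimed, actual);
    size_t n = use_fix ? respond_checked(arena, rec_len, out) : respond_unchecked(arena, rec_len, out);
    return n == 0 ? -1 : leaks_secret(out, n);
}
```

With a record that claims 64 payload bytes but carries 4, the unchecked handler echoes the neighbouring secret while the checked handler drops the request; an honest request passes both.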

The bug has been in place for two years.

"Considering the long exposure, ease of exploitation and attacks leaving no trace, this exposure should be taken seriously," Codenomicon wrote.

Problems with OpenSSL have wide-ranging implications, as it is widely used to secure online connections. Sixty-six per cent of web servers (Apache and nginx), as well as email programs (SMTP, POP, IMAP), chat programs (XMPP) and SSL-based virtual private networks, can be compromised with this bug.

Businesses should check if they are using a compromised version of a VPN, as it could expose their data to anyone.

Heartbleed makes it possible to read traffic from systems running the vulnerable OpenSSL builds shipped by operating systems such as Debian, Ubuntu, Fedora, openSUSE, OpenBSD and FreeBSD.

It also compromises websites such as PayPal, Craigslist, Barclays Mobile Banking and Amazon Web Services. Amazon has confirmed it is upgrading its services right now.

OpenSSL users concerned about fixing their systems should adopt the fixed OpenSSL release, the new version without Heartbleed. Alternatively, they can recompile OpenSSL with the heartbeat extension disabled.

"OpenSSL users should upgrade to the latest version (1.0.1g) immediately, and regenerate their private keys," Cluley said.

Upgrading to a safe version is essential now that Heartbleed is public: more attackers know about the vulnerability and can check whether a system has been patched yet.

Codenomicon does not know whether the bug has been used to compromise other systems, because exploitation leaves no trace in any logs.
