Critical "Heartbleed" security bug found in OpenSSL protocol


Security firm Codenomicon has found a critical bug in OpenSSL that undermines the security of the TLS connections the library is meant to protect.

"Your popular social site, your company's site, commerce site, hobby site, site you install software from or even sites run by your government might be using vulnerable OpenSSL," Codenomicon wrote. "Many of online services [sic] use TLS to identify themselves to you and to protect your privacy and transactions."

The bug, nicknamed Heartbleed, "allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users."

Codenomicon tested the vulnerability on their own systems and found they could steal their own user names, passwords, emails, IMs, and other documents without leaving a trace.

"It's pretty serious," independent security expert Graham Cluley told IT Pro.

The Heartbleed exploit takes advantage of a programming mistake in the heartbeat extension of OpenSSL. The faulty code reveals 64KB of memory that the user should not be able to access. Attackers could automate this process to scrape vulnerable documents, 64KB at a time.
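The programming mistake described above is a missing length check: the heartbeat request carries a field saying how long its payload is, and the flawed code echoed back that many bytes without comparing the claim against how many bytes actually arrived. The following C program is an added, constructed model of that mistake and of the check that fixes it; it is not OpenSSL's code. The record layout follows RFC 6520 (type, 16-bit length, payload, padding), and `g_mem`, `SECRET`, `stage_request`, `vulnerable_reply` and `hardened_reply` are all names invented for this illustration. The "process memory" is a fixed array so the demonstration stays inside defined behaviour while still showing data beyond the record being returned.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Heartbeat record layout (RFC 6520): type(1) | payload_length(2, big-endian) |
 * payload | padding (at least 16 bytes). Constructed model, not OpenSSL code. */
#define HB_HDR 3
#define HB_PAD 16
#define HB_REQUEST 1

/* Constructed "process memory": the received record is placed at the front and
 * a secret the peer must never see sits right behind it, as leftover heap data
 * would. The 64KB figure in the text comes from the 16-bit length field. */
#define MEM_SIZE 256
static unsigned char g_mem[MEM_SIZE];
static const char SECRET[] = "session-cookie=CONSTRUCTED-SECRET";

/* Place a heartbeat request in g_mem whose header advertises claimed_len
 * payload bytes even though only actual_len are supplied. Returns the true
 * record length, which the TLS record layer does know. */
size_t stage_request(uint16_t claimed_len, const char *payload, size_t actual_len)
{
    memset(g_mem, 0, sizeof g_mem);
    g_mem[0] = HB_REQUEST;
    g_mem[1] = (unsigned char)(claimed_len >> 8);
    g_mem[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(g_mem + HB_HDR, payload, actual_len);
    size_t rec_len = HB_HDR + actual_len + HB_PAD;
    memcpy(g_mem + rec_len, SECRET, sizeof SECRET);
    return rec_len;
}

/* Vulnerable handler: echoes back as many bytes as the header CLAIMS, never
 * comparing that against how many bytes actually arrived. (The model keeps the
 * copy inside g_mem, so the demo itself has no undefined behaviour.) */
size_t vulnerable_reply(const unsigned char *rec, size_t rec_len, unsigned char *out)
{
    (void)rec_len;  /* the real length is ignored: this is the bug */
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    memcpy(out, rec + HB_HDR, claimed);
    return claimed;
}

/* Hardened handler: header + claimed payload + padding must fit inside the
 * record that was actually received; otherwise the request is dropped. */
size_t hardened_reply(const unsigned char *rec, size_t rec_len, unsigned char *out)
{
    if (rec_len < HB_HDR + HB_PAD) return 0;
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)claimed > rec_len - HB_HDR - HB_PAD) return 0;  /* the missing check */
    memcpy(out, rec + HB_HDR, claimed);
    return claimed;
}

/* Does a reply of n bytes contain the secret that lay beyond the record? */
int reply_leaks_secret(const unsigned char *out, size_t n)
{
    size_t slen = strlen(SECRET);
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(out + i, SECRET, slen) == 0) return 1;
    return 0;
}

/* Run one scenario: a 4-byte "ping" with the given claimed length. */
size_t scenario_reply_len(int hardened, uint16_t claimed_len)
{
    unsigned char reply[MEM_SIZE];
    size_t rec_len = stage_request(claimed_len, "ping", 4);
    return hardened ? hardened_reply(g_mem, rec_len, reply)
                    : vulnerable_reply(g_mem, rec_len, reply);
}

int scenario_leaks(int hardened, uint16_t claimed_len)
{
    unsigned char reply[MEM_SIZE];
    size_t rec_len = stage_request(claimed_len, "ping", 4);
    size_t n = hardened ? hardened_reply(g_mem, rec_len, reply)
                        : vulnerable_reply(g_mem, rec_len, reply);
    return reply_leaks_secret(reply, n);
}

int main(void)
{
    printf("vulnerable, claims 120: %zu bytes, leaks secret: %d\n",
           scenario_reply_len(0, 120), scenario_leaks(0, 120));
    printf("hardened,   claims 120: %zu bytes, leaks secret: %d\n",
           scenario_reply_len(1, 120), scenario_leaks(1, 120));
    printf("hardened,   claims 4:   %zu bytes\n", scenario_reply_len(1, 4));
    return 0;
}
```

The only difference between the two handlers is the single comparison against `rec_len`; that is the shape of the fix that shipped in OpenSSL 1.0.1g, and it is the check a reviewer should look for wherever a length arrives inside the data it describes.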

The bug has been in place for two years.

"Considering the long exposure, ease of exploitation and attacks leaving no trace, this exposure should be taken seriously," Codenomicon wrote.

Problems with OpenSSL have wide-ranging implications, as it is widely used to secure online connections. Sixty-six per cent of web servers (Apache and nginx), all email programs (SMTP, POP, IMAP), chat programs (XMPP), and SSL-based virtual private networks can be compromised with this bug.

Businesses should check whether their VPN is running a vulnerable version of OpenSSL, as it could expose their data to anyone.

Heartbleed makes it possible to read traffic from Linux and BSD distributions such as Debian, Ubuntu, Fedora, openSUSE, OpenBSD, and FreeBSD.

It also compromises websites such as PayPal, Craigslist, Barclays Mobile Banking, and Amazon Web Services. Amazon has confirmed it is upgrading its services right now.

OpenSSL users concerned about fixing their systems should upgrade to the fixed OpenSSL release, which no longer contains the Heartbleed bug. Alternatively, they can recompile OpenSSL with the heartbeat extension disabled.

"OpenSSL users should upgrade to the latest version (1.0.1g) immediately, and regenerate their private keys," Cluley said.

Upgrading to a safe version is essential now that Heartbleed is public: more attackers know about the vulnerability and can check whether a system has been patched yet.

Codenomicon does not know whether the bug has already been used to compromise other systems, as exploitation leaves no trace in any logs.