A security flaw has been found in OpenSSL, a very popular data encryption standard that led most of us to assume that the data we stored and used in our everyday services was secure. That was not the case: the Heartbleed Bug allowed hackers who knew about it to extract a large amount of data, even though OpenSSL was meant to keep these very hackers out.
What is the Heartbleed Bug
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL encryption standard. This weakness exposes information normally protected by SSL/TLS (normally used to secure the Internet). The bug allows anyone on the Internet to read the memory of systems protected by vulnerable versions of OpenSSL. This compromises the keys used to encrypt data, allowing hackers to eavesdrop on communications, to steal data directly from the services that users use, and to impersonate them.
How to stop the leak?
As long as the vulnerable version of OpenSSL is in use, it can be abused. A fixed version of OpenSSL has been released and deployed. Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use.
Common Questions and Answers
1. What is CVE-2014-0160?
CVE-2014-0160 is the official reference for this bug.
2. What makes the Heartbleed Bug unique?
Normal bugs in software come and go, fixed by new versions. However, this bug has left a large amount of private keys and other secrets exposed on the Internet. Considering the long exposure, the ease of exploitation and the fact that attacks leave no trace, this bug should be taken very seriously.
3. Is this a design flaw in SSL/TLS protocol?
No. This is an implementation problem.
4. What is being leaked?
Encryption is used to protect secrets that may harm your privacy or security if they leak.
5. What is leaked primary key material and how to recover?
Leaked primary key material allows the attacker to decrypt any past and future traffic to the protected services and to impersonate the service at will. Any protection given by the encryption and the signatures can be bypassed. Recovery from this leak requires patching the vulnerability, revocation of the compromised keys, and reissuing and redistributing new keys.
6. What is leaked secondary key material and how to recover?
Leaked secondary key material is leaked user credentials (usernames and passwords) used in vulnerable services. Recovery from this leak requires owners of the service first to restore trust to the service by changing their passwords and possible encryption keys according to the instructions from the owners of the services that have been compromised. All session keys and session cookies should be invalidated and considered compromised.
7. What is leaked protected content and how to recover?
This is the actual content handled by the vulnerable services. It may be personal or financial details, private communication such as emails or instant messages, documents or anything seen worth protecting by encryption. The most important action to take for recovery is to restore trust to the service by changing their passwords and possible encryption keys according to the instructions from the owners of the services that have been compromised.
8. Can I detect if someone has exploited this against me?
Exploitation of this bug does not leave any trace of anything abnormal in the logs.
9. How can OpenSSL be fixed?
Even though the actual code fix may appear trivial, the OpenSSL team are the experts in fixing it properly, so the fixed version 1.0.1g or newer should be used.
Does this affect Malaysian businesses?
As mentioned earlier, OpenSSL is a popular encryption protocol that is widely accepted worldwide, and a large number of Malaysian businesses use it to encrypt their data. Consider making the change quickly, as this may affect your sensitive information.
What versions of OpenSSL are affected?
Status of different versions:
- OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
- OpenSSL 1.0.1g is NOT vulnerable
- OpenSSL 1.0.0 branch is NOT vulnerable
- OpenSSL 0.9.8 branch is NOT vulnerable
The bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL released 1.0.1 on 14th March 2012. OpenSSL 1.0.1g, released on 7th April 2014, fixes the bug.
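The version list above can be turned into a quick inventory check. This is an added example, not code from OpenSSL or from this page's author: it classifies the banner printed by `openssl version` for each host. The host names, the sample banners and the function names `classify` and `needs_patching` are constructed for illustration.

```python
import re

# Matches the banner printed by `openssl version`, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(-\w+)?")

def classify(banner):
    """Return 'vulnerable', 'not vulnerable' or 'unknown' per the list above."""
    m = BANNER_RE.search(banner)
    if not m:
        return "unknown"          # not an OpenSSL banner at all
    branch = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter, tag = m.group(4), m.group(5)
    if branch in ((1, 0, 0), (0, 9, 8)):
        return "not vulnerable"   # branches listed as not vulnerable
    if branch != (1, 0, 1):
        return "unknown"          # branch not covered by the list
    if tag and tag.startswith(("-beta", "-pre", "-dev")):
        return "unknown"          # pre-releases are not covered by the list
    # Letter suffixes order releases within a branch: "" < "a" < ... < "f" < "g".
    return "vulnerable" if letter < "g" else "not vulnerable"

def needs_patching(inventory):
    """Return the sorted host names whose banner falls in the vulnerable range."""
    return sorted(h for h, b in inventory.items() if classify(b) == "vulnerable")

# Constructed sample inventory: host names and banners are made up for illustration.
SAMPLE = {
    "web-01": "OpenSSL 1.0.1e 11 Feb 2013",
    "web-02": "OpenSSL 1.0.1g 7 Apr 2014",
    "mail-01": "OpenSSL 0.9.8y 5 Feb 2013",
    "vpn-01": "OpenSSL 1.0.1 14 Mar 2012",
    "app-01": "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "old-01": "OpenSSL 1.0.0k 5 Feb 2013",
    "lab-01": "OpenSSL 1.0.1-beta1 3 Jan 2012",
    "odd-01": "LibreSSL 2.0.0",
}

if __name__ == "__main__":
    for host, banner in sorted(SAMPLE.items()):
        print(f"{host:8} {classify(banner):15} {banner}")
    print("patch and re-key first:", ", ".join(needs_patching(SAMPLE)))
```

The banner only shows the upstream version number. Operating system vendors sometimes ship the fix without changing that number, so confirm a "vulnerable" or "unknown" result against the vendor's advisory for the installed package.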
Recovery sounds laborious, is there a shortcut?
After the consequences of this bug were properly identified, and the extent to which it could affect any user or provider, we (here at EVERWORKS) took laborious steps to address this issue to ensure that the possible compromise of our primary and secondary key material was protected. All this just in case we were not the first ones to discover this and this could have been exploited already.
Malaysians can refer to MyCERT for the information disclosure on this vulnerability.