On April 8, 2014 the United States Computer Emergency Readiness Team (US-CERT) issued an alert regarding a critical vulnerability in OpenSSL (CVE-2014-0160) called Heartbleed. OpenSSL is used to secure internet communications through encryption such as SSL or TLS (HTTPS). Web servers, VPN concentrators and other platforms could be vulnerable if the affected versions of OpenSSL are in use.
Description and Impact
This vulnerability affects OpenSSL versions 1.0.1 through 1.0.1f and the 1.0.2-beta releases. It could be exploited to disclose sensitive information to an attacker and could allow the attacker to eavesdrop on communications. Data at risk includes user credentials, data being processed by the vulnerable system and the encryption keys resident on the system.
According to US-CERT, exploit code is publicly available for this vulnerability and it is expected that attacks are already underway.
- Patch vulnerable OpenSSL versions as quickly as possible. OpenSSL 1.0.1g has been released to fix this vulnerability.
- Generate and deploy new SSL keys. Keys generated with a vulnerable version of OpenSSL should be considered compromised and must be regenerated with the patched version; the new keys then need to be redeployed to address the vulnerability.
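To triage the affected-version ranges named above across a fleet, the following added example (not part of the US-CERT alert) parses `openssl version` banners and flags hosts still running an affected release. The hostnames and banners in `SAMPLE_INVENTORY` are constructed sample data; note that a version string alone cannot tell whether a vendor backported the fix without changing the upstream version letter, so a "vulnerable" result should be confirmed against the package changelog or a protocol-level test.

```python
import re

# Affected releases per the advisory: 1.0.1 through 1.0.1f and the 1.0.2 betas.
# 1.0.1g is the fixed release; 0.9.8 and 1.0.0 predate the heartbeat extension.
_VERSION_RE = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-([A-Za-z0-9]+))?", re.IGNORECASE
)

def parse_openssl_version(banner):
    """Parse an `openssl version` banner into (major, minor, fix, letter, tag).

    Returns None when the text is not an OpenSSL version banner.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix, letter, tag = m.groups()
    return int(major), int(minor), int(fix), letter.lower(), (tag or "").lower()

def is_heartbleed_vulnerable_version(banner):
    """True if the banner's version falls inside an affected range.

    Caveat: distribution packages may carry a backported fix under an
    unchanged upstream version, so treat True as "needs confirmation".
    """
    parsed = parse_openssl_version(banner)
    if parsed is None:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, fix, letter, tag = parsed
    if (major, minor) != (1, 0):
        return False                   # 0.9.8 and later branches are outside the range
    if fix == 1:
        return letter <= "f"           # "" (plain 1.0.1) through "f"; "g" is fixed
    if fix == 2:
        return tag.startswith("beta")  # only the 1.0.2 betas, not a final 1.0.2
    return False                       # 1.0.0x never shipped the heartbeat code

# Constructed inventory: hostname -> banner captured from `openssl version`.
SAMPLE_INVENTORY = {
    "web-01": "OpenSSL 1.0.1e 11 Feb 2013",
    "web-02": "OpenSSL 1.0.1g 7 Apr 2014",
    "vpn-01": "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "legacy-01": "OpenSSL 0.9.8y 5 Feb 2013",
}

def hosts_needing_patch(inventory):
    """Sorted hostnames whose OpenSSL version is in an affected range."""
    return sorted(h for h, b in inventory.items() if is_heartbleed_vulnerable_version(b))

if __name__ == "__main__":
    for host in hosts_needing_patch(SAMPLE_INVENTORY):
        print("%s: upgrade to 1.0.1g or later, then regenerate and redeploy keys" % host)
```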
Further details are provided in the US-CERT alert: http://www.us-cert.gov/ncas/alerts/TA14-098A
See if your internet-facing systems are vulnerable to Heartbleed at: https://www.ssllabs.com/ssltest/