The last few days have been all about the OpenSSL Heartbleed vulnerability, officially called CVE-2014-0160. Many of you surely heard about it, read about it, and talked about it, but did you really understand what all the noise is about? TechCrunch published: Massive Security Bug In OpenSSL Could Affect A Huge Chunk Of The Internet, and IT News reported on a serious issue at the Canada Revenue Agency.
Why is this specific security breach getting so much exposure compared to others? Well, to get a better understanding of what exactly we’re talking about I believe it’s first important to understand what is OpenSSL - as most of you probably have no clue what is it or you believe you don’t use it.
The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength general purpose cryptography library. The project is managed by a worldwide community of volunteers that use the Internet to communicate, plan, and develop the OpenSSL toolkit and its related documentation.
Good question. Are you using Nginx? Apache? VPN? SMTP/POP/IMAP? Network Appliances? XMPP? Even if you aren’t using OpenSSL directly, each of these services could be using the OpenSSL library, and this makes you exposed.
Now what’s all the noise about Heartbleed? Well, the Heartbleed bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows the stealing of information, which is protected under normal conditions by the SSL/TLS encryption that is used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM), and some virtual private networks (VPNs).
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users, and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users, and to impersonate services and users.
Well the nature of most vulnerabilities is that a trace is left somewhere along the way allowing you to recognize whether you’ve been exploited or not. Heartbleed leaves no traces of anything abnormal happening thus making it impossible to detect exploited systems, which is why it’s so dangerous.
And for those of you using SysAid cloud services, you can sleep quietly at night knowing we already did both!