
Heartbleed OpenSSL vulnerability

What is going on?

On the 7th of April a vulnerability was found in the latest versions of OpenSSL. This vulnerability allows attackers to obtain encrypted data and the private key that is used for the encryption; combined, these give them full access to the data obtained.

 

Who is vulnerable?

Because OpenSSL is so widely used, this very likely affects you as well.

If you have OpenSSL version 1.0.1 up to and including 1.0.1f installed on your server, you are vulnerable. Versions prior to 1.0.1 are not vulnerable. Version 1.0.1g implements a fix for this problem.

Please note: your certificate itself is not compromised merely because the CSR was generated with OpenSSL. Your server is the vulnerable part, if it runs OpenSSL. If you do not run OpenSSL on your server, there is no need for further action.

 

What do I do?

First you need to make sure your server is no longer vulnerable to this issue. Apply the most recent patches (1.0.1g at the time of writing) to your OpenSSL. If this version is not yet available for your server, you can disable the heartbeat extension by recompiling OpenSSL with the switch -DOPENSSL_NO_HEARTBEATS. (If you have any doubts about this procedure, contact your system administrator.)
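The two checks a server administrator needs here are the version test from "Who is vulnerable?" (1.0.1 through 1.0.1f affected, 1.0.1g fixed) and a way to confirm that a rebuilt OpenSSL really was compiled with -DOPENSSL_NO_HEARTBEATS. The script below is an added example, not part of the original article or of OpenSSL itself. It assumes `openssl version` prints a line of the form "OpenSSL 1.0.1e 11 Feb 2013" (with "-fips" appended on some vendor builds) and that `openssl version -f` echoes the compile-time -D flags in its "compiler:" line; the version strings in the comments are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original article): classify an OpenSSL version
# against the range the article calls vulnerable, 1.0.1 up to and including
# 1.0.1f. 1.0.1g carries the fix; 1.0.0 and 0.9.8 never had the heartbeat code.

# Reduce either a bare version ("1.0.1e") or the full output of
# `openssl version` ("OpenSSL 1.0.1e 11 Feb 2013") to the bare version.
openssl_bare_version() {
    case "$1" in
        "OpenSSL "*) set -- $1; echo "$2" ;;   # second word is the version
        *)           echo "$1" ;;
    esac
}

# Print "vulnerable" or "not vulnerable" and return 0 / 1 accordingly.
# Example: is_heartbleed_vulnerable "1.0.1e"       -> vulnerable
#          is_heartbleed_vulnerable "1.0.1e-fips"  -> vulnerable (vendor suffix)
#          is_heartbleed_vulnerable "1.0.1g"       -> not vulnerable
is_heartbleed_vulnerable() {
    v=$(openssl_bare_version "$1")
    case "$v" in
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*)
            echo "vulnerable"; return 0 ;;
        *)
            echo "not vulnerable"; return 1 ;;
    esac
}

# Given the "compiler: ..." line from `openssl version -f`, return 0 when the
# build was configured with -DOPENSSL_NO_HEARTBEATS (the workaround the
# article describes for hosts that cannot get 1.0.1g yet).
# Assumption: configure-time -D flags are echoed in that compiler line.
flags_disable_heartbeats() {
    case "$1" in
        *-DOPENSSL_NO_HEARTBEATS*) return 0 ;;
        *)                         return 1 ;;
    esac
}

# Inspect the OpenSSL binary on this host, if one is in PATH.
check_local_openssl() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found in PATH"
        return 2
    fi
    ver=$(openssl version)
    echo "installed: $ver"
    if is_heartbleed_vulnerable "$ver" >/dev/null; then
        if flags_disable_heartbeats "$(openssl version -f)"; then
            echo "version is in the affected range, but heartbeats were compiled out"
            return 1
        fi
        echo "version is in the affected range: patch to 1.0.1g or rebuild with -DOPENSSL_NO_HEARTBEATS"
        return 0
    fi
    echo "version is outside the affected range"
    return 1
}

# Run the local check only when invoked as: sh heartbleed_check.sh --check
if [ "${1:-}" = "--check" ]; then
    check_local_openssl || true
fi
```

One caveat worth knowing before acting on the output: several Linux distributions shipped the fix as a backported patch without bumping the version string, so a host can still report 1.0.1e after it has been patched. Treat "vulnerable" from the version test as "check your vendor's advisory and the package changelog", and treat "not vulnerable" (or a compiled-out heartbeat) as the only result that needs no further action.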

Since this vulnerability allows the retrieval of the private key, your certificate may be compromised. With the private key, any server can impersonate your webshop while presenting a fully valid and trusted certificate.

We recommend reissuing your certificate after you have updated your server, so that the new key cannot be leaked the same way. Instructions on starting a reissue can be found here:
http://support.openprovider.eu/entries/23628481-How-do-I-reissue-a-certificate-

 

What if I do nothing?

The nature of this vulnerability allows an attacker to obtain random pieces of your server's memory, and there is no way to track or notice this abuse while it is going on. You risk having your server's contents fully disclosed to the attacker, which allows them to obtain information stored on your server, such as passwords or customer data.
It is definitely not recommended to 'wait it out'. Act now and protect your server.

 

Further information

The above are just the basics of the problem at hand. If you want to know more or need more information before continuing, please see the following links that explain the problem in more detail.

http://heartbleed.com/ -- A site dedicated to explaining this issue

https://www.openssl.org/news/secadv_20140407.txt -- The security advisory from OpenSSL

http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=96db9023b881d7cd9f379b0c154650d6c108e9a3 -- The commit that fixes the issue
