Old 10th April 2014, 14:50   #1
foby.sebastian (Senior - BHPian, Thrissur/Kochi)
Heartbleed Bug / CVE-2014-0160

A major new vulnerability called Heartbleed could let attackers gain access to users' passwords and fool people into using bogus versions of Web sites. A flaw in software that's widely used to secure Web communications means that passwords and other highly sensitive data could be exposed.

Internet users advised to change passwords due to 'Heartbleed' bug

http://www.latimes.com/business/tech...#axzz2yRefVfKm

OpenSSL is open-source software that's widely used to encrypt Web communications. Heartbleed can reveal the contents of a server's memory, where the most sensitive data is stored, including private data such as usernames, passwords, and credit card numbers. It also means an attacker can get copies of a server's digital keys and then use them to impersonate servers or to decrypt communications from the past or potentially the future.
Also, one more thing: those of you who do online transactions or business, please don't do any online shopping or banking for a few days.
It is highly risky; this is not like other vulnerabilities, but one that is extremely serious.

The vulnerability is officially called CVE-2014-0160 but is known as Heartbleed.

Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

You can take the Heartbleed test at the link below:

http://filippo.io/Heartbleed/

There are quite a few operating system distributions that have shipped with potentially vulnerable OpenSSL versions.
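What the over-read actually looks like in code, as an added example that is not part of the original post: the two handlers below are a cut-down model of tls1_process_heartbeat() from OpenSSL 1.0.1f and of the bounds check that 1.0.1g added (a heartbeat record must be at least 1 + 2 + payload + 16 bytes long, or it is silently dropped). The `memory` array, the secret placed in it and the attacker's request are constructed for the demonstration and kept inside one array so the demo itself is memory-safe; a real attacker controls only the heartbeat record and gets back whatever happened to sit after it in the server process's memory.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the SSL read buffer and whatever sat next to it on the
 * heap. The attacker controls only the heartbeat record at offset 0; the
 * "secret" further along stands in for the session cookies, passwords and
 * keys that Heartbleed leaked in practice. */
#define MEM_SIZE 4096
static unsigned char memory[MEM_SIZE];
static const char SECRET[] = "session-cookie=SECRET_COOKIE_VALUE";  /* constructed */

enum { TLS1_HB_REQUEST = 1, TLS1_HB_RESPONSE = 2, HB_PADDING = 16 };

/* Lay out a heartbeat message at the start of `memory`:
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | 16 bytes padding
 * `claimed_len` is the length field the attacker writes; `actual_len` is how
 * many payload bytes really follow. Returns the length of the record that
 * "arrived on the wire". */
size_t build_heartbeat(uint16_t claimed_len, const unsigned char *payload, size_t actual_len) {
    memset(memory, 0, sizeof memory);
    memory[0] = TLS1_HB_REQUEST;
    memory[1] = (unsigned char)(claimed_len >> 8);
    memory[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(memory + 3, payload, actual_len);
    memcpy(memory + 256, SECRET, sizeof SECRET);   /* neighbouring heap data */
    return 1 + 2 + actual_len + HB_PADDING;
}

/* Handler in the shape of OpenSSL 1.0.1f: it believes the peer's length field
 * and copies that many bytes out of the record, never comparing it with how
 * many bytes actually arrived. Writes the reply into `out`; returns its
 * length (0 = no reply). */
size_t heartbeat_vulnerable(size_t rec_len, unsigned char *out, size_t out_cap) {
    (void)rec_len;                          /* 1.0.1f never consults this */
    unsigned char *p = memory;
    unsigned char hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);   /* n2s(p, payload) */
    p += 2;
    if (hbtype != TLS1_HB_REQUEST) return 0;
    size_t resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (resp_len > out_cap) return 0;       /* demo-only guard; OpenSSL malloc'd exactly resp_len */
    unsigned char *bp = out;
    *bp++ = TLS1_HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);
    *bp++ = (unsigned char)(payload & 0xff);
    memcpy(bp, p, payload);                 /* over-read: p + payload runs past the record */
    return resp_len;
}

/* Same handler with the 1.0.1g fix: the record must be long enough to hold
 * the header, the claimed payload and the padding, otherwise it is discarded. */
size_t heartbeat_fixed(size_t rec_len, unsigned char *out, size_t out_cap) {
    unsigned char *p = memory;
    if (rec_len < 1 + 2 + HB_PADDING) return 0;          /* too short to be valid */
    unsigned char hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (hbtype != TLS1_HB_REQUEST) return 0;
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return 0;   /* the fix */
    size_t resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (resp_len > out_cap) return 0;
    unsigned char *bp = out;
    *bp++ = TLS1_HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);
    *bp++ = (unsigned char)(payload & 0xff);
    memcpy(bp, p, payload);
    return resp_len;
}

/* Does the reply carry the secret that was never part of the request? */
int response_leaks_secret(const unsigned char *resp, size_t n) {
    size_t slen = strlen(SECRET);
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(resp + i, SECRET, slen) == 0) return 1;
    return 0;
}

int main(void) {
    unsigned char out[2048];
    const unsigned char tiny[] = "hi";
    /* Attacker sends 2 bytes of payload but claims 1024. */
    size_t rec = build_heartbeat(1024, tiny, 2);
    size_t n = heartbeat_vulnerable(rec, out, sizeof out);
    printf("1.0.1f: replied with %zu bytes, leaked secret: %s\n", n,
           response_leaks_secret(out, n) ? "yes" : "no");
    n = heartbeat_fixed(rec, out, sizeof out);
    printf("1.0.1g: replied with %zu bytes (0 = dropped)\n", n);
    return 0;
}
```

The 1.0.1f path answers a 21-byte request with a 1,043-byte reply that contains the secret; the 1.0.1g path drops the same request and still answers well-formed ones. Because the leak is a plain read of whatever follows the record, nothing in the server's logs records it, which is why the thread's advice is to assume keys and passwords are compromised rather than to look for evidence.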
Old 10th April 2014, 16:14   #2
arsudarsan (BHPian, Chennai)
Re: Heartbleed Bug / CVE-2014-0160

Changing passwords is useless until the fix is adopted by everyone using OpenSSL since they would anyway be able to steal your passwords with the current system!
Old 10th April 2014, 16:16   #3
Rehaan (Team-BHP Support, Bombay)
Re: Heartbleed Bug / CVE-2014-0160

^ True. Though most major sites have applied the fix already.


Here's a list of sites, which ones are/were vulnerable, and which ones have been fixed :
http://mashable.com/2014/04/09/heart...m-fb-main-link

cya
R
Old 10th April 2014, 16:19   #4
msdivy (Senior - BHPian, Bangalore)
Re: Heartbleed Bug / CVE-2014-0160

The affected versions are OpenSSL 1.0.1a to OpenSSL 1.0.1f and OpenSSL 1.0.2-beta. Should be a concern if you use these versions. Otherwise no worry.
Quote:
Originally Posted by foby.sebastian:
Internet users advised to change passwords due to 'Heartbleed' bug
It is recommended to change passwords after the server is updated with the fixed OpenSSL package. The fix is either to use OpenSSL 1.0.1g or to compile the existing package with the OPENSSL_NO_HEARTBEATS flag.
Old 11th April 2014, 10:36   #5
msdivy (Senior - BHPian, Bangalore)
Re: Heartbleed Bug / CVE-2014-0160

Quote:
Originally Posted by foby.sebastian:
You can take the Heartbleedtest in the below link
http://filippo.io/Heartbleed/
Got info that the filippo site was showing a few false positives (either the results were interpreted wrongly or the site didn't scale for the traffic). Fortunately SSL Labs have updated their test to detect the Heartbleed bug. Along with this, they do other comprehensive SSL checking. Link: https://www.ssllabs.com/ssltest/

The predominantly affected applications are the Apache & Nginx web servers (which use the affected versions of the OpenSSL package). The reason is that these form the bulk of web servers used on the Internet. Some estimate around 18% of web servers are vulnerable. Note that applications which don't use OpenSSL (like Microsoft's) are not affected.

The curious thing about this bug is that it is almost impossible to detect whether there has been a breach or not. So if somebody is using affected versions of OpenSSL, you have to:
1) Upgrade to fixed version of OpenSSL ASAP
2) Revoke old certificates & get fresh certificates
3) Advise your users to change their passwords.

It is scary to imagine this bug existed for 2 years.
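A version check that a sysadmin can run against the output of `openssl version` and `openssl version -b` before step 1 above, written as an added example (not from this thread and not OpenSSL's own code). It encodes the affected range from post #4 plus the detail from the OpenSSL advisory that plain 1.0.1 (no letter) and 1.0.2-beta1 are also affected and 1.0.2-beta2 is not, and adds the caveat that bites in practice: Debian, Ubuntu and Red Hat shipped the fix as a backport that kept the old upstream version string, so a binary reporting "1.0.1e" may already be patched. The build-date heuristic (a binary built before 7 April 2014, the day 1.0.1g and the distribution updates were released, cannot contain the fix) and the sample version and build strings are the example's own assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Upstream versions the OpenSSL advisory for CVE-2014-0160 lists as affected:
 * 1.0.1 through 1.0.1f inclusive, and 1.0.2-beta1. 1.0.1g and 1.0.2-beta2
 * carry the fix; 0.9.8 and 1.0.0 never had the heartbeat code at all. */

/* Parse the first line of `openssl version` ("OpenSSL 1.0.1f 6 Jan 2014",
 * "OpenSSL 1.0.2-beta1 24 Feb 2014", ...). Returns 1 if the upstream version
 * number alone says "affected", 0 if "not affected", -1 if unparsable. */
int heartbleed_version_affected(const char *version_text) {
    int major, minor, fix, consumed = 0;
    if (sscanf(version_text, "OpenSSL %d.%d.%d%n", &major, &minor, &fix, &consumed) != 3)
        return -1;
    const char *rest = version_text + consumed;   /* letter or "-betaN" suffix, if any */
    if (major != 1 || minor != 0) return 0;
    if (fix == 1) {
        char letter = *rest;
        if (letter == '\0' || isspace((unsigned char)letter)) return 1;  /* plain 1.0.1 */
        if (!isalpha((unsigned char)letter)) return -1;
        return tolower((unsigned char)letter) <= 'f';                    /* a..f affected, g+ fixed */
    }
    if (fix == 2) {
        int beta;
        if (sscanf(rest, "-beta%d", &beta) == 1) return beta < 2;
        return 0;                       /* 1.0.2 proper postdates the fix */
    }
    return 0;
}

/* Distribution packages backported the fix without changing the upstream
 * version string, so "1.0.1e" can be patched. `openssl version -b` prints the
 * build timestamp, e.g. "built on: Mon Apr  7 20:33:29 UTC 2014" (assumed
 * format). A binary built before 7 April 2014 cannot contain the fix; one
 * built later only might. Returns 1 if the build predates the fix, 0 if it
 * does not, -1 if the line cannot be parsed. */
int build_predates_fix(const char *built_on_line) {
    static const char months[] = "JanFebMarAprMayJunJulAugSepOctNovDec";
    char mon[4];
    int day, year;
    if (sscanf(built_on_line, "built on: %*s %3s %d %*s %*s %d", mon, &day, &year) != 3)
        return -1;
    const char *m = strstr(months, mon);
    if (m == NULL || strlen(mon) != 3) return -1;
    int month = (int)(m - months) / 3 + 1;
    long stamp = year * 10000L + month * 100 + day;   /* YYYYMMDD for comparison */
    return stamp < 20140407L;
}

/* Combine both signals. 1 = vulnerable for sure (affected version, built
 * before the fix date); 0 = not an affected version; 2 = affected upstream
 * version but built on/after the fix date or with no usable build date, so
 * possibly a backport: confirm from the package changelog or with a real
 * heartbeat probe; -1 = version string unparsable. */
int heartbleed_verdict(const char *version_text, const char *built_on_line) {
    int v = heartbleed_version_affected(version_text);
    if (v != 1) return v;
    return build_predates_fix(built_on_line) == 1 ? 1 : 2;
}

int main(void) {
    /* Constructed sample outputs of `openssl version` and `openssl version -b`. */
    const char *samples[][2] = {
        { "OpenSSL 1.0.1e 11 Feb 2013", "built on: Tue Feb 11 15:05:42 UTC 2014" },
        { "OpenSSL 1.0.1e 11 Feb 2013", "built on: Mon Jun  2 19:37:18 UTC 2014" },
        { "OpenSSL 1.0.1g 7 Apr 2014",  "built on: Mon Apr  7 20:33:29 UTC 2014" },
        { "OpenSSL 1.0.0l 6 Jan 2014",  "built on: Mon Jan  6 14:20:10 UTC 2014" },
    };
    static const char *verdicts[] = { "not affected", "VULNERABLE",
                                      "possibly backported, check the package changelog" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int v = heartbleed_verdict(samples[i][0], samples[i][1]);
        printf("%-28s -> %s\n", samples[i][0], v < 0 ? "unparsable" : verdicts[v]);
    }
    return 0;
}
```

The point of the two-signal verdict is that the version string alone produces both false positives (patched distro builds still say 1.0.1e) and, on its own, no false negatives; the build date narrows the "possibly patched" set but cannot prove a fix is present, so the only conclusive checks remain the package changelog and a live heartbeat test against the service.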
Old 11th April 2014, 11:00   #6
Samurai (Team-BHP Support, Bangalore/Udupi)
Re: Heartbleed Bug / CVE-2014-0160

This affects all Linux OSes and Linux web servers since they all use openssl. Please update quickly. Windows web server (IIS) doesn't use openssl, so users can breathe easy.

I have many products using openssl in both Windows and Linux, but none of the openssl ones are open to public. That is a relief.
Copyright ©2000 - 2024, Team-BHP.com
Proudly powered by E2E Networks