A significant security vulnerability in the Open Source OpenSSL library was made public yesterday (07/04/2014). This software underpins many of the secure services on the Internet, including the software behind about 66% of web servers. It is a severe threat, enabling an attacker to decrypt any content. The issue affects systems deployed in the last couple of years; older systems may not be affected.
No warnings are issued and no traces are left in the standard logging systems; the only way to detect the issue is to capture and analyse live data, which makes it hard to tell whether a site or its data has been compromised.
Applications including secure web services, e-commerce, payment providers, VPNs, in fact most services that you would consider secure, could be affected.
As the software is Open Source, the bug could be detected by independent engineers security testing an application, then validated by security experts, and a fix was made available rapidly in OpenSSL version 1.0.1g. It is in no-one's interest to hide or cover this up.
An early report of a major site affected by this is Yahoo, as detailed in this tweet, which goes as far as to show the actual password exposed by exploiting the bug: https://twitter.com/markloman/status/453502888447586304
Further details of the bug can be found here: http://heartbleed.com/, a must-read for all involved with web services from sysadmins to CTO or anyone accountable for PCI compliance and data security. The official advisory can be found here: http://www.openssl.org/news/secadv_20140407.txt
After a couple of days, some reflection and technical discussions, a fuller picture emerges as to the impact and steps to resolution of this issue. Having said that, there are clearly many judgements to make along the way and each person should take the time to understand how this affects them. You can find a good write-up here: http://www.troyhunt.com/2014/04/everything-you-need-to-know-about.html.
For the technical reader, an Nmap NSE script that allows servers to be tested for this bug can be found here: http://seclists.org/nmap-dev/2014/q2/att-27/ssl-heartbleed.nse.
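The point made above, that the only way to spot the issue is to capture and analyse live data, can be turned into a passive check. The following is an added example, not code from the original post or from the OpenSSL or Nmap projects. It relies on the publicly documented cause of the bug: the vulnerable code trusted the payload_length field of a TLS heartbeat message instead of the number of bytes actually received, so a captured heartbeat record whose declared length cannot fit in the record is the signature worth alerting on. The record and heartbeat layouts follow RFC 5246 and RFC 6520; the sample captures are constructed for the example and are not real traffic.

```python
import struct

# ContentType value of the TLS heartbeat protocol (RFC 6520).
TLS_HEARTBEAT = 24
TLS_APPLICATION_DATA = 23
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16  # RFC 6520 requires at least 16 bytes of padding after the payload


def parse_tls_records(data):
    """Split a captured byte stream into TLS records as (content_type, version, body) tuples."""
    records = []
    off = 0
    while off + 5 <= len(data):
        # Record header: ContentType (1), ProtocolVersion (2), length (2), big-endian.
        ctype, version, length = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        records.append((ctype, version, body))
        off += 5 + length
    return records


def check_heartbeat(body):
    """Return a finding for one heartbeat record body, or None if it is well-formed.

    A heartbeat body is: type (1 byte), payload_length (2 bytes), payload, padding.
    A body whose declared payload plus minimum padding exceeds the bytes actually
    carried is exactly the malformed message the bug failed to reject.
    """
    if len(body) < 3:
        return {"verdict": "malformed", "reason": "heartbeat header truncated"}
    hb_type = body[0]
    declared = struct.unpack("!H", body[1:3])[0]
    actual = len(body) - 3  # payload and padding bytes really present
    if declared + MIN_PADDING > actual:
        return {"verdict": "suspicious", "type": hb_type,
                "declared": declared, "actual": actual}
    return None


def scan_capture(data):
    """Run the heartbeat check over every record in a capture and return the findings."""
    findings = []
    for ctype, _version, body in parse_tls_records(data):
        if ctype == TLS_HEARTBEAT:
            finding = check_heartbeat(body)
            if finding:
                findings.append(finding)
    return findings


# Constructed sample captures (not real traffic).
# One application-data record, then a well-formed heartbeat request:
# 4-byte payload followed by 16 bytes of padding, record length 23.
GOOD_CAPTURE = (bytes([TLS_APPLICATION_DATA, 0x03, 0x02, 0x00, 0x02]) + b"hi"
                + bytes([TLS_HEARTBEAT, 0x03, 0x02, 0x00, 0x17])
                + bytes([HB_REQUEST, 0x00, 0x04]) + b"ping" + b"\x00" * 16)
# A heartbeat request that declares a 65535-byte payload but carries none (record length 3).
BAD_CAPTURE = (bytes([TLS_HEARTBEAT, 0x03, 0x02, 0x00, 0x03])
               + bytes([HB_REQUEST, 0xFF, 0xFF]))

if __name__ == "__main__":
    print("good capture:", scan_capture(GOOD_CAPTURE))
    print("bad capture:", scan_capture(BAD_CAPTURE))
```

Two caveats for anyone wiring this into a real capture pipeline: records have to be reassembled from the TCP stream before they are parsed, and once the handshake has completed the heartbeat bodies are encrypted, so a length check like this only sees cleartext heartbeats (for example, ones sent before the cipher is active, or traffic inspected at a point where it is already decrypted). A mismatched heartbeat on its own tells you a probe was attempted, not what was returned; that is why the post is right that proving whether data was taken is so hard.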
Posted by Technical team on 08/04/2014