What is Heartbleed?

Putting on my cryptography nerd hat for a moment.  

Everyone is talking about heartbleed.  What is it and why should you care?

In December 2011, the OpenSSL project accidentally introduced a flaw into the optional heartbeat function for a SSL to allow an SSL tunnel to stay pinned up and active over an extended lifetime.  The flaw hides in a compilation flag which is built into all openssl binaries pulled down from repositories or stock with post-May 2012 builds Unix-based operating systems.  If a system uses one of the affected openssl binaries for their secure communications, all SSL communication on that system has that flaw.

The flaw allows an attacker to read 64 random plaintext bytes out of memory.   Anything that can be resident in a process's memory -- private keys, root passwords, secure configuration files, anything secured in the SSL channel -- an attacker will get by simply starting an SSL session over and over on the targeted server.  Since authentication systems on the Internet are both Unix-based and openssl-based, authentication systems with the flaw are leaking customer credentials to intruders.  This will allow attackers to own entire email or banking services.  Worse, if the vulnerable web services are running as root (a common, but bad, practice), reading the 64 random plaintext bytes will, sooner or later, leak the information used to start the process and possibly leak root passwords to servers to the Internet allowing attackers to compromise entire systems.

Nevertheless, the panic on this one is justified.  It is a bad bug.

It is trivial to determine if your systems are affected.  Simply log into the systems terminating SSL and type:

> openssl version

Here is the vulnerability list:

  • OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
  • OpenSSL 1.0.1g is NOT vulnerable
  • OpenSSL 1.0.0 branch is NOT vulnerable
  • OpenSSL 0.9.8 branch is NOT vulnerable

If you are like many lazy people on the Internet and you haven't patched your server in a glacial ice age, you are not susceptible to this bug but likely dozens of other security flaws so you should patch.  If you are a Sound Patcher, you are likely vulnerable.  Check your servers. 

Also it's possible your load balancers, routers, firewalls, and other network gear are vulnerable. Call your vendor immediately and find out the state of heartbleed and your gear's OS revision.  Seriously, you might be vulnerable beyond your applications -- network gear uses openssl, too.    

Fix your servers.  There are absolutely exploits that take advantage of Heartbleed right now in the wild.