This is an apocalypse. The world is on fire. The sky is falling. Everything you hold sacred has now turned to dust.
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users.
Earlier today, a bunch of security researchers unleashed CVE-2014-0160 (CODENAME: Heartbleed) into the world. It is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs). It powers about 66% of internet connected devices. I can guarantee that everyone who uses the internet would use it at some point in their day to day activities.
What’s frightening is that this bug has been around for more than 2 years. It is extremely likely that it has been exploited by multiple intelligence agencies and blackhats. Exploitation of this bug also leaves no traces of anything abnormal happening in the logs.
Note that both servers and clients are affected. This means that a malicious server could dump the secrets in your client’s memory without you knowing.
In short, the vulnerability disclosed allows an attacker to read the memory of the affected system. Memory is where an attacker would find passwords and private keys as well as other decrypted and sensitive information.
Don’t understand the severity of this problem? Imagine walking up to any stranger and saying “Hey, how’s it going?”. Immediately, he/she will share with you whatever was on their mind at that point in time. It could likely be a private thought, a secret they do not want anyone else to know about. You could keep asking as many times as you wanted and the stranger would tell you new things each time. On top of that, the stranger would not have a clue of it occuring.
As an end user, there’s nothing much you can do. Except, turn the internet off and go for a walk until the bug is patched. Do not use any web services that are vulnerable as they may leak your username and password, or worse, credit card information. More importantly, do not visit sites that you do not trust.
Change your passwords and API keys only after web services fix the issues. Prematurely changing them could be riskier than leaving them unchanged. Information used most recently are the ones being leaked. For example, private keys are leaked on the first request after a restart.
If you own a server that runs OpenSSL, here’s a list of things you should do.
Some PoCs have since been released.
Published on 8 Apr 2014 by Stanley Tan