If you haven’t already heard, a major exploit in OpenSSL was discovered recently. The Heartbleed Bug, which is as scary as it sounds, allows an attacker to capture potentially sensitive information from a server’s memory by exploiting a flaw in the implementation of the heartbeat function of OpenSSL’s SSL/TLS implementation.
How it Works
SSL/TLS, the encryption protocol commonly used for securing traffic between web browsers and servers, has a feature called a “heartbeat.” Every now and then, an exchange like this happens between the client and the server:
Client: You still there? If so, send back “ALIVE,” which is five characters.
If the heartbeat succeeds, the connection stays open. This keeps happening, over and over, with a different value being passed each time.
Now here’s what happens if someone exploits the Heartbleed bug:
Client: You still there? If so, send back “KITTEN,” which is 300 characters.
Server: KITTEN, and here’s a block of random memory from RAM!
In this manner, an attacker can get a random 64KB chunk of data from memory every time a heartbeat is sent, thanks to a lack of validation of the length parameter. (So an attacker can just repeatedly make attempts.) Eventually, they’d get lucky and find something interesting. Such as the SSL certificate or users’ passwords and data.
Exploiting this bug is trivial. (There were people posting scripts to test for the vulnerability minutes after it was announced. Just imagine how quickly malicious types got to work implementing exploits for the bug!) It’s also possible that someone knew about it months or even a couple years ago, and has been exploiting it ever since. Bloomberg even suggests that the NSA has known about it for two years, and has been exploiting it rather than disclosing the problem.
Is it Fixed?
Yes! Your Linux distro should already have patched builds in their package manager, so it’s just a simple manner of running a couple of commands to update your
libssl1.0.0 packages, then restarting any services that depend on SSL. (Or just do a full reboot if you’re paranoid.) In the case of Ubuntu, you’d just do something like this to update the packages:
sudo apt-get update sudo apt-get dist-upgrade
You should now revoke any SSL certificates and issue new ones, in case they were leaked in an exploit of the bug.
What Should I Do, as a User?
Change your passwords! For anything important—email, banking, etc.—you should consider picking a new password.