Critical vulnerability in OpenSSL 1.0.1 and 1.0.2-beta
A few hours ago, the OpenSSL Project released a security advisory reporting the critical vulnerability CVE-2014-0160 in the popular cryptographic library OpenSSL.
The vulnerability is caused by a missing bounds check in one of the procedures of the Heartbeat extension (RFC 6520) for the TLS/DTLS protocols. Because of this small mistake by one programmer, anyone can directly read the RAM of computers whose communications are “protected” by a vulnerable version of OpenSSL. In particular, an attacker gains access to secret keys, user names and passwords, and all content that is supposed to be transmitted in encrypted form. The attack leaves no trace of intrusion on the system.
Anyone who knew about the vulnerability could have eavesdropped on “encrypted” traffic across almost the entire Internet since March 2012, when OpenSSL version 1.0.1 was released. Around that time a successful attack on TLS (BEAST) was demonstrated, and many switched to the secure TLS 1.2, whose arrival coincided with the release of OpenSSL 1.0.1.
The vulnerable version of OpenSSL is used in the popular Nginx and Apache web servers, on mail servers, IM servers, VPNs, and in many other programs. The damage from this bug is enormous.
Some operating system distributions with a vulnerable version of OpenSSL:
- Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
- Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
- CentOS 6.5, OpenSSL 1.0.1e-15
- Fedora 18, OpenSSL 1.0.1e-4
- OpenBSD 5.3 (OpenSSL 1.0.1c) and 5.4 (OpenSSL 1.0.1c)
- FreeBSD 8.4 (OpenSSL 1.0.1e) and 9.1 (OpenSSL 1.0.1c)
- NetBSD 5.0.2 (OpenSSL 1.0.1e)
- OpenSUSE 12.2 (OpenSSL 1.0.1c)
Distributions that ship earlier versions of OpenSSL, outside the affected branches: Debian Squeeze (oldstable), OpenSSL 0.9.8o-4squeeze14, SUSE Linux Enterprise Server.
The bug is present in all versions of the OpenSSL 1.0.1 and 1.0.2-beta branches, including 1.0.1f and 1.0.2-beta1. The corrected version is 1.0.1g, which everyone affected must install immediately, then generate new keys and certificates and take other security measures. Users should be warned that their passwords may have leaked. If it is not possible to update to the fixed version immediately, you should recompile OpenSSL with the -DOPENSSL_NO_HEARTBEATS flag.
The vulnerability was discovered by information security experts from Codenomicon and, independently of them, by Neel Mehta of the Google Security division. It was the latter who informed the developers at the OpenSSL Project that they urgently needed to fix the code. The Codenomicon team prepared a detailed description of the bug and even set up a dedicated website for it, Heartbleed.com, with a picture of a bleeding heart.