Archive for the tag 'heartbleed bug'

Still cleaning up after the Heartbleed debacle, OpenSSL is issuing fixes for several vulnerabilities, one of them exploitable to run arbitrary code on the client or server.

Unlike Heartbleed, which had been introduced into the program not long before, affects all versions of OpenSSL, including those that were patched to fix Heartbleed.

The attack can only be performed between a vulnerable client *and* server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1.

All client versions of OpenSSL are vulnerable. The bug was reported to OpenSSL on May 1 via JPCERT/CC.

OpenSSL provides this advice:

  • OpenSSL 0.9.8 DTLS users should upgrade to 0.9.8za
  • OpenSSL 1.0.0 DTLS users should upgrade to 1.0.0m
  • OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1h

Non-OpenSSL clients (IE, Firefox, Chrome on Desktop and iOS, Safari etc) aren’t affected. None the less, all OpenSSL users should be updating.

If you would like to have this vulerability patched please purchase a 1x Hour of Support plan.

Don’t hesitate to contact us for any questions you may have through our Contact Form page or LiveChat!.

A very serious vulnerability has just been discovered in OpenSSL, a very popular cryptographic library.

According to the freshly released security bulletin by The OpenSSL Project, a missing bounds check in the handling of the TLS Heartbeat Extension can be used to reveal up to 64k of memory to a connected client or server.

In practice, this allows the stealing of protected information by the SSL/TLS encryption used.

SSL/TLS protocols provide communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs). Attackers can steal secret keys, user names and passwords, instant messages, emails and business’ critical documents and communication – all of this without leaving a trace.

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

As of today, a number of Nix*-like operating systems are affected, since they are packaged with vulnerable OpenSSL:

  • Debian Wheezy (Stable), OpenSSL 1.0.1e-2+deb7u4)
  • Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11)
  • CentOS 6.5, OpenSSL 1.0.1e-15)
  • Fedora 18, OpenSSL 1.0.1e-4
  • OpenBSD 5.3 (OpenSSL 1.0.1c) ? 5.4 (OpenSSL 1.0.1c)
  • FreeBSD 8.4 (OpenSSL 1.0.1e) ? 9.1 (OpenSSL 1.0.1c)
  • NetBSD 5.0.2 (OpenSSL 1.0.1e)
  • OpenSUSE 12.2 (OpenSSL 1.0.1c)

Packages with older OpenSSL versions – Debian Squeeze (oldstable), OpenSSL 0.9.8o-4squeeze14, SUSE Linux Enterprise Server – are free of this flaw.

What versions of the OpenSSL are affected?

Status of different versions:

  • OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
  • OpenSSL 1.0.1g is NOT vulnerable
  • OpenSSL 1.0.0 branch is NOT vulnerable
  • OpenSSL 0.9.8 branch is NOT vulnerable

If you would like to have this vulerability patched please purchase a 1x Hour of Support plan.

Don’t hesitate to contact us for any questions you may have through our Contact Form page or LiveChat!.