OpenSSL Zero Day Vulnerability, Heartbleed, Allows Attackers Access to Data

OpenSSL, a cryptographic library that is used to secure a large portion of the Internet, has been found to have a gaping hole in its security. The security hole is called the Heartbleed Bug (CVE-2014-0160).

OpenSSL secures a huge portion of the internet. OpenSSL secures websites utilizing HTTPS:// connections, virtual private networks (VPN’s), instant messaging software, email, and numerous applications across the web. The cryptographic software is used to secure huge portions of the Internet globally.

The Heartbleed Bug is a severe vulnerability found in OpenSSL. Heartbleed is a weakness that allows the stealing  of information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet, codenomicon reports.

The Heartbleed bug allows any internet user to read or sniff the memory of systems protected by vulnerable versions of the OpenSSL software. The bug allows for secret cryptographic keys to be compromised, username and passwords to be compromised, and virtually any sensitive data crossing the lines to be sniffed and compromised. The Heartbleed bug allows for any attacker to eavesdrop, sniff, steal, or manipulate any data from any system that is found vulnerable to the Heartbleed bug (CVE-2014-0160).

Security researchers at codenomicon tested what vulnerable systems really leak. Appearing as an attacker from the outside with no special permissions, researchers were able to steal secret keys, usernames, passwords, instant messaging logs, emails, and highly sensitive business documents and communications.

To fix the Heartbleed vulnerability, companies will have to manually install the patch. There is nothing everyday users can do to secure their communications while the bug runs free. The bug does not affect the SSL/TLS protocol that companies use to encrypt data, Heartbleed affects the OpenSSL library from a programming mistake. Reports have noted this bug can affect over %50 of the internet, as many companies use open source web servers running OpenSSL.

Lastly, the bug is its %100 undetectable. If an attacker were to steal the cryptographic keys, logins, or other highly sensitive data, the Heartbleed vulnerability leaves no trace. Malicious attackers could have already utilized this towards bigger and smaller companies, and nothing would be recognized as abnormal.

Cryptographic keys are the keys that encrypt the data in servers. If an attacker got access to such keys, emails, servers, passwords, credit cards, and other highly sensitive information could be decrypted and leaked across the web. In plain English, cyber criminals could steal highly sensitive information, and paste it on the web in plain text.

Any companies using OpenSSL, it is urged you patch this critical vulnerability with OpenSSL 1.0.1g (the updated version).

Notable Sources:

• http://heartbleed.com/
• http://www.openssl.org/news/secadv_20140407.txt
• https://access.redhat.com/security/cve/CVE-2014-0160
• http://www.ubuntu.com/usn/usn-2165-1/
• http://www.freshports.org/security/openssl/
• https://blog.torproject.org/blog/openssl-bug-cve-2014-0160