
OpenSSL Heartbleed bug - Patch download - How to test whether a server's security is compromised

Monday, April 14, 2014



What is the OpenSSL Heartbleed bug?
OpenSSL is a widely used open-source encryption library that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, together with general-purpose cryptographic routines, to provide a secure server environment. OpenSSL supplies the SSL and TLS encryption behind HTTPS, the secure communication between your computer and servers on the Internet. It is used by about 2/3 of the web servers in the world.

OpenSSL vulnerability ("Heartbleed", CVE-2014-0160)
The Common Vulnerabilities and Exposures (CVE) system, the dictionary of standardized identifiers for publicly known vulnerabilities, lists the Heartbleed bug as CVE-2014-0160 (Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160). On April 7, 2014 this bug was discovered in the TLS heartbeat extension of OpenSSL by Neel Mehta of Google Security. It allowed attackers anywhere on the Internet to silently steal passwords, cryptographic keys and other sensitive information from vulnerable systems. The vulnerability was the result of a programming error in several versions of OpenSSL: a missing bounds check in the handling of the Transport Layer Security (TLS) heartbeat extension.
This tiny flaw in the most widely used encryption library lets an attacker read memory from any vulnerable system, from your bank's HTTPS server to your private VPN, and so steal passwords, login cookies, private crypto keys and more.


At its worst, Heartbleed allowed access to the private key of an SSL certificate as well as to the encrypted communication itself. This means that anyone with the knowledge and skills required to exploit the vulnerability had a window in which to grab your user names, passwords and any private information you exchanged with practically any online service that used the affected versions of the OpenSSL toolkit.

The Heartbleed bug, a severe memory-handling error, allows anyone on the Internet to read the memory of systems protected by the vulnerable versions of OpenSSL. The bug lies in OpenSSL's implementation of the TLS heartbeat extension. Only the 1.0.1 and 1.0.2-beta releases of OpenSSL are affected, including 1.0.1f and 1.0.2-beta1. Affected users should upgrade to OpenSSL 1.0.1g. Patching consists of updating OpenSSL and then restarting every service that links against the OpenSSL libraries.

Users unable to upgrade immediately can instead recompile OpenSSL with the heartbeat extension disabled:

-DOPENSSL_NO_HEARTBEATS


How is the Heartbleed bug exploited?
Source: Wikipedia
The Heartbleed bug is exploited by sending a malformed heartbeat request with a small payload and a large length field to the server, in order to elicit a response that lets attackers read up to 64 kilobytes of server memory that was likely to have been used previously by SSL. Where a Heartbeat Request might ask the server to "send back the four-letter word 'bird'", resulting in a server response of "bird", a malicious Heartbleed Request of "send back the 500-letter word 'hat'" would cause the server to return "hat" followed by whatever 497 characters the server happened to have in active memory. Attackers in this way could receive sensitive data, compromising the security of the server and its users. (Wikipedia)
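To make the "bird"/"hat" description and the "missing bounds check" above concrete, here is an added example; it is not code from the original post and not OpenSSL's own source. It is a simplified C model of a heartbeat handler in the shape the bug had in OpenSSL 1.0.1 through 1.0.1f, beside a handler that applies the length check the 1.0.1g fix introduced. The wire layout (type byte, 16-bit length, payload, at least 16 bytes of padding) follows the TLS heartbeat extension; the in-memory arena, the sample secret string and all function names are constructed for this demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A TLS heartbeat message on the wire:
 *   1 byte   type (1 = request, 2 = response)
 *   2 bytes  payload_length, big-endian
 *   payload_length bytes of payload
 *   at least 16 bytes of padding
 * The record's true length arrives separately from the transport. The bug was
 * that the handler believed payload_length instead of checking it against
 * that true length. */
#define HB_HEADER    3
#define HB_PADDING   16
#define RESPONSE_CAP 65535                 /* the most a 16-bit length can ask for */
#define ARENA_SIZE   (HB_HEADER + RESPONSE_CAP + 1)

/* Constructed stand-in for process memory: the request lands at the start,
 * and whatever the server happened to hold next (here a constructed sample
 * secret) follows it. Sized so the over-read below stays inside this array. */
static unsigned char arena[ARENA_SIZE];
static unsigned char response[RESPONSE_CAP];
static const char SECRET[] = "session_cookie=CONSTRUCTED_SAMPLE_SECRET";

/* Write a heartbeat request for `payload` into `rec`, with the length field
 * set to `claimed_len` (a malformed request sets this larger than the real
 * payload). Returns the record's true length as received. */
static size_t build_request(unsigned char *rec, const char *payload, uint16_t claimed_len)
{
    size_t real_len = strlen(payload);
    rec[0] = 1;
    rec[1] = (unsigned char)(claimed_len >> 8);
    rec[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(rec + HB_HEADER, payload, real_len);
    memset(rec + HB_HEADER + real_len, 0, HB_PADDING);
    return HB_HEADER + real_len + HB_PADDING;
}

/* Shape of the 1.0.1 to 1.0.1f behaviour: copy payload_length bytes starting
 * at the payload, never comparing that count with the record length. */
static long heartbeat_vulnerable(const unsigned char *rec, size_t rec_len, unsigned char *out)
{
    (void)rec_len;                                     /* ignored: the bug */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    memcpy(out, rec + HB_HEADER, payload_len);         /* reads past the record */
    return payload_len;
}

/* Shape of the 1.0.1g behaviour: discard the record unless header, claimed
 * payload and minimum padding all fit inside the bytes actually received. */
static long heartbeat_fixed(const unsigned char *rec, size_t rec_len, unsigned char *out)
{
    if (rec_len < HB_HEADER + HB_PADDING)
        return -1;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (HB_HEADER + (size_t)payload_len + HB_PADDING > rec_len)
        return -1;                                     /* the bounds check that was missing */
    memcpy(out, rec + HB_HEADER, payload_len);
    return payload_len;
}

/* Run one request through the chosen handler. Returns the number of bytes the
 * server would echo back, or -1 if the request is discarded. */
long echoed_length(const char *payload, uint16_t claimed_len, int use_fixed)
{
    memset(arena, 0, sizeof arena);
    memset(response, 0, sizeof response);
    size_t rec_len = build_request(arena, payload, claimed_len);
    memcpy(arena + rec_len, SECRET, sizeof SECRET);    /* data sitting just after the record */
    return use_fixed ? heartbeat_fixed(arena, rec_len, response)
                     : heartbeat_vulnerable(arena, rec_len, response);
}

/* 1 if the echoed response begins with the request's own payload. */
int response_starts_with_payload(const char *payload, uint16_t claimed_len, int use_fixed)
{
    long n = echoed_length(payload, claimed_len, use_fixed);
    size_t real_len = strlen(payload);
    return n >= (long)real_len && memcmp(response, payload, real_len) == 0;
}

/* 1 if the echoed response carries the secret that sat beyond the record. */
int response_leaks_secret(const char *payload, uint16_t claimed_len, int use_fixed)
{
    long n = echoed_length(payload, claimed_len, use_fixed);
    size_t slen = strlen(SECRET);
    for (long i = 0; n > 0 && i + (long)slen <= n; i++)
        if (memcmp(response + i, SECRET, slen) == 0)
            return 1;
    return 0;
}

int main(void)
{
    printf("bird/4   vulnerable: %ld bytes, leaks=%d\n", echoed_length("bird", 4, 0), response_leaks_secret("bird", 4, 0));
    printf("hat/500  vulnerable: %ld bytes, leaks=%d\n", echoed_length("hat", 500, 0), response_leaks_secret("hat", 500, 0));
    printf("hat/500  fixed:      %ld bytes, leaks=%d\n", echoed_length("hat", 500, 1), response_leaks_secret("hat", 500, 1));
    return 0;
}
```

Run as written, the vulnerable handler echoes 500 bytes for the "hat" request: 3 bytes of payload and 497 bytes of neighbouring memory, which here contain the constructed secret. The fixed handler discards that record because 3 + 500 + 16 bytes do not fit in the 22 bytes actually received, while the honest "bird" request passes both handlers unchanged. The check is against the record's true length, which is exactly the comparison the vulnerable versions never made; rebuilding with -DOPENSSL_NO_HEARTBEATS removes the handler altogether, which is why the page offers it as the stop-gap when upgrading to 1.0.1g is not immediately possible.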


Download the patch for the Heartbleed bug
The bug may affect OpenSSL 1.0.1 packages on Linux operating systems including Debian, RHEL, Fedora, Ubuntu and CentOS. Vulnerable servers must be patched with an updated version of OpenSSL, and any services using the OpenSSL libraries must be restarted.

A fixed version of OpenSSL was released on April 7, 2014, at the same time as Heartbleed was publicly disclosed. The patch was added by Adam Langley and Bodo Moeller.

Popular web services have already updated their servers with the Heartbleed patch.

Get the patch (the upstream OpenSSL commits) from here:
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=731f431497f463f3a2a97236fe0187b11c44aead
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=96db902

Online vulnerability test services
You can check whether your server is affected by the Heartbleed bug using any of the online services listed below:

https://filippo.io/Heartbleed/
http://www.tripwire.com/securescan/?home-banner/
http://www.arbornetworks.com/asert/2014/04/heartbleed/
https://www.ssllabs.com/ssltest/

As a matter of security, it is recommended that you change the passwords of your email and any other online services you use.

For more details visit:

Read more about the Heartbleed bug: http://heartbleed.com/
Wikipedia: http://en.wikipedia.org/wiki/Heartbleed
OpenSSL website: https://www.openssl.org/
SANS ISC: https://isc.sans.edu/forums/diary/OpenSSL+CVE-2014-0160+Fixed/17917

Linux distribution response
Ubuntu: http://www.ubuntu.com/usn/usn-2165-1/
Fedora: https://lists.fedoraproject.org/pipermail/announce/2014-April/003205.html
RHEL: https://rhn.redhat.com/errata/RHSA-2014-0376.html
CentOS: http://www.spinics.net/lists/centos-announce/msg04910.html
Debian: https://security-tracker.debian.org/tracker/CVE-2014-0160


