
OpenSSL Heartbleed bug - Patch download - How to test whether a server is vulnerable.



What is the OpenSSL Heartbleed bug?
OpenSSL is a widely used open-source encryption library that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, together with general-purpose cryptographic primitives, to provide a secure server environment. OpenSSL supplies the SSL/TLS encryption behind HTTPS, the secure channel between your computer and servers on the Internet. It is used by about 2/3 of the web servers in the world.

OpenSSL vulnerability ("Heartbleed", CVE-2014-0160)
The Common Vulnerabilities and Exposures (CVE) system, the dictionary of standardized identifiers for publicly known vulnerabilities and exposures, identifies the Heartbleed bug as CVE-2014-0160 (Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160). On April 7, 2014 this bug was discovered in the TLS heartbeat extension of OpenSSL by Neel Mehta of Google Security. It enabled attackers to reach across the Internet and silently steal passwords, cryptographic keys and other sensitive information from vulnerable systems. The vulnerability was the result of a programming error in several versions of OpenSSL: a missing bounds check in the handling of the Transport Layer Security (TLS) heartbeat extension.
This tiny flaw in the most widely used encryption library lets an attacker read memory from vulnerable systems, from your bank's HTTPS server to your private VPN, and steal passwords, login cookies, private cryptographic keys and more.


At its worst, Heartbleed allowed access to the private key of an SSL certificate as well as to the encrypted communication itself. This means that anyone with the knowledge and skills required to exploit the vulnerability had a window in which to grab your user names, passwords and any private information you accessed through practically any online service that used the affected versions of the OpenSSL toolkit.

The Heartbleed bug, a severe memory-handling error, allows anyone on the Internet to read the memory of systems protected by vulnerable versions of OpenSSL. The bug lies in OpenSSL's implementation of the TLS heartbeat extension. Only the 1.0.1 and 1.0.2-beta releases of OpenSSL are affected, including 1.0.1f and 1.0.2-beta1. Affected users should upgrade to OpenSSL 1.0.1g. Patching consists of updating OpenSSL and then restarting every service that links against the OpenSSL libraries, since a running process keeps using the old library until it is restarted.

Users unable to upgrade immediately can instead recompile OpenSSL with the heartbeat extension disabled:

-DOPENSSL_NO_HEARTBEATS
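A quick way to triage the affected range named above is to parse the banner printed by `openssl version`. The helper below is an added example, not OpenSSL code: it classifies a banner against the range stated on this page (1.0.1 through 1.0.1f, plus 1.0.2-beta1) and the sample banners fed to it are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Classify an `openssl version` banner such as "OpenSSL 1.0.1f 6 Jan 2014".
 * Returns 1 if the upstream version is in the Heartbleed-affected range,
 * 0 if it is not, and -1 if the banner could not be parsed.
 * Added example; the range encoded here is the one stated on this page. */
static int openssl_version_affected(const char *banner)
{
    int major, minor, patch;
    const char *p = strstr(banner, "OpenSSL ");
    if (p == NULL) return -1;
    p += strlen("OpenSSL ");
    if (sscanf(p, "%d.%d.%d", &major, &minor, &patch) != 3) return -1;

    /* Skip the numeric part to reach the letter suffix ("f") or "-beta1". */
    while (*p != '\0' && (isdigit((unsigned char)*p) || *p == '.')) p++;
    char letter = islower((unsigned char)*p) ? *p : '\0';
    int beta1 = strncmp(p, "-beta1", 6) == 0;

    if (major == 1 && minor == 0 && patch == 1)
        return (letter == '\0' || letter <= 'f') ? 1 : 0;  /* 1.0.1 .. 1.0.1f affected; 1.0.1g fixed */
    if (major == 1 && minor == 0 && patch == 2)
        return beta1 ? 1 : 0;                              /* 1.0.2-beta1 affected */
    return 0;                                              /* 0.9.8 and 1.0.0 branches never had the heartbeat code */
}

int main(void)
{
    /* Constructed sample banners, not captured from any real host. */
    const char *banners[] = {
        "OpenSSL 1.0.1e 11 Feb 2013",
        "OpenSSL 1.0.1g 7 Apr 2014",
        "OpenSSL 1.0.2-beta1 24 Feb 2014",
        "OpenSSL 0.9.8y 5 Feb 2013",
    };
    for (size_t i = 0; i < sizeof banners / sizeof banners[0]; i++)
        printf("%-32s -> %d\n", banners[i], openssl_version_affected(banners[i]));
    return 0;
}
```

Treat a hit as a prompt, not as proof: distributions frequently backport the fix while keeping the upstream version number (Red Hat's fixed packages, for instance, still report 1.0.1e), so the distribution advisories listed further down are the authoritative source for a packaged OpenSSL. The reverse also holds: a binary that reports 1.0.1g is no protection for a long-running service that loaded the old library before the upgrade and has not been restarted.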


How is the Heartbleed bug exploited?
Source: Wikipedia
The Heartbleed bug is exploited by sending a malformed heartbeat request with a small payload and a large length field to the server in order to elicit the server's response, permitting attackers to read up to 64 kilobytes of server memory that was likely to have been used previously by SSL. Where a heartbeat request might ask the server to "send back the four-letter word 'bird'", resulting in a server response of "bird", a malicious Heartbleed request of "send back the 500-letter word 'hat'" would cause the server to return "hat" followed by whatever 497 characters the server happened to have in active memory. Attackers in this way could receive sensitive data, compromising the security of the server and its users. (Wikipedia)
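The "hat" scenario above comes down to one missing comparison. The code below is an added illustration modelled on the shape of OpenSSL's heartbeat handler, not OpenSSL's own source: the record layout follows RFC 6520, the "server memory" is a constructed buffer filled with 'X' so the over-read stays inside it and the demo is well-defined, and the pre-fix and 1.0.1g handlers are placed side by side so the added bounds check is the only difference.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of the Heartbleed bug and its fix. Not OpenSSL code:
 * the message layout follows RFC 6520, but all buffers are constructed here. */

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16    /* RFC 6520: at least 16 bytes of padding follow the payload */
#define MEM_SIZE    1024  /* size of the simulated process memory */

typedef struct {
    unsigned char mem[MEM_SIZE]; /* heartbeat record at offset 0, unrelated data after it */
    size_t rec_len;              /* length the TLS record layer actually delivered */
} sim_server;

/* Place a heartbeat request in simulated memory. The length field claims
 * `claimed_len` bytes; the payload really carried is `real_payload`. Bytes
 * after the record are filled with 'X' to stand in for adjacent heap data. */
static void build_request(sim_server *s, const char *real_payload, uint16_t claimed_len)
{
    size_t real_len = strlen(real_payload);
    memset(s->mem, 'X', MEM_SIZE);
    s->mem[0] = HB_REQUEST;
    s->mem[1] = (unsigned char)(claimed_len >> 8);   /* big-endian 16-bit length */
    s->mem[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(s->mem + 3, real_payload, real_len);
    memset(s->mem + 3 + real_len, 0, HB_PADDING);
    s->rec_len = 1 + 2 + real_len + HB_PADDING;
}

/* Shared response builder: type, echoed length, echoed payload, padding. */
static size_t write_response(unsigned char *out, size_t out_cap,
                             const unsigned char *pl, unsigned int payload_len)
{
    size_t resp_len = 1 + 2 + payload_len + HB_PADDING;
    if (resp_len > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload_len >> 8);
    out[2] = (unsigned char)(payload_len & 0xff);
    memcpy(out + 3, pl, payload_len);             /* copies whatever `pl` points at */
    memset(out + 3 + payload_len, 0, HB_PADDING); /* OpenSSL fills this with random bytes */
    return resp_len;
}

/* Pre-1.0.1g logic: trusts the peer-supplied length field and never compares
 * it with the record length, so the memcpy reads past the record. */
static size_t heartbeat_vulnerable(const sim_server *s, unsigned char *out, size_t out_cap)
{
    const unsigned char *p = s->mem;
    if (p[0] != HB_REQUEST) return 0;
    unsigned int payload_len = (p[1] << 8) | p[2];  /* n2s(p, payload) in OpenSSL */
    if (3 + payload_len > MEM_SIZE) return 0;       /* simulation guard only, not present in OpenSSL */
    return write_response(out, out_cap, p + 3, payload_len);
}

/* 1.0.1g logic: the record must hold header plus padding, and the claimed
 * payload must fit inside the record actually received; otherwise the message
 * is silently discarded, as RFC 6520 section 4 requires. */
static size_t heartbeat_fixed(const sim_server *s, unsigned char *out, size_t out_cap)
{
    const unsigned char *p = s->mem;
    if (1 + 2 + HB_PADDING > s->rec_len) return 0;
    if (p[0] != HB_REQUEST) return 0;
    unsigned int payload_len = (p[1] << 8) | p[2];
    if (1 + 2 + payload_len + HB_PADDING > s->rec_len) return 0;  /* the bounds check the patch added */
    return write_response(out, out_cap, p + 3, payload_len);
}

/* Response length the chosen handler produces for a constructed request. */
static size_t demo_response_len(int fixed, const char *payload, uint16_t claimed)
{
    sim_server s;
    unsigned char out[MEM_SIZE + 3 + HB_PADDING];
    build_request(&s, payload, claimed);
    return fixed ? heartbeat_fixed(&s, out, sizeof out)
                 : heartbeat_vulnerable(&s, out, sizeof out);
}

/* Echoed bytes that were never part of the genuine request payload. */
static size_t demo_extra_bytes(int fixed, const char *payload, uint16_t claimed)
{
    size_t resp_len = demo_response_len(fixed, payload, claimed);
    if (resp_len == 0) return 0;
    size_t echoed = resp_len - 1 - 2 - HB_PADDING;
    size_t real_len = strlen(payload);
    return echoed > real_len ? echoed - real_len : 0;
}

int main(void)
{
    printf("vulnerable, 'hat' claiming 500: %zu extra bytes echoed\n", demo_extra_bytes(0, "hat", 500));
    printf("fixed,      'hat' claiming 500: %zu-byte response (discarded)\n", demo_response_len(1, "hat", 500));
    printf("fixed,      'bird' claiming 4:  %zu-byte response\n", demo_response_len(1, "bird", 4));
    return 0;
}
```

Run as is, the vulnerable handler echoes 497 bytes beyond "hat", the figure the Wikipedia paragraph quotes, while the fixed handler returns nothing for that request and still answers an honest "bird" request with a 23-byte response. The detection lesson is the same as the fix: the only trustworthy length is the one the record layer measured, never one the peer wrote into the message.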


Download the patch for the Heartbleed bug
The bug affects the OpenSSL 1.0.1 packages shipped by Linux distributions including Debian, RHEL, Fedora, Ubuntu and CentOS. Vulnerable servers must be patched with an updated version of openssl, and any services using the openssl libraries must be restarted.

A fixed version of OpenSSL was released on April 7, 2014, at the same time as Heartbleed was publicly disclosed. The patch was contributed by Adam Langley and Bodo Moeller.
 

Popular web services have updated their servers with the Heartbleed patch.

Get the patch from here:
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=731f431497f463f3a2a97236fe0187b11c44aead


http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=96db902

Online vulnerability test services
You can check whether your server is affected by the Heartbleed bug using any of the online services below:
 
https://filippo.io/Heartbleed/

http://www.tripwire.com/securescan/?home-banner/ 
http://www.arbornetworks.com/asert/2014/04/heartbleed/
https://www.ssllabs.com/ssltest/

As a matter of security it is recommended that you change the passwords of your email and any other online services you use. Do this only after the service in question has been patched; a password changed on a still-vulnerable server can be read out of memory just like the old one.

For more details visit:

Read more about the Heartbleed bug: http://heartbleed.com/
Read the Wikipedia article: http://en.wikipedia.org/wiki/Heartbleed

Visit the OpenSSL website: https://www.openssl.org/


SANS ISC: https://isc.sans.edu/forums/diary/OpenSSL+CVE-2014-0160+Fixed/17917

Linux distribution response
Ubuntu: http://www.ubuntu.com/usn/usn-2165-1/
Fedora: https://lists.fedoraproject.org/pipermail/announce/2014-April/003205.html
RHEL: https://rhn.redhat.com/errata/RHSA-2014-0376.html
CentOS: http://www.spinics.net/lists/centos-announce/msg04910.html
Debian: https://security-tracker.debian.org/tracker/CVE-2014-0160
