News began circulating yesterday about a flaw in OpenSSL that impacts about two thirds of the Internet's web sites. The bug, nicknamed Heartbleed, has actually been around for two years, but has just recently hit the spotlight due to increased awareness of security issues from high profile cases.
The bug was originally identified by a team of independent security engineers at Codenomicon and Google, and several companies, including Microsoft, Yahoo, PayPal, and Amazon, are now racing to address it.
OpenSSL is an SSL/TLS toolkit that includes cryptographic libraries and is the basis of open source PKI development. It's estimated that 2 out of every 3 SSL certificates are issued using OpenSSL. Thieves exploiting the bug can steal private user information including passwords, healthcare data, and banking information, all without the user's knowledge. SSL/TLS provides secure communications and privacy for the Internet, email, instant messaging, and VPNs. And, since the bug is 2 years old, it's hard to estimate how many users have already been impacted.
Interestingly, it's the newer versions of OpenSSL that are vulnerable. Versions prior to 1.0.1 are not affected by the vulnerability; any version above 1.0.1, including the 1.0.2 beta, is susceptible. A patch is now available in the form of an update: OpenSSL 1.0.1g, released on April 7, 2014, fixes the bug.
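As an added example (not code from the article or the OpenSSL project), the following classifies an OpenSSL version string against the affected range described above: 1.0.1 up to and including 1.0.1f and the 1.0.2 beta are treated as vulnerable, while releases before 1.0.1 and 1.0.1g onward are not. It assumes OpenSSL's version-string grammar `major.minor.fix[letter][-betaN]` and that the banner comes from `openssl version`.

```python
import re
import subprocess

# Version grammar assumed here: "major.minor.fix[letter][-betaN]", e.g. "1.0.1f",
# "1.0.2-beta1", or embedded in a banner such as "OpenSSL 1.0.1e 11 Feb 2013".
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?")


def parse_version(text):
    """Return (major, minor, fix, letter, beta) from a version string or banner."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version found in %r" % text)
    major, minor, fix, letter, beta = m.groups()
    return int(major), int(minor), int(fix), letter, (int(beta) if beta else None)


def is_heartbleed_vulnerable(text):
    """True if the version falls in the affected range the article describes."""
    major, minor, fix, letter, beta = parse_version(text)
    base = (major, minor, fix)
    if base < (1, 0, 1):
        return False              # before 1.0.1: not affected
    if base == (1, 0, 1):
        return letter < "g"       # 1.0.1 .. 1.0.1f affected; 1.0.1g is the fix
    if base == (1, 0, 2) and beta == 1:
        return True               # the 1.0.2 beta that existed at the time
    # 1.0.2-beta2 and later shipped after the fix (known from OpenSSL's release
    # history, not stated in the article), as did every later release line.
    return False


def check_local_openssl():
    """Run `openssl version` on this host and classify its banner.
    Caveat: some distributions patch the fix into an older package without
    changing the reported version, so a 'vulnerable' result here is a prompt
    to check the vendor's package changelog, not proof by itself."""
    banner = subprocess.run(["openssl", "version"], capture_output=True,
                            text=True, check=True).stdout
    return banner.strip(), is_heartbleed_vulnerable(banner)


if __name__ == "__main__":
    # Constructed sample banners, not captured from real hosts.
    for sample in ["OpenSSL 1.0.0k 5 Feb 2013", "OpenSSL 1.0.1e 11 Feb 2013",
                   "1.0.1g", "1.0.2-beta1"]:
        print(sample, "->", "VULNERABLE" if is_heartbleed_vulnerable(sample) else "not affected")
    try:
        print(*check_local_openssl())
    except (OSError, subprocess.CalledProcessError) as exc:
        print("could not run openssl:", exc)
```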
A web site dedicated to the server vulnerability provides continuing information on the issue, the fixes, and affected server operating systems:
There's been no response as to why it took so long for this high-impact bug to be addressed, or even to become newsworthy; the delay may simply highlight a flaw in the open source community itself.
An online tool is available to test web servers for the flaw. Just enter a domain name and the SSL port being used:
Qualys also provides an online web site tester:
However, now that this bug has finally gotten enough attention, more potential exposures are being revealed. Anything that relies on OpenSSL for communication is vulnerable. Here is a short (and growing) list of examples: any Linux-based appliance, routers, Steam, iOS, Android, Mac OS, Smart TVs, DVD/Blu-Ray players, set-top boxes, OpenOffice, Apple Mobile Device Support, BartPE, Trillian, Plesk, ActivePerl, MailEnable, Gene6 FTP, Kindle for PC, IMAPSize, BIND DNS, wput, HP ProLiant System Management and HP Version Control Agent software.
It's being estimated that it may take ten years to clean this one up completely.