A very unfortunate and dangerous bug has been discovered in OpenSSL that allows an attacker to read sensitive information that OpenSSL's encryption should be protecting. In some cases, it allows an attacker to retrieve the private keys of certificates. The vulnerability is known as CVE-2014-0160.
The bug has been fully disclosed on the site heartbleed.com. Unfortunately, someone went through a lot of trouble getting massive publicity for this bug/vulnerability but did not notify the OpenSSL project first. So the vulnerability is now public, but the software on many systems is not yet patched.
How do you protect yourself? Update OpenSSL!
Most distros already have a patched version of OpenSSL included. In the case of CentOS, a workaround has been created by removing the vulnerable pieces of code from OpenSSL. A full patch is expected in the next few days.
Red Hat / CentOS / Fedora
$ yum update openssl
Debian / Ubuntu
$ apt-get update
$ apt-get install openssl
Restart services that rely on OpenSSL
You can find all processes on your system that currently have libssl loaded by running the following command as root. It prints the name of every process that relies on libssl.
$ lsof | grep libssl | awk '{print $1}' | sort | uniq
After the update of OpenSSL, every one of those services needs to be restarted.
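A practical check for that restart step, added here as an example and not part of the original post: after the package update the old library file is unlinked, so on Linux `lsof` (and `/proc/PID/maps`) show its path followed by "(deleted)" for any process still running the pre-update code. The script below filters `lsof` output for exactly those processes; the `lsof` lines it ships with are constructed sample data, and it checks libcrypto as well as libssl because both ship in the same openssl package.

```shell
#!/bin/sh
# Added example: list processes that still map the pre-update OpenSSL libraries
# and therefore must be restarted.  Assumes Linux lsof output, where a mapped
# file that has since been replaced is shown with a trailing "(deleted)".

# Constructed sample of `lsof` output (on a live host, feed real `lsof` output).
SAMPLE_LSOF='COMMAND   PID USER    FD   TYPE DEVICE SIZE/OFF   NODE NAME
nginx    1201 root    mem    REG  253,0   427072 131143 /usr/lib64/libssl.so.1.0.1e (deleted)
nginx    1202 nginx   mem    REG  253,0   427072 131143 /usr/lib64/libssl.so.1.0.1e (deleted)
httpd    1510 apache  mem    REG  253,0   431016 131377 /usr/lib64/libssl.so.1.0.1e
sshd     1040 root    mem    REG  253,0   427072 131143 /usr/lib64/libcrypto.so.1.0.1e (deleted)
postfix  1700 postfix mem    REG  253,0   431016 131377 /usr/lib64/libssl.so.1.0.1e'

# Print the unique COMMAND names that still map a deleted libssl or libcrypto.
# Reads lsof output on stdin, so on a live system run:  lsof | stale_ssl_users
stale_ssl_users() {
    awk '/lib(ssl|crypto)\.so/ && /\(deleted\)/ { print $1 }' | sort -u
}

# For comparison, the full set of libssl users (what the post's one-liner lists).
all_ssl_users() {
    awk '/libssl/ { print $1 }' | sort -u
}

if [ "${1:-}" = "--live" ]; then
    lsof 2>/dev/null | stale_ssl_users      # run as root for a complete view
else
    echo "Processes still running the old OpenSSL (sample data):"
    printf '%s\n' "$SAMPLE_LSOF" | stale_ssl_users
fi
```

On the sample data only nginx and sshd are still holding the deleted libraries; httpd and postfix were already restarted and picked up the new files.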
Consider re-issuing your certificates
Since this vulnerability may have allowed an attacker to obtain your private keys (without leaving any trace in your logs), you should consider replacing all your certificates. This of course comes down to money; a re-issue will cost you some $$.
If you’re not running a high-profile website over SSL, I would assume you’re probably safe. If you’re dealing with millions of dollars in transactions every day and SSL is one of the ways to protect your clients, then yes – consider issuing all new certificates and consider the current private keys as compromised.
How do you know if you’re vulnerable?
There are a few tools to help you test whether you're vulnerable. For now (April 8th, 2014), it's safe to assume that if you're running SSH, SSL certificates, or anything else involved with encryption, you're vulnerable until you update your OpenSSL version. You can use the tools below to test whether you are actually vulnerable.
- Heartbleed Test: a website that allows you to enter any (publicly reachable) URL and test it for the exploit (an alternative site is possible.lv/tools/hb).
- Heartbleeder: a script written in Go to test the vulnerability.
- ssltest.py: a Python script to test this vulnerability (GitHub mirror here).