OpenSSL - Heartbeat Vulnerability (aka "Heartbleed") Information

A vulnerability in OpenSSL version 1.0.1 - 1.0.1f can allow remote attackers to obtain sensitive information from memory. This bug is commonly referred to as "Heartbleed."

Background

A vulnerability in OpenSSL 1.0.1 was announced April 7th, 2014. The flaw--a problem with implementation of the TLS/DTLS heartbeat functionality--allows an attacker to retrieve the private memory of an application in chunks of 64k per heartbeat connection. Exploit code is publicly available. Any service that supports STARTLS (e.g. imap, smtp, http, pop) may also be affected.

Information that an attacker could pull from memory:
  •  secret keys
  •  user names and passwords used by vulnerable services
  •  data used by vulnerable services
  •  additional memory addresses or content that can be leveraged to bypass other security measures

How to check for vulnerable versions of OpenSSL

Versions 1.0.1 to 1.0.1f are potentially vulnerable. Version 1.0.1g if the fixed version.  Other versions of OpenSSL (1.0.0 branch, 0.9.8 branch) are not vulnerable.

A basic version check: openssl version -a

A more specific check: openssl version -a| grep -oE '1.0.1[a-g]{1}?|DOPENSSL_NO_HEARTBEATS'

This should return the version, assuming version 1.0.1x.
If the OPENSSL_NO_HEARTBEATS flag shows up then it’s not vulnerable regardless of version.

Qualys SSLLabs SSL Server Test
Note: be sure to check "Do not show results on the boards" to avoid having your server show up in the recent results.

References

CVE-2014-0160

Vulnerability Note VU#720951

http://heartbleed.com/




Keywords:openssl heartbleed heartbeat vulnerability   Doc ID:39080
Owner:Allen M.Group:Office of Campus Information Security
Created:2014-04-08 13:19 CDTUpdated:2014-04-09 11:46 CDT
Sites:DoIT Help Desk, Office of Campus Information Security
Feedback:  1   0