The Heartbleed Bug
Please read http://heartbleed.com/ for a full report on this bug.
This unique bug has certainly thrown a spanner into the works in terms of how it has affected our digital security. In the traditional sense, you can often upgrade or update a piece of software and then you are no longer affected. However, this particular bug can expose our communications as a result of something we relied on in the past: the very same key used today to encrypt your communications may have been created using a vulnerable version of OpenSSL. If that is the case you need to be aware of it and take action, otherwise your underlying dependency on SSL will remain flawed. According to heartbleed.com:
What versions of the OpenSSL are affected?
Status of different versions:
- OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
- OpenSSL 1.0.1g is NOT vulnerable
- OpenSSL 1.0.0 branch is NOT vulnerable
- OpenSSL 0.9.8 branch is NOT vulnerable
Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.
This vulnerable code has been in use since December 2011, and since then every server and application that uses it has been open to the attack. The result of the attack is that the attacker can read the server's memory, which can include your private keys, through the memory leak the bug causes.
To show you this, I have demonstrated it against the target openSSL.org, as this was reported on Twitter in the past few hours. Doing a lookup on the domain gives us this IP in the UK.
We can then use masscan, which can quickly pull down the SSL banners and check the version.
As you can see, this site is still open to the Heartbleed bug.
Our PartFire server also carried the Heartbleed bug. You can check your version using the command
openssl version -a
and its build date using
openssl version -b
To fix this there are two parts. First we need to fix the OpenSSL vulnerability. The second part is generating new keys: as the keys you have generated using this version of OpenSSL have been exposed to an undetectable attack, you need to create new keys and revoke your old ones to ensure that what you send using the latest OpenSSL is still protected.
On Ubuntu, running
apt-get update
apt-get upgrade openssl
should leave you able to run
openssl version -b
And the version should be on or after
A build date on or after Monday 7th April 2014 means the build should not have the Heartbleed bug. The next step is to revoke and re-create your keys. The scope of this can be huge depending on your setup, however most people will need to regenerate their web SSL certificates using the OpenSSL command
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt
This writes a new 2048-bit RSA private key to apache.key and, because of -x509, a self-signed certificate valid for 365 days to apache.crt; if your certificate was issued by a CA, you will instead need a CSR from the new key, a reissued certificate, and revocation of the old one.
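To turn the version and build-date checks above into something you can run across a fleet, here is an added example (my own code, not from the original post): a POSIX shell function that applies the heartbleed.com version table and the 7th April 2014 build-date rule to the output of openssl version and openssl version -b. It assumes the build string has the usual form "built on: Mon Apr  7 13:04:27 UTC 2014" and treats any build string it cannot parse as having no date.

```shell
#!/bin/sh
# Added example, not from the original post: classify an OpenSSL build as
# vulnerable to Heartbleed from the output of `openssl version` and
# `openssl version -b`, using the version table quoted from heartbleed.com.
# Distributions such as Ubuntu backport the fix without changing the version
# letter, so a 1.0.1e built on or after 7 April 2014 is reported as patched.

# Turn "built on: Mon Apr  7 13:04:27 UTC 2014" into YYYYMMDD.
# Prints 0 when no date can be read (e.g. "reproducible build, date unspecified").
build_yyyymmdd() {
    set -- $(printf '%s\n' "$1" | sed 's/^built on: *//')
    mon=$2; day=$3
    for year; do :; done          # POSIX idiom: keep the last field (the year)
    case "$mon" in
        Jan) m=01;; Feb) m=02;; Mar) m=03;; Apr) m=04;; May) m=05;; Jun) m=06;;
        Jul) m=07;; Aug) m=08;; Sep) m=09;; Oct) m=10;; Nov) m=11;; Dec) m=12;;
        *) echo 0; return;;
    esac
    case "$day" in [0-9]|[0-9][0-9]) ;; *) echo 0; return;; esac
    case "$year" in [0-9][0-9][0-9][0-9]) ;; *) echo 0; return;; esac
    printf '%s%s%02d\n' "$year" "$m" "$day"
}

# heartbleed_status "<openssl version>" "<openssl version -b>"
# Prints one of: vulnerable | patched-backport | not-vulnerable | unknown
heartbleed_status() {
    ver=$(printf '%s\n' "$1" | awk '{print $2}')    # e.g. 1.0.1e or 1.0.1e-fips
    built=$(build_yyyymmdd "$2")
    case "$ver" in
        1.0.1|1.0.1[a-f]*)
            # Affected range from the table; a rebuild dated on/after the fix
            # (7 April 2014) is the distro-patched case the post checks for.
            if [ "$built" -ge 20140407 ]; then echo patched-backport
            else echo vulnerable; fi ;;
        1.0.1[g-z]*|1.0.0*|0.9.8*) echo not-vulnerable ;;
        *) echo unknown ;;
    esac
}

# Run against the local build when openssl is installed.
if command -v openssl >/dev/null 2>&1; then
    heartbleed_status "$(openssl version)" "$(openssl version -b)"
fi
```

Versions outside the table quoted above (for example 1.0.2 betas, which are not covered by this post) are deliberately reported as unknown rather than guessed.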