The Heartbleed Bug

Please read http://heartbleed.com/ for a full report on this bug.

This bug is unusual in how it has affected our digital security. Normally you upgrade or patch a piece of software and you are no longer affected. Heartbleed is different: the damage may already have been done. The very private key you use today to protect your communications may have been sitting in the memory of a process running a vulnerable version of OpenSSL for the last two years, where anyone who asked could read it out. If that is the case, patching alone is not enough; you need to know about it and take action, or the SSL your systems depend on is still broken. According to heartbleed.com:

What versions of the OpenSSL are affected?

Status of different versions:

  • OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
  • OpenSSL 1.0.1g is NOT vulnerable
  • OpenSSL 1.0.0 branch is NOT vulnerable
  • OpenSSL 0.9.8 branch is NOT vulnerable

Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.

The vulnerable code shipped in OpenSSL 1.0.1 in March 2012, so every server and client linked against 1.0.1 through 1.0.1f has been exposed for two years. The attack itself is simple. The TLS heartbeat extension lets one side send a small payload and ask for it back; vulnerable OpenSSL trusts the length field in the request instead of checking it against the record it actually received, and so copies up to 64 KB of its own process memory into each reply. The attacker needs no credentials, can repeat the request as often as they like, and the server logs nothing. Whatever happens to be in that memory comes back: session cookies, passwords, other users' requests and, critically, the server's private key.

To show this, I used openssl.org as the target, as it had been reported on Twitter in the past few hours. A lookup on the domain gives us this IP in the UK.

[Screenshot 2014-04-09 09.05.00: DNS lookup for openssl.org]

We can then use masscan, which can quickly pull down the SSL banners and check whether the server is affected.

[Screenshot 2014-04-09 09.04.15: masscan output for the openssl.org IP]

As you can see, this site was still open to the Heartbleed bug at the time of writing.

Our PartFire server was also affected by the Heartbleed bug. We checked our version with the command

openssl version -a

[Screenshot 2014-04-09 09.28.07: output of openssl version -a]

and its build date with

openssl version -b

[Screenshot 2014-04-09 09.29.31: output of openssl version -b]

To fix this there are two parts. First we need to patch the OpenSSL vulnerability. The second part is generating new keys. A private key that was loaded into a process running a vulnerable OpenSSL could have been read out by anyone who sent the right heartbeat, and the attack leaves no trace in any log, so you cannot tell whether it was taken. Treat the key as compromised: create new keys and revoke the old certificate, otherwise whoever holds the old key can still read or impersonate what you send with the patched OpenSSL.

On Ubuntu, run

apt-get update
apt-get install openssl libssl1.0.0

The fix lives in the shared library package libssl1.0.0, not only in the openssl command-line tool, so install that explicitly (a plain apt-get upgrade will also pick it up). Then restart every service that links against libssl (Apache, nginx, Postfix, OpenVPN and so on), or reboot: a running process keeps the old, vulnerable copy of the library mapped until it is restarted.

You should then be able to run

openssl version -b

and the build date should be on or after

[Screenshot 2014-04-09 09.34.41: output of openssl version -b after the upgrade]

A build date on or after Monday 7th April 2014 means the Heartbleed fix is in. Note that Ubuntu backports the fix rather than shipping 1.0.1g, so openssl version still reports 1.0.1e; the build date (or the libssl1.0.0 package changelog) is what tells you the patch is there. The next step is to revoke and re-create your keys. The scope of this can be huge depending on your setup, but most people will at least need to regenerate their web SSL key and certificate. For a self-signed certificate, the openssl command is

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt

This writes a fresh 2048-bit RSA private key and a self-signed certificate valid for a year. If your certificate was issued by a CA, generate the new key together with a certificate signing request instead (drop -x509 and -days and write the request to a .csr file), have the CA reissue the certificate from it, ask the CA to revoke the old one, and restart Apache so the new key is loaded. Do the same for any other TLS service (mail, VPN, and so on) whose private key sat in a vulnerable process, and once the server is patched and re-keyed, have users change passwords and invalidate existing sessions, since those may have leaked the same way.
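To make the build-date check less of an eyeball job, here is an added Python example (not from the original post) that reads the output of openssl version -a, applies the version rules from heartbleed.com plus the 7 April 2014 build-date cutoff for distribution backports, and on Linux lists processes that still map a deleted libssl after the upgrade. The sample outputs are constructed, and /proc is assumed to be the standard Linux procfs.

```python
"""Decide whether a local OpenSSL is exposed to Heartbleed from the output of
`openssl version -a`, and find services still running the old library.
Added example, not from the original post; the sample outputs below are
constructed, not copied from a real machine."""
import datetime
import glob
import os
import re
import subprocess

FIX_DATE = datetime.date(2014, 4, 7)   # 1.0.1g and the distro backports
MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}

def parse_version_output(text):
    """Extract (branch, patch letter, build date) from `openssl version -a`.
    First line looks like 'OpenSSL 1.0.1e 11 Feb 2013'; the build date comes
    from the 'built on:' line, e.g. 'built on: Mon Apr  7 20:33:29 UTC 2014'."""
    m = re.search(r"^OpenSSL (\d+\.\d+\.\d+)([a-z]*)", text, re.M)
    if not m:
        raise ValueError("no OpenSSL version line found")
    branch, letter = m.group(1), m.group(2)
    b = re.search(r"^built on: (.+)$", text, re.M)
    build_date = None
    if b:
        f = b.group(1).split()          # ['Mon', 'Apr', '7', '20:33:29', 'UTC', '2014']
        build_date = datetime.date(int(f[-1]), MONTHS[f[1]], int(f[2]))
    return branch, letter, build_date

def heartbleed_status(branch, letter, build_date):
    """Apply the heartbleed.com version table plus the build-date rule."""
    if branch in ("1.0.0", "0.9.8"):
        return "not affected: %s branch" % branch
    if branch != "1.0.1":
        return "unknown: %s is not covered by the advisory" % branch
    if letter >= "g":
        return "fixed: 1.0.1%s" % letter
    # 1.0.1 through 1.0.1f: Ubuntu, Debian and Red Hat backported the fix
    # without changing the version letter, so the build date is the only
    # hint the binary itself gives. Confirm against the package changelog.
    if build_date is not None and build_date >= FIX_DATE:
        return "probably patched: 1.0.1%s built %s (check the package changelog)" % (letter, build_date)
    return "VULNERABLE: 1.0.1%s built %s" % (letter, build_date)

def check(text):
    return heartbleed_status(*parse_version_output(text))

def processes_using_deleted_libssl(proc="/proc"):
    """Linux only: after the upgrade, a process that still maps the old (now
    deleted) libssl is still vulnerable until it is restarted."""
    hits = []
    for maps in glob.glob(os.path.join(proc, "[0-9]*", "maps")):
        pid = int(maps.split(os.sep)[-2])
        try:
            with open(maps) as fh:
                for line in fh:
                    if "libssl" in line and "(deleted)" in line:
                        hits.append((pid, line.split()[-2]))   # path sits before "(deleted)"
                        break
        except OSError:                 # process exited, or not ours to read
            continue
    return hits

# Constructed samples of `openssl version -a` output (first two lines only).
UNPATCHED = "OpenSSL 1.0.1e 11 Feb 2013\nbuilt on: Mon Feb 11 14:31:05 UTC 2013\n"
BACKPORTED = "OpenSSL 1.0.1e 11 Feb 2013\nbuilt on: Mon Apr  7 20:33:29 UTC 2014\n"
FIXED = "OpenSSL 1.0.1g 7 Apr 2014\nbuilt on: Mon Apr  7 21:00:00 UTC 2014\n"
OLD_BRANCH = "OpenSSL 1.0.0e 6 Sep 2011\nbuilt on: Wed Sep  7 10:00:00 UTC 2011\n"

if __name__ == "__main__":
    out = subprocess.check_output(["openssl", "version", "-a"], text=True)
    print(check(out))
    for pid, path in processes_using_deleted_libssl():
        print("pid %d still has %s mapped: restart it" % (pid, path))
```

The "probably patched" verdict is deliberately hedged: a build date alone proves that someone rebuilt the package after 7 April, not what they built, so on a packaged system read the changelog (apt-get changelog libssl1.0.0 on Ubuntu) or the distribution's advisory as well. The process scan is the step most people forget; Apache restarted by the package upgrade is fine, but a long-running daemon started before the upgrade is still serving the old library.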