A new zero-day vulnerability (CVE-2014-0160) in OpenSSL, nicknamed ‘Heartbleed’, was introduced in December 2011 and has been fixed today in OpenSSL 1.0.1g. The vulnerable versions of OpenSSL are 1.0.1 through 1.0.1f; the 1.0.0 and 0.9.8 branches are not affected.
Attackers who exploit the vulnerability can monitor all data passed between a service and its clients, or decrypt previously captured encrypted traffic. Many modern operating systems ship vulnerable versions of OpenSSL, including Debian Wheezy, Ubuntu 12.04.4 LTS, CentOS 6.5, Fedora 18, OpenBSD 5.3, FreeBSD 8.4, NetBSD 5.0.2 and OpenSUSE 12.2.
In addition, OpenSSL underpins two of the most widely used web servers, Apache and nginx, as well as email servers, chat services, VPNs and other software that use the library. Many embedded Linux devices, including routers, may also be susceptible.
Writing an exploit for this vulnerability is trivial, and several proof-of-concepts are already making the rounds on the Internet. Anyone running OpenSSL is advised to upgrade to version 1.0.1g, as well as to revoke any potentially compromised keys and reissue new ones.
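As an added example (not code from the original post or from Tripwire), a small Python checker that parses the banner printed by `openssl version` and flags builds in the 1.0.1 through 1.0.1f range described above; the banner strings it carries are constructed samples, not output from real hosts.

```python
import re
import subprocess

# Banner produced by `openssl version`, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)(-[\w.]+)?")

# Constructed sample banners (not collected from real hosts) used for the demo below.
SAMPLE_BANNERS = [
    "OpenSSL 1.0.1 14 Mar 2012",
    "OpenSSL 1.0.1e 11 Feb 2013",
    "OpenSSL 1.0.1f 6 Jan 2014",
    "OpenSSL 1.0.1g 7 Apr 2014",
    "OpenSSL 1.0.0l 6 Jan 2014",
    "OpenSSL 0.9.8y 5 Feb 2013",
]


def parse_openssl_version(banner):
    """Return (major, minor, fix, patch_letter) from a banner, or None if it is not one."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix, letter, _suffix = m.groups()
    return int(major), int(minor), int(fix), letter


def is_heartbleed_version(banner):
    """True when the upstream version falls in the advisory's range: 1.0.1 through 1.0.1f.
    The 1.0.0 and 0.9.8 branches are not affected, and 1.0.1g carries the fix.
    Caveat: some distributions backport the fix without changing the upstream version
    string, so True means 'confirm against the package changelog', not 'proven vulnerable'."""
    parsed = parse_openssl_version(banner)
    if parsed is None:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, fix, letter = parsed
    if (major, minor, fix) != (1, 0, 1):
        return False
    # Patch letters are sequential: "" (plain 1.0.1) < "a" < ... < "f" are vulnerable, "g"+ fixed.
    return letter <= "f"


def check_local_openssl(openssl_bin="openssl"):
    """Run `openssl version` on this host and classify the banner it prints."""
    out = subprocess.run([openssl_bin, "version"], capture_output=True, text=True, check=True)
    banner = out.stdout.strip()
    return banner, is_heartbleed_version(banner)


if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        verdict = "VULNERABLE (confirm)" if is_heartbleed_version(banner) else "not in range"
        print("%-28s %s" % (banner, verdict))
```

`check_local_openssl()` runs the same classification against the OpenSSL binary on the current host.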
And be sure to join us for the webcast “Heartbleed Outpatient Care: Steps for Secure Recovery” on Thursday, April 17, 2014 at 1:00 PM EDT / 10:00 AM PDT, where we will discuss the need for a robust security strategy that allows rapid reaction to vulnerabilities and threats.
In this webcast we will examine:
- The Heartbleed vulnerability in detail, how it occurred, and examples of how it can be used against your organization
- How you can identify your business exposure and what systems are vulnerable
- How Tripwire’s solutions work together to help you close the detection, remediation and prevention gaps around Heartbleed
See also: How to Detect the Heartbleed OpenSSL Vulnerability in Your Environment