A Major Security Vulnerability Called ‘HeartBleed’

A major security vulnerability called ‘HeartBleed’ has recently been identified by researchers at security firm Codenomicon and Google Security's Neel Mehta. HeartBleed is a security flaw in an application known as OpenSSL which provides encryption means to more than two thirds of all internet applications via SSL connections. The problem is within the Heartbeat Extension packets, which are used for keep-alive functionality of the SSL tunnel, and when exploited allows for a remote attacker to eavesdrop on a communication, steal service and/or user credentials and possibly to obtain encryption keys.
 
HeartBleed is officially referenced as CVE-2014-0160 in the National Vulnerability Database was first identified about two years ago and only effects version 1.0.1 of OpenSSL, prior to 1.0.1g. In the vulnerable versions of OpenSSL the TLS and DTLS implementations improperly handle Heartbeat Extension packets, and can be exploited by transmitting a malformed packet and triggering a buffer over-read. When exploited the system discloses a 64K chunk of data from memory to the attacker. This attack can be execute repeatedly without detection as the exploit leaves no traces behind. Repeated enough times and an attacker is able to recreate the victim’s memory and extract critical data.
 
Exposure to the HeartBleed bug should be taken seriously and remediated immediately by applying all necessary fixes, patches, and updates. In addition, check with all vendors to see if their products are impacted and for their recommendations for steps to patch or fix. Once the system has been patched and OpenSSL updated, all encryption keys must be revoked and reissued, and all session keys and session cookies invalidated. Taking this a step further, forward secrecy is recommended in order to segregate the new keys. Key segregation is used to ensure the compromise of a key cannot be used to decrypt previous messages as a new random key is generated every time public data is transmitted.