In IT circles, the phrase ‘bleeding heart’ may never mean what it used to, as news of the extremely serious Heartbleed vulnerability is traveling fast. The vulnerability was recently found in OpenSSL, the most popular library used to secure the internet, shipped in widely used distributions. OpenSSL is an open source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, through which much of web security is implemented. The bug allows anyone on the internet to read the memory of systems running the affected versions of OpenSSL. With this ability, the secret keys used for SSL/TLS encryption can be stolen. That means massive compromises could be in store for virtual private networks (VPNs), email, web pages, instant messaging (IM), and passwords. Given the gravity of the vulnerability, reports that bitcoin services had been affected are only the first of many targets likely to emerge as having been hit by this massive bug. The potential impact extends to web services throughout the web.
The affected versions of OpenSSL, 1.0.1 and the 1.0.2-beta release, have been widely deployed for some time. The bug has been described as a programming error, and a fix for the 1.0.1 line has been published in OpenSSL 1.0.1g. The bug was found in the heartbeat extension (RFC 6520) of the Transport Layer Security/Datagram Transport Layer Security (TLS/DTLS) implementation in the affected OpenSSL versions. It is a straightforward programming bug that unfortunately strikes at the ‘heart’ of web security, affecting the heartbeat extension, thus earning its name. According to security reports, testing has demonstrated significant leaks. In testing, attacks could be executed without leaving a trace. The tests were also able to steal X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication – all without any privileged information or credentials.
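As an added illustration (not code from the article or from OpenSSL itself), this is the record-level bounds check that the fix restores, written in C: the payload_length a heartbeat message declares must fit inside the record that was actually received. The helper names and the sample records are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Layout of one TLS heartbeat message (RFC 6520), carried in a TLS record of
 * content type 24:  type(1) | payload_length(2, big-endian) | payload | padding(>=16). */
#define HB_REQUEST      1
#define HB_RESPONSE     2
#define HB_HDR_LEN      3
#define HB_MIN_PADDING  16

/* Validates that the declared payload_length fits inside the received record.
 * Returns 1 for a well-formed message, 0 for one whose declared length would make a
 * reply copy bytes from beyond the record (the Heartbleed condition). The same rule
 * works as an IDS check on captured heartbeat records. */
int heartbeat_is_well_formed(const uint8_t *rec, size_t rec_len)
{
    if (rec == NULL || rec_len < HB_HDR_LEN + HB_MIN_PADDING)
        return 0;                               /* cannot even hold header + padding */
    if (rec[0] != HB_REQUEST && rec[0] != HB_RESPONSE)
        return 0;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    /* The check the vulnerable versions lacked: header + declared payload + minimum
     * padding must not exceed the number of bytes actually received. */
    if (HB_HDR_LEN + payload_len + HB_MIN_PADDING > rec_len)
        return 0;
    return 1;
}

/* Constructs a test record into out[]: the length field is written independently of
 * the bytes actually supplied so the validator can be exercised on a mismatch.
 * Returns the record length written, or 0 if out_cap is too small. */
size_t build_heartbeat(uint8_t *out, size_t out_cap, uint16_t declared_len,
                       const uint8_t *payload, size_t actual_len)
{
    size_t total = HB_HDR_LEN + actual_len + HB_MIN_PADDING;
    if (total > out_cap)
        return 0;
    out[0] = HB_REQUEST;
    out[1] = (uint8_t)(declared_len >> 8);
    out[2] = (uint8_t)(declared_len & 0xff);
    memcpy(out + HB_HDR_LEN, payload, actual_len);
    memset(out + HB_HDR_LEN + actual_len, 0, HB_MIN_PADDING);  /* padding bytes are arbitrary */
    return total;
}

/* Convenience wrapper: 1 when a constructed request with the given declared and
 * actual payload sizes passes validation, 0 when it is rejected, -1 on builder error. */
int check_sample(uint16_t declared_len, size_t actual_len)
{
    uint8_t payload[64] = {0};
    uint8_t rec[128];
    if (actual_len > sizeof payload)
        return -1;
    size_t n = build_heartbeat(rec, sizeof rec, declared_len, payload, actual_len);
    return n ? heartbeat_is_well_formed(rec, n) : -1;
}
```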
What leaks in practice?
We have tested some of our own services from attacker’s perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication. – Codenomicon
Most web servers on the internet are based on nginx or Apache, and by the counts in Netcraft’s Web Server reports, as much as 2/3 of active websites on the internet run on one or the other. OpenSSL is tied heavily to these two web server platforms, so the impact is likely to be significant. Recovery from this state of vulnerability may take some time to play out, as deploying the updated libraries will have departments working rapidly through their contingency response procedures. That still leaves the task of revoking any keys that were compromised and reissuing new ones throughout their environments. Then monitoring must begin, because it is unknown how long the flaw may have been exploited beforehand, and information captured earlier can still be decrypted. Given the scope of the flaw, we are likely looking at an extended security response in any industry that may have been targeted.