Details on Heartbleed bug, what the enterprise can do


A critical bug has been found in the OpenSSL library, apparently introduced more than two years ago in December 2011. Discovered by researchers from Google and security group Condenomicon, the problem is particularly serious due to the severity of the bug, as well as the widespread usage of the open-source library by servers that implement SSL.

The bug occurs in OpenSSL's implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension, lending to its name. When exploited, the programming error can result in the leakage of memory contents from the server to the client and from the client to the server.

The problem came about due to a missing bounds check in the handling of the TLS heartbeat extension, which can then be used to view 64K of memory on a connected server (or client). Specifically, this can then be exploited to repeatedly sieve through the memory of the targeted server for sensitive data such as usernames and passwords, or even to recovery the private keys used by the server.

The Fierce Take: The onus is for administrators to ensure that an up-to-date version of OpenSSL is installed in the event that it is used. Assume that the server has already been compromised, and generate new encryption keys accordingly. Once that is done, users should be encouraged to create new passwords as a precaution. Do note that some network appliances such as load balancers may use OpenSSL under the hood, so be sure to check on them too.

For more:
- check out this article at PC World
- check out this article at Ars Technica

Related Articles:
OpenSSL site defacement traced to use of insecure passwords by hosting provider
Critical bug in GnuTLS cryptographic library found