'Heartbleed' OpenSSL Flaw May Lead to Leaked Passwords, Encryption Keys
The vulnerability in the widely used OpenSSL library used to secure Web transmissions allows attackers to scrape memory from servers, grabbing sensitive information.

A widespread vulnerability in OpenSSL, the software library used to secure communications on the Web, has undermined the security of hundreds of thousands of Web servers and services and has left online companies scrambling to close the security hole. The vulnerability, officially the "TLS Heartbeat Read Overrun" issue (CVE-2014-0160) and unofficially named "Heartbleed" by the firm that found it, allows an attacker to read the memory of a Web server: each malformed heartbeat request returns up to 64 kilobytes of whatever the server process holds next to the request buffer, and the request can be repeated as often as the attacker likes. The flaw lies in OpenSSL itself rather than in any operating system, but Linux servers, which overwhelmingly rely on OpenSSL for TLS, are the machines most commonly used for Web servers and services on the Internet. The vulnerability puts users' passwords at risk, and could also reveal the private keys used in the encryption that secures HTTPS, the secure version of the HTTP protocol. "The leaked memory areas might contain a lot of different content ranging from leftover data from previous communication over log messages up to private key material employed by the service/daemon," Mark Schloesser, security researcher for Rapid7, a vulnerability management firm, said in a statement sent to eWEEK. "For this reason, there are lots of possible attack scenarios that can result from the vulnerability."
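To show the shape of the bug, the following is a simplified model of TLS heartbeat handling written for this page; it is not OpenSSL's source code. It assumes a constructed "heap" in which the incoming heartbeat record is followed by an unrelated sensitive object (a stand-in string for key material), and it places the vulnerable handler, which trusts the length field inside the message, beside a hardened one that bounds that field by the length of the record actually received, which is the check the fixed OpenSSL release added.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative model of TLS heartbeat handling (RFC 6520), NOT OpenSSL's code.
 * Record layout: 1-byte type, 2-byte big-endian payload_length, payload,
 * then at least 16 bytes of padding. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define HDR_LEN     3

/* Constructed "process heap": the received record is placed at the front and an
 * unrelated sensitive object (a stand-in for key material) sits right after it. */
#define HEAP_SIZE 4096
static unsigned char heap[HEAP_SIZE];
static const char secret[] = "CONSTRUCTED-PRIVATE-KEY";

/* Place a heartbeat request in the heap whose length field may lie about the
 * payload that is actually present. Returns the record's true length. */
size_t build_request(uint16_t claimed_len, const char *payload)
{
    size_t real_len = strlen(payload);
    size_t record_len = HDR_LEN + real_len + HB_PADDING;
    memset(heap, 0, HEAP_SIZE);
    heap[0] = HB_REQUEST;
    heap[1] = (unsigned char)(claimed_len >> 8);
    heap[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(heap + HDR_LEN, payload, real_len);
    memcpy(heap + record_len, secret, sizeof secret);   /* neighbouring object */
    return record_len;
}

static uint16_t claimed_length(void)
{
    return (uint16_t)((heap[1] << 8) | heap[2]);
}

/* Shared response construction once a payload length has been decided on. */
static unsigned char *make_response(size_t n, size_t *out_len)
{
    unsigned char *resp = malloc(HDR_LEN + n + HB_PADDING);
    if (!resp) return NULL;
    resp[0] = HB_RESPONSE;
    resp[1] = heap[1];
    resp[2] = heap[2];
    memcpy(resp + HDR_LEN, heap + HDR_LEN, n);   /* echo n bytes back */
    memset(resp + HDR_LEN + n, 0, HB_PADDING);
    *out_len = HDR_LEN + n + HB_PADDING;
    return resp;
}

/* Vulnerable handler: trusts the attacker-controlled length field and never
 * compares it with the size of the record that actually arrived, so the echo
 * reads past the request into whatever the heap holds next. The clamp to
 * HEAP_SIZE exists only to keep this simulation itself memory-safe. */
unsigned char *vulnerable_handler(size_t record_len, size_t *out_len)
{
    (void)record_len;                        /* the bug: never consulted */
    size_t n = claimed_length();
    if (HDR_LEN + n > HEAP_SIZE) n = HEAP_SIZE - HDR_LEN;
    return make_response(n, out_len);
}

/* Hardened handler: the check added in OpenSSL 1.0.1g, in spirit. The claimed
 * payload plus header and minimum padding must fit in the received record;
 * otherwise the request is silently discarded. */
unsigned char *hardened_handler(size_t record_len, size_t *out_len)
{
    if (record_len < HDR_LEN + HB_PADDING) return NULL;
    size_t n = claimed_length();
    if (HDR_LEN + n + HB_PADDING > record_len) return NULL;
    return make_response(n, out_len);
}

/* 1 if the response bytes contain the neighbouring secret, else 0. */
int response_leaks_secret(const unsigned char *resp, size_t len)
{
    size_t slen = strlen(secret);
    if (!resp) return 0;
    for (size_t i = 0; i + slen <= len; i++)
        if (memcmp(resp + i, secret, slen) == 0) return 1;
    return 0;
}

int main(void)
{
    size_t len, n;
    unsigned char *r;
    len = build_request(0xFFFF, "hat");     /* 3-byte payload, claims 65535 */
    r = vulnerable_handler(len, &n);
    printf("vulnerable: %zu bytes echoed, leaks secret: %d\n",
           n, response_leaks_secret(r, n));
    free(r);
    r = hardened_handler(len, &n);
    printf("hardened: request %s\n", r ? "answered" : "discarded");
    free(r);
    return 0;
}
```

The two handlers differ by a single comparison. The vulnerable one sizes its reply from the 16-bit length the client supplied, so a three-byte request that claims 65,535 bytes of payload is answered with the neighbouring heap contents, which is where a real server keeps session data, credentials and, potentially, its private key. The hardened one refuses any request whose claimed payload does not fit inside the record it actually received.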
The attack affects a limited set of OpenSSL releases, those published by the project in the last two years (OpenSSL 1.0.1 through 1.0.1f; version 1.0.1g, released April 7, closes the hole), but the vulnerable code is already widespread. The flaw was introduced into the codebase in December 2011 and shipped to the public in March 2012 with OpenSSL 1.0.1. The company that discovered the vulnerability, security firm Codenomicon, estimated that two-thirds of Web servers could be vulnerable to the theft of information. On April 9, however, Web analytics firm Netcraft used the data it collects on server software to estimate that a lower fraction, 17.5 percent, was actually at risk. Even so, those affected include some of the largest Web services, operators that take security seriously. Because an attacker who exploited the flaw before a server was patched may already hold its private key, closing the hole means installing the fixed release and then reissuing certificates and rotating any passwords or session credentials that passed through the server.