A widespread vulnerability in OpenSSL, the software library used to secure communications on the Web, has undermined the security on hundreds of thousands of Web servers and services and has left online companies scrambling to close the security hole.
The vulnerability—officially dubbed the “TLS Heartbeat Read Overrun” issue and unofficially named “Heartbleed” by the firm that found it—allows attackers to scrape the memory of Web servers, grabbing up to 64 kilobytes of the last data communicated. While the issue only affects Linux servers, those computers are the most commonly used for Web servers and services on the Internet.
The vulnerability puts users’ passwords at risk, but also could reveal the private keys used in the encryption that secures the Secure HTTP, or HTTPS, protocol.
“The leaked memory areas might contain a lot of different content ranging from leftover data from previous communication over log messages up to private key material employed by the service/daemon,” Mark Schloesser, security researcher for Rapid7, a vulnerability management firm, said in a statement sent to eWEEK. “For this reason, there are lots of possible attack scenarios that can result from the vulnerability.”
The attack affects a limited number of OpenSSL releases—those published by the project in the last two years—but the vulnerable code is already fairly widespread. The issue was introduced into the codebase in December 2011 and released to the public in March 2012. The company that discovered the vulnerability, security firm Codenomicon, estimated that two-thirds of Web servers could be vulnerable to the theft of information. On April 9, however, Web analytics firm Netcraft used data collected on the usage of the vulnerable software to estimate that a lower fraction, 17.5 percent, was actually at risk. Yet, among those affected are the largest Web services, those that take security seriously.
“All affected systems should be updated immediately—this is essential,” Schloesser said. “Also, to mitigate attacks resulting from any potentially leaked keying material, any SSL keys from affected systems should be replaced and revoked.”
To estimate the danger, the company that revealed the flaw attacked its own systems. The impact was eye-opening, Codenomicon stated in a blog post.
“We attacked ourselves from outside, without leaving a trace,” Codenomicon researchers stated. “Without using any privileged information or credentials we were able steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.”
While the attack is sure to reignite the debate over the security merits of closed-source software versus open-source software, such as OpenSSL, either development methodology could have had a similar flaw, David Shearer, chief operating officer of (ISC)2, said in a statement sent to eWEEK.
“The arguments over the virtues of open-source software versus proprietary software have been around for a long time,” Shearer said. “The recent OpenSSL vulnerability may justify some rethinking of the open-source development life cycle, but the widespread problem of insecure software is not an open source versus proprietary source argument.”
The TLS Heartbeat Read Overrun vulnerability has been assigned CVE-2014-0160, according to the OpenSSL Project.