What Is It?
OpenSSL is a very widely used software component that adds encryption – a web server will very likely use OpenSSL to allow it to encrypt communications between yourself and it. The vulnerable versions of OpenSSL come equipped with new functionality – a “heart beat” that is used to keep connections alive and open.
When this functionality is not disabled and you are using a vulnerable version of OpenSSL, an attacker can make a connection to your server and ready up to 64Kbytes of the process memory. For each and every request.
This is a classic information leakage issue, and the attacker can trawl through a collection of 64Kbyte “chunks” of binary data looking for interesting information. In theory, these chunks of information can contain anything the process (the web server, the mail server, etc) contains within itself. Some examples include :-
- A researcher has used this vulnerability to expose Yahoo Mail account passwords.
- It is believed to be possible to extract a server’s private key to allow an attacker to decrypt communications traffic and/or impersonate the server.
Whilst trawling through binary chunks of data looking for interesting data is the sort of activity that seems to normal people to be so difficult that it would be almost impossible for someone. However it is possible, and for something like passwords is even easy. And for private keys, there are hints out there on how to do it.
But How Does This Affect Me?
If you are not a server administrator, this will all seem a bit geeky and not have much meaning for you.
It is probably better to ask: What should I do about this? And the answer is to do nothing unless you are advised to do so by a trusted source. Whatever damage has taken place already and service providers will be busy fixing the vulnerability.
The only addition to that is to make sure you update your software on your computers – your laptop, phone, tablet, etc. Whilst the media is concentrating on the server side of the problem, OpenSSL is also used on client machines, and that means that your computers are vulnerable in some way – whilst no exploits are known to exist today, it is still worth being proactive in making sure you apply updates.
Because sooner or later, attackers will use this vulnerability to attack you directly rather than via servers.
But How Serious Is This?
But perhaps not as much as some of the more extreme possibilities might suggest.
There is a great deal of probability involved here. For example, was it possible that this vulnerability was known to the “bad people” before the announcement this week? The vulnerability has existed for a year or two so it is possible it was known about. But probably not widely known.
Was it exploited? Possibly, but it’s probable that it wasn’t widely exploited – the activities of “bad people” tends to leak. If it was exploited, it was quite possible that it was limited to the NSA and GCHQ.
As to over-reaction, there was a comment on a blog entry about this that claimed that his Yahoo Mail account password had been compromised three times in the last month by this method. Well, possibly but it seems far more likely that his password had been compromised via other methods – such as using a weak password. Using this method against Yahoo’s servers may reveal some account passwords, but it is likely to reveal random account passwords each time. Meaning that an attacker will find it quite hard to compromise the password for a single account more than once.
Going forwards, it is very likely that this vulnerability will be used by “bad people” – there are already indications that they may be starting to try this.
So it is important and urgent for server administrators to look at this problem and fix :-
- Update vulnerable OpenSSL versions.
- Revoke the old SSL certificates
- Issue new SSL certificates.
- If passwords are known to have been compromised, issue a notice to suggest people change their passwords.
It is also important that client machines are updated as and when fixes are released.