A serious vulnerability named the Heartbleed bug was announced Monday night (04/07/2014) in OpenSSL (version 1.0.1 and the 1.0.2 beta), the popular open source cryptographic library. If you are using Nginx or Apache, there is a high probability that you are running OpenSSL. OpenSSL users should take the Heartbleed vulnerability very seriously, as it enables an adversary to obtain data from portions of the web server's memory.
This data can include sensitive material such as the server's private key, but it is not limited to that: any data held in the server's memory is at risk, including sensitive customer data. Nor is the exposure limited to web servers; if you use an SSL-based VPN that leverages OpenSSL, you may also be at risk. Access to this type of sensitive data creates a serious vulnerability because attackers can use it to decrypt past communications (when Perfect Forward Secrecy (PFS) is not configured), steal critical data and, in the case of a private key compromise, impersonate the associated server.
Resolution and Recommendations
We strongly recommend anyone using OpenSSL to:
- Verify which version of OpenSSL they are using and upgrade their systems to the appropriate fixed release from OpenSSL.
- Request a reissue (with a new private key) of any SSL certificates that were installed on affected servers, install the new certificate, then request revocation of the old certificate.
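The first recommendation is to verify the installed OpenSSL version. The following POSIX shell script is an added example, not part of the original advisory: it parses the line printed by `openssl version` and classifies the version against the publicly known affected range (1.0.1 through 1.0.1f and 1.0.2-beta1; fixed in 1.0.1g and 1.0.2-beta2). The function names and the sample version lines are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the advisory): classify an OpenSSL version string
# against the Heartbleed-affected range. Known affected releases are 1.0.1
# through 1.0.1f and 1.0.2-beta1; 1.0.1g and 1.0.2-beta2 carry the fix.
# Function names are hypothetical.

# Extract the version token from a line such as "OpenSSL 1.0.1e 11 Feb 2013"
# (the format printed by `openssl version`). Prints "unknown" if the line
# does not start with the word OpenSSL.
parse_openssl_version() {
    set -- $1
    if [ "$1" = "OpenSSL" ] && [ -n "$2" ]; then
        printf '%s\n' "$2"
    else
        printf 'unknown\n'
    fi
}

# Print exactly one of: affected, unaffected, patched, unknown.
# Patterns are ordered so the affected releases are matched before the
# broader "1.0.2*" pattern that covers later, fixed releases.
heartbleed_status() {
    case "$1" in
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta1|1.0.2-beta1-*)
            printf 'affected\n' ;;        # heartbeat extension present, unpatched
        0.9.*|1.0.0|1.0.0[a-z]*)
            printf 'unaffected\n' ;;      # predates the heartbeat extension
        1.0.1[g-z]*|1.0.2*|1.1.*|3.*)
            printf 'patched\n' ;;         # release that includes the fix
        *)
            printf 'unknown\n' ;;         # not a recognised OpenSSL version
    esac
}

# Convenience wrapper: classify a whole `openssl version` output line.
check_version_line() {
    heartbleed_status "$(parse_openssl_version "$1")"
}

# Constructed sample lines standing in for the output of `openssl version`
# on several hosts; each is classified when the script runs.
for line in "OpenSSL 1.0.1e 11 Feb 2013" \
            "OpenSSL 1.0.1g 7 Apr 2014" \
            "OpenSSL 1.0.2-beta1 24 Feb 2014" \
            "OpenSSL 1.0.0l 6 Jan 2014"; do
    printf '%-34s -> %s\n' "$line" "$(check_version_line "$line")"
done

# On a real host, classify the locally installed library if one is present.
if command -v openssl >/dev/null 2>&1; then
    printf 'local openssl                      -> %s\n' "$(check_version_line "$(openssl version)")"
fi
```

One caveat for practitioners: distributions such as Debian, Ubuntu and Red Hat often backport the fix without changing the letter suffix, so a host can report `1.0.1e` and still be patched. In that case treat the string match as a prompt to look further, not a verdict: check the build date with `openssl version -b` (a build on or after 7 April 2014 is a strong hint that the fix is included) and confirm against the distribution's package changelog or security advisory before deciding whether the certificate reissue step is needed.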
Thursday, April 10, 2014