Heartbleed: Serious OpenSSL zero day vulnerability revealed

Summary: A new OpenSSL vulnerability has shown up, and some companies are annoyed that the bug was revealed before patches could be delivered for it. Updated April 8.

New security holes are always showing up. The latest one, the so-called Heartbleed Bug in the OpenSSL cryptographic library, is an especially bad one.

[Image caption: Heartbleed OpenSSL zero-day vulnerability.]

Heartbleed affects only OpenSSL 1.0.1 (releases 1.0.1 through 1.0.1f) and the 1.0.2-beta release, but 1.0.1 is already broadly deployed. Since Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are at the heart of Internet security, this security hole is serious.

The flaw can potentially be used to reveal not just the contents of a secured message, such as a credit-card transaction over HTTPS, but the SSL keys themselves: the server's private key and the per-session keys derived from it. That material could then, in theory, be used as a skeleton key to decrypt traffic to, or impersonate, a secure server without leaving a trace that the site had been hacked. Because a leaked private key stays leaked, a patch alone does not undo the exposure; keys and certificates that lived in a vulnerable process need to be reissued once the patched library is running.

This bug is not a problem with OpenSSL's inherent design. It's an implementation problem, that is to say the result of a programming mistake, in the library's handling of the TLS heartbeat extension (tracked as CVE-2014-0160): a peer may claim a larger heartbeat payload than it actually sent, and an unpatched library copies that many bytes out of its own process memory into the reply. A fix is already available for the 1.0.1 line in OpenSSL 1.0.1g. Work is proceeding rapidly on a patch for the 1.0.2-beta line.
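What "an implementation problem" means here, as an added illustration rather than OpenSSL's own code: the snippet below models a heartbeat handler twice, once trusting the length field inside the message (the bug) and once checking it against the length of the record that actually arrived (the fix). The message layout (type byte, two-byte length, payload, at least 16 bytes of padding) follows the TLS heartbeat extension; the simulated memory, the "secret" string placed after the record, and the function names are constructed for the demonstration.

```c
/* Added example, not OpenSSL's code: a cut-down model of the TLS heartbeat
 * handler showing the class of mistake behind CVE-2014-0160 and its fix.
 * Memory layout, secret and function names are constructed for the demo. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

typedef size_t (*hb_handler)(const uint8_t *rec, size_t rec_len,
                             uint8_t *resp, size_t resp_cap);

/* Big-endian two-byte payload length that follows the type byte. */
static size_t hb_payload_len(const uint8_t *rec)
{
    return (size_t)((rec[1] << 8) | rec[2]);
}

/* Vulnerable handler: echoes back as many bytes as the PEER CLAIMED,
 * never asking whether the record it received was that long. */
size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                            uint8_t *resp, size_t resp_cap)
{
    (void)rec_len;                             /* the bug: record length ignored */
    if (rec[0] != HB_REQUEST) return 0;
    size_t payload = hb_payload_len(rec);
    if (3 + payload + HB_PADDING > resp_cap) return 0;  /* only guards the output */
    resp[0] = HB_RESPONSE; resp[1] = rec[1]; resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload);        /* reads past the end of the record */
    memset(resp + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Fixed handler: header + claimed payload + padding must fit inside the
 * record actually received; otherwise the request is dropped silently. */
size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                       uint8_t *resp, size_t resp_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING) return 0;         /* too short to be valid */
    if (rec[0] != HB_REQUEST) return 0;
    size_t payload = hb_payload_len(rec);
    if (1 + 2 + payload + HB_PADDING > rec_len) return 0; /* the missing check */
    if (3 + payload + HB_PADDING > resp_cap) return 0;
    resp[0] = HB_RESPONSE; resp[1] = rec[1]; resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload);
    memset(resp + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Constructed "process memory": a 19-byte request (header + 16 bytes of
 * padding, no payload) followed by data the peer must never see. */
static const char SECRET[] = "PRIVATE-KEY-MATERIAL (constructed)";

static size_t lay_out_memory(uint8_t *mem, size_t mem_cap, uint16_t claimed)
{
    size_t rec_len = 1 + 2 + HB_PADDING;
    memset(mem, 0, mem_cap);
    mem[0] = HB_REQUEST;
    mem[1] = (uint8_t)(claimed >> 8);
    mem[2] = (uint8_t)(claimed & 0xff);
    memset(mem + 3, 0xAA, HB_PADDING);
    memcpy(mem + rec_len, SECRET, sizeof SECRET);
    return rec_len;
}

/* Runs a handler on a request that CLAIMS `claimed` payload bytes but sends
 * none. Returns 1 if the reply carried the secret out, 0 if not, -1 if the
 * claim would push the simulation itself outside its own buffer. (A real
 * attacker claims up to 65535 bytes; 200 is plenty for the demo.) */
int leaks_secret(hb_handler handler, uint16_t claimed)
{
    uint8_t mem[1024], resp[1024];
    if ((size_t)claimed + 3 > sizeof mem) return -1;
    size_t rec_len = lay_out_memory(mem, sizeof mem, claimed);
    size_t n = handler(mem, rec_len, resp, sizeof resp);
    size_t slen = sizeof SECRET - 1;
    for (size_t i = 0; n >= slen && i + slen <= n; i++)
        if (memcmp(resp + i, SECRET, slen) == 0) return 1;
    return 0;
}

/* A legitimate request (claims exactly what it sends) must still be answered:
 * both handlers reply with 3 + 0 + 16 = 19 bytes. */
size_t honest_reply_len(hb_handler handler)
{
    uint8_t mem[1024], resp[1024];
    size_t rec_len = lay_out_memory(mem, sizeof mem, 0);
    return handler(mem, rec_len, resp, sizeof resp);
}

int main(void)
{
    printf("vulnerable handler leaks secret: %s\n",
           leaks_secret(heartbeat_vulnerable, 200) == 1 ? "yes" : "no");
    printf("fixed handler leaks secret:      %s\n",
           leaks_secret(heartbeat_fixed, 200) == 1 ? "yes" : "no");
    printf("honest request reply length (fixed): %zu\n",
           honest_reply_len(heartbeat_fixed));
    return 0;
}
```

The only difference between the two handlers is one comparison of the claimed length against the real record length, which is why a single small patch closes the hole while the unpatched code hands over whatever happens to sit in memory after the request.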

That's bad enough, but what really has some operating-system and security companies ticked off is this: while OpenSSL and others were hard at work delivering the patched versions that would have limited the hole's usefulness to black-hat hackers, CloudFlare, a Web security company, revealed in a blog posting details about the security hole and that they had already fixed the bug. They appear to have used the methods described by OpenSSL. Unfortunately for everyone else, those methods were not yet ready for broad deployment.

According to one senior security developer at a major operating system company, "The main problem with what CloudFlare did was that they jumped the gun before the FIRST AVAILABLE patches were available to users. You don't open the door and wave a red flag before the patches are ready to go."

John Graham-Cumming, a CloudFlare programmer, insisted that this misrepresented CloudFlare's impact on the news of the Heartbleed security hole, since the OpenSSL announcement had been posted to Hacker News earlier.

At this time, I am informed by sources that Red Hat, Debian, SuSE, Canonical, and Oracle, to name a few, are working at a feverish pace to get the patched versions of OpenSSL out to their clients. It's expected that it may take approximately 12 hours to deliver the patches. Once they become available, anyone using OpenSSL 1.0.1 or 1.0.2 must deploy the patched version as fast as possible.

Topics: Security, Networking, Open Source

Talkback

38 comments
  • Wow

    That sucks.
    schultzycom
    • Time to end the "Open = more secure" myth

      ... and every other "Open = safe, better, quality" nonsense as well
      LBiege
      • you never know...

        You never know; closed source could have similar issues, we just don't know.
        docesam
      • Open is safer. How do you think they found the flaw?

        LBiege, you are slinging bullshit. It is precisely because CloudFlare had full access to the source code that they were able to discover the flaw and fix it. Researchers found this flaw, not hackers. And because of that all the major vendors have patched it. This is not really the big story that the MSM is trying to make it into.
        nathan@...
        • And how do you know that the hackers weren't first

          Just asking, how do you know?
          Cynical99
      • And you trust MS based on.......

        Your ignorance is there for all to see.
        dettol
      • quite the opposite

        I think that it is the other way around: thanks to the fact that it is open, the bug was found and the users were informed of the bug. If it were not, probably we would have never known about it and we would be exposed without ever knowing.
        miguel5862
  • So now Microsoft's "responsible disclosure" is de rigueur in the OSS world?

    This used to be controversial.
    larry@...
    • I don't recall seeing that in the article

      And I do recall "responsible disclosure" emerging as a compromise between MS original position that bugs should not be disclosed until they're fixed (today advocated by nobody I'm aware of), and what MS termed "information anarchy".
      John L. Ries
      • Now I see it

        He didn't say which vendors were annoyed, though.
        John L. Ries
  • Say Whaaat?

    2+ yrs., untraceable, and the hackers don't know about it? That's THEIR JOB, their LIFE MISSION - chaos, anarchy, theft, arrogance, and fun!! Something is wrong with this picture. I don't know what it is, but something smells rotten in Denmark here, and it ain't the cheese.
    juandegringo
    • Yea, “Say Whaaat”

      What are you trying to comment on?
      daikon
  • CloudFlare

    1. Good job on giving CloudFlare free publicity for being a bad actor - you spelled their name right and even linked to them.
    2. A note on your *really* shoddy research. A company that employs 10+ "systems reliability engineers" and zero security analysts is not a web security company. They're a CDN (content delivery network).
    mcosby
    • You do have more than a claim correct?

      "2. A note on your *really* shoddy research. A company that employs 10+ "systems reliability engineers" and zero security analysts is not a web security company. They're a CDN (content delivery network)."

      http://www.cloudflare.com/people
      daikon
    • Correct

      Absolutely right. They charge their customer for "security" features which are virtually non-existent.
      And yes, while they have no security engineers on their staff, their marketing team is evolving. They are now looking for a PR manager :)
      Snake oil technology requires no expertise - not as long as you have a few good salesmen.
      HShell
      • And as a CDN they...

        And my experience with them as a CDN was awful. I couldn't wait to get off their system. My hosting company offered it as a 'speedup' as well as a security enhancer. It was SLOWER than my OK-ish host.
        ks2problema
  • Heartbeat Detector

    I made a tool to check the status of your SSL and see if heartbeat is enabled. If it is, you should run this command: openssl version -a

    Ensure your version is NOT 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1, 1.0.2-beta1

    Tool at: http://rehmann.co/projects/heartbeat/
    lrehmann
    • The tool has already been written

      SYNOPSIS
      openssl version [-a] [-v] [-b] [-o] [-f] [-p]

      http://www.openssl.org/docs/apps/version.html
      daikon
    • Not quite.

      "Ensure your version is NOT 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1, 1.0.2-beta1"

      Unless you run Red Hat or derivatives, in which case it'll report as 0.9.8, etc.
      Uncle Stoat
  • Red Hat patch

    Important: openssl security update

    Bug 1084875 - (CVE-2014-0160) CVE-2014-0160 openssl: information disclosure in handling of TLS heartbeat extension packets

    This issue has been addressed in following products: Red Hat Enterprise Linux 6
    Via RHSA-2014:0376

    https://rhn.redhat.com/errata/RHSA-2014-0376.html
    daikon