On Monday, a potentially critical security vulnerability in OpenSSL was disclosed. It was discovered independently by the security firm Codenomicon and by Neel Mehta, a Google security engineer, and it allows an attacker to read up to 64 kilobytes of memory per request from a server running a vulnerable OpenSSL version.

The flaw is in the popular OpenSSL cryptographic library, and it allows attackers to steal information that would normally be protected by the SSL (Secure Sockets Layer) or TLS (Transport Layer Security) encryption used to secure the Internet.

OpenSSL is an open-source implementation of the SSL and TLS protocols. It is a cryptographic library used to encrypt communication between web servers and their users. It is used by many of the most popular websites, including Yahoo, Google and Twitter, and by the Apache web server, which powers almost half of the websites on the Internet.

About the Bug - Heartbleed
The bug has been named "Heartbleed". The vulnerability sits in OpenSSL's implementation of the TLS Heartbeat extension and is a memory disclosure rather than a memory leak: the heartbeat handler trusts the payload length claimed by the peer and copies that many bytes from memory back into the response, regardless of how many bytes were actually sent. The bug, tracked as CVE-2014-0160, lets an attacker read up to 64 kB of memory per heartbeat request from a server, or from a connected client, running a vulnerable version of OpenSSL, and repeating the request returns a fresh 64 kB slice each time. In other words, an attacker can remotely harvest whatever happens to be in that memory, in plaintext: private keys, session cookies, usernames and passwords, and other confidential data, without leaving a trace in the server's logs.

“We have tested some of our own services from attacker’s perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, usernames and passwords, instant messages, emails and business critical documents and communication,” the researchers noted in their post.

How to Fix it?
The OpenSSL project has fixed the vulnerability and released a new version, OpenSSL 1.0.1g. Servers running OpenSSL 1.0.1 through 1.0.1f (and the 1.0.2-beta1 pre-release) are vulnerable and should upgrade to 1.0.1g, which has just been released; the older 1.0.0 and 0.9.8 branches never contained the Heartbeat code and are not affected. If the upgrade cannot be rolled out immediately, OpenSSL can be recompiled with -DOPENSSL_NO_HEARTBEATS to disable the extension. Note that upgrading only stops further leakage; it does not undo what may already have been read. Because private keys could have been exposed while the server was vulnerable, certificates should be revoked and reissued with freshly generated keys, and session cookies and user passwords should be reset once the fix is in place.
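The over-read described under "About the Bug" and the bounds check that 1.0.1g adds, reduced to a stand-alone C simulation. This is an added example, not OpenSSL's own code: the record layout follows RFC 6520, but the in-process "arena" standing in for the heap, the `heartbeat_vulnerable` and `heartbeat_fixed` handlers, and the secret string placed next to the record are all assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Wire format of a TLS heartbeat message (RFC 6520): 1 byte type,
 * 2 byte big-endian payload_length, payload, then >= 16 bytes padding. */
#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16
#define HB_MAX_RESPONSE  (1 + 2 + 65535 + HB_PADDING)

typedef size_t (*hb_handler)(const unsigned char *rec, size_t rec_len,
                             unsigned char *out);

/* Write a heartbeat request at the start of `buf`, claiming `claimed`
 * payload bytes but actually supplying only `actual` bytes. Returns the
 * number of bytes that would really have arrived on the wire. */
static size_t build_request(unsigned char *buf, uint16_t claimed,
                            const unsigned char *payload, size_t actual)
{
    buf[0] = TLS1_HB_REQUEST;
    buf[1] = (unsigned char)(claimed >> 8);
    buf[2] = (unsigned char)(claimed & 0xff);
    memcpy(buf + 3, payload, actual);
    return 1 + 2 + actual;
}

/* Handler shaped like the pre-1.0.1g logic: read the peer's claimed
 * payload length and memcpy that many bytes back into the response.
 * rec_len, the size of the record that actually arrived, is never
 * consulted, so a claimed length larger than the real payload copies
 * whatever lies after the record in memory into the reply. */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                   unsigned char *out)
{
    (void)rec_len;                                  /* the bug: ignored */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    out[0] = TLS1_HB_RESPONSE;
    out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);              /* over-read */
    memset(out + 3 + payload, 0, HB_PADDING);
    return 1 + 2 + payload + HB_PADDING;
}

/* Handler shaped like the 1.0.1g fix: type, length field, claimed payload
 * and minimum padding must all fit inside the record that was received;
 * otherwise the message is silently discarded. */
static size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                              unsigned char *out)
{
    if (rec_len < 1 + 2 + HB_PADDING)
        return 0;                                   /* too short to be valid */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len)
        return 0;                                   /* claimed length lies */
    out[0] = TLS1_HB_RESPONSE;
    out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return 1 + 2 + payload + HB_PADDING;
}

/* Byte-string search; returns 1 if `needle` occurs anywhere in `hay`. */
static int contains(const unsigned char *hay, size_t hay_len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0)
            return 1;
    return 0;
}

/* Feed a malformed request (4 real payload bytes, 64 claimed) through
 * `handler` with a constructed secret placed right after the record, as it
 * might sit on a real heap. Returns 1 if the secret shows up in the reply. */
static int secret_leaks(hb_handler handler)
{
    static const char secret[] = "session=deadbeef; user=alice"; /* constructed */
    unsigned char arena[256] = {0};         /* stands in for process memory */
    size_t rec_len = build_request(arena, 64, (const unsigned char *)"ping", 4);
    memcpy(arena + rec_len, secret, sizeof secret);
    unsigned char *out = malloc(HB_MAX_RESPONSE);
    size_t n = handler(arena, rec_len, out);
    int leaked = n > 0 && contains(out, n, secret);
    free(out);
    return leaked;
}

/* A well-formed request (claimed == real length, padding present) must
 * still be answered by the fixed handler. Returns 1 on success. */
static int fixed_answers_valid_request(void)
{
    unsigned char arena[256] = {0};
    size_t rec_len = build_request(arena, 4, (const unsigned char *)"ping", 4)
                     + HB_PADDING;          /* sender's 16 bytes of padding */
    unsigned char *out = malloc(HB_MAX_RESPONSE);
    size_t n = heartbeat_fixed(arena, rec_len, out);
    int ok = n == 1 + 2 + 4 + HB_PADDING && memcmp(out + 3, "ping", 4) == 0;
    free(out);
    return ok;
}

int main(void)
{
    printf("vulnerable handler leaks secret:     %s\n",
           secret_leaks(heartbeat_vulnerable) ? "yes" : "no");
    printf("fixed handler leaks secret:          %s\n",
           secret_leaks(heartbeat_fixed) ? "yes" : "no");
    printf("fixed handler answers valid request: %s\n",
           fixed_answers_valid_request() ? "yes" : "no");
    return 0;
}
```

The simulation keeps the over-read inside its own 256-byte arena so it runs deterministically; in the real library the same memcpy walks off the end of the received record into neighbouring heap allocations, which is where keys, cookies and passwords from other connections come from. The only difference between the two handlers is the two-line length check, which is what the 1.0.1g patch adds.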

Details of the Bug
The researchers have posted the details and a proof of concept for the vulnerability on GitHub. You can also use this website to check whether your server is vulnerable to this bug.
