Security bugs come and go and are usually fixed by updated software, but one very serious security vulnerability has recently been discovered, leaving huge amounts of private keys and other secrets exposed to the Internet.
CVE-2014-0160, also known as Heartbleed, has been discovered in OpenSSL by a team of security engineers from Codenomicon and Google security researcher Neel Mehta. The vulnerability could give attackers access to a site’s secure data and the encryption keys protecting that data.
“The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software,” according to a website set up to educate people on the bug. “This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users, and the actual content.”
The bug has been dubbed Heartbleed because of how it affects OpenSSL’s implementation of the transport layer security protocol’s heartbeat extension (RFC 6520).
“When it is exploited, it leads to the leak of memory contents from the server to the client and from the client to the server,” according to the website.
While the bug only affects OpenSSL’s 1.0.1 and 1.0.2 beta release, OpenSSL is a part of everyone’s life in one way or another. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are at the core of Internet security, making the Heartbleed bug very dangerous.
“OpenSSL is the most popular open-source cryptographic library and TLS (transport layer security) implementation used to encrypt traffic on the Internet,” said the Heartbleed site. “Your popular social site, your company’s site, commerce site, hobby site, site you install software from, or even sites run by your government might be using vulnerable OpenSSL.”
Software to fix the bug has already been released, but it may be too late. The vulnerable versions have been out for more than two years, and it is unknown whether the security researchers were the first to uncover the problem.
According to the researchers, exploitation of the bug doesn’t leave any traces of anything abnormal in logs.
“We have tested some of our own services from [an] attacker’s perspective,” researchers wrote on the Heartbleed site. “We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials, we were able steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, e-mails, and business-critical documents and communication.”
The researchers suggested deploying TLS/DTLS honeypots in order to entrap attackers and alert about exploitation attempts.
“Although this is painful for the security community, we can rest assured that [the] infrastructure of the cyber criminals and their secrets have been exposed as well,” the researchers wrote.