OpenSSL is the most popular open source cryptographic library and TLS (Transport Layer Security) implementation, used to encrypt traffic on the Internet.
As far as security personnel are concerned, the most astonishing issue of 2014 was Heartbleed. Heartbleed is nothing… but yet another OpenSSL vulnerability!!!
With this bug, any user can read the memory of a system running a vulnerable OpenSSL version.
Those memory contents can include your username, password or other sensitive data.
OpenSSL has classified the leaked memory contents into 4 categories:
- Primary key material (nothing but encryption keys)
- Secondary key material (including usernames and passwords)
- Protected content (emails, documents and other data protected by encryption)
- Collateral (technical details such as memory addresses)
The issue lies in OpenSSL's implementation of the TLS heartbeat extension. It results in a memory leak from the server to the client and vice versa, and hence the issue is named "Heartbleed".
OpenSSL 1.0.1 through 1.0.1f (inclusive) are marked as the vulnerable versions.
The fixed version of OpenSSL was released within a very short time frame, as this posed a very big threat to most companies. OpenSSL 1.0.1g, released on 7th of April 2014, fixes the Heartbleed bug.
And the funniest part about this bug is that it leaves no trace of anything abnormal in the logs. So you can't tell whether someone has exploited it in your setup.
Remediation:
Upgrade your OpenSSL to 1.0.1g, which is not vulnerable and contains the fix. In addition, the OpenSSL 1.0.0 branch and the OpenSSL 0.9.8 branch are considered NOT vulnerable to the Heartbleed issue.
Know more about other OpenSSL vulnerabilities at https://www.openssl.org/news/vulnerabilities.html
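As an added example (not code from the original post or from the OpenSSL project), the following Python helper parses the banner printed by `openssl version` and classifies a build against the version ranges given above: 1.0.1 through 1.0.1f vulnerable, 1.0.1g and later fixed, and the 1.0.0 and 0.9.8 branches not affected. The function names, the host names and sample banners, and the "unknown" label for branches the post does not cover are my own assumptions.

```python
import re
import shutil
import subprocess

# Version facts as stated in the post: 1.0.1 through 1.0.1f (inclusive) are
# vulnerable; 1.0.1g (released 7 April 2014) carries the fix; the 1.0.0 and
# 0.9.8 branches are not vulnerable. Anything else is reported as "unknown"
# because the post does not cover it ("unknown" is my own label, not an OpenSSL term).
AFFECTED_BRANCH = (1, 0, 1)
FIXED_PATCH_LETTER = "g"
UNAFFECTED_BRANCHES = {(1, 0, 0), (0, 9, 8)}

# Matches the start of an `openssl version` banner such as
# "OpenSSL 1.0.1e 11 Feb 2013" or "OpenSSL 1.0.1e-fips 11 Feb 2013".
_BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Return (major, minor, fix, patch_letters) from an `openssl version` banner.

    OpenSSL 1.0.x releases append a letter for each patch release
    (1.0.1, 1.0.1a, ... 1.0.1f, 1.0.1g); the letters are returned as a string
    that is empty for the unlettered base release.
    """
    match = _BANNER_RE.search(banner)
    if match is None:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, fix, patch = match.groups()
    return int(major), int(minor), int(fix), patch


def heartbleed_status(banner):
    """Classify a banner as 'vulnerable', 'fixed', 'not-affected' or 'unknown'."""
    major, minor, fix, patch = parse_openssl_version(banner)
    branch = (major, minor, fix)
    if branch in UNAFFECTED_BRANCHES:
        return "not-affected"
    if branch != AFFECTED_BRANCH:
        return "unknown"
    # Within 1.0.1 the patch letters sort alphabetically: "" < "a" < ... < "f" < "g".
    return "vulnerable" if patch < FIXED_PATCH_LETTER else "fixed"


def audit_banners(banners):
    """Map each host name to its status, for a fleet of collected banners."""
    return {host: heartbleed_status(banner) for host, banner in banners.items()}


def local_openssl_status():
    """Run `openssl version` on this machine; return None if no binary is found."""
    if shutil.which("openssl") is None:
        return None
    out = subprocess.run(["openssl", "version"], capture_output=True,
                         text=True, check=False).stdout
    return heartbleed_status(out) if out.startswith("OpenSSL") else "unknown"


# Constructed sample banners (hypothetical hosts, not real inventory data).
SAMPLE_BANNERS = {
    "web-01": "OpenSSL 1.0.1e 11 Feb 2013",        # vulnerable
    "web-02": "OpenSSL 1.0.1 14 Mar 2012",         # vulnerable (unlettered base release)
    "web-03": "OpenSSL 1.0.1g 7 Apr 2014",         # fixed
    "db-01": "OpenSSL 1.0.0l 6 Jan 2014",          # not-affected
    "legacy-01": "OpenSSL 0.9.8y 5 Feb 2013",      # not-affected
    "lab-01": "OpenSSL 1.0.2-beta1 24 Feb 2014",   # unknown (branch not covered by the post)
}

if __name__ == "__main__":
    for host, status in sorted(audit_banners(SAMPLE_BANNERS).items()):
        print("%-10s %s" % (host, status))
    print("local:", local_openssl_status())
```

One caveat when using this on real hosts: Linux distributions commonly backport the fix into a package that still reports an older banner such as 1.0.1e, so a "vulnerable" verdict from the banner alone is a prompt to check the package's changelog or the vendor's security advisory, not a final answer.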