0

Heartbleed vulnerability discovered in OpenSSL cryptographic library

Researchers have discovered a vulnerability in the highly popular OpenSSL library that could leave online services vulnerable to data breaches. The vulnerability, named ‘heartbleed’, exposes services utilising the OpenSSL cryptographic library to attacks that could leak the keys needed to decrypt data.

OpenSSL have this week confirmed that all versions of software dating back to 2011 are susceptible to the heartbleed vulnerability. The heartbleed vulnerability can be exploited to allow the attack access to system memory remotely. This could be catastrophic for any Internet service as attackers can gain access to keys utilised to encrypt data, enabling the attack read only access to all data transmitted across the service.

heartbleed vulnerability

The heartbleed vulnerability will affect thousands of web servers across the globe and could allow attackers rad only access to customer data

The heartbleed vulnerability will affect thousands of services as OpenSSL is the standard library used for SSL and TLS encryption across the globe. For example, Apache and nginx, used for over 60 percent of all web servers, utilises OpenSSL and will no doubt be the focus of interest for all those attacking websites. More alarmingly, however, OpenSSL is often used to protect credit card data during transaction services and is popular amongst virtual private network (VPN) services and messaging services. Simply put, the heartbleed vulnerability will be common across most web services across the globe in some way or another.

The heartbleed vulnerability exploits the heartbeat extension part of the Transport Security Layer (TLS) protocol and alarmingly leaves no trace of exploitation on the system. Once exploited, the attacker is able to read system memory directly in 64KB segments and reconstruct the data to gain access to usernames, passwords, personal information, encryption keys and potentially sensitive data such as credit card information.

The heartbleed vulnerability, discovered by security researchers this week and confirmed by the OpenSSL project, is exploitable in all versions of OpenSSL since 2011. OpenSSL, which comes as default with operating systems such as Ubuntu, have released a more recent version addressing vulnerabilities (titled OpenSSL 1.0.1g),  however, this will take some time to distribute and adopt based on the high numbers of use across the globe.

You can read more about the bug at http://heartbleed.com.

Filed in: News Tags: , , , , ,

Get Updates

Share This Post

Related Posts

Leave a Reply

Submit Comment

© 2017 Cyber Security News. All rights reserved.