The HeartBleed Bug

Two days ago a new OpenSSL Security Advisory was released, titled "TLS heartbeat read overrun (CVE-2014-0160)". OpenSSL 1.0.1 to 1.0.1f and 1.0.2-beta1 are affected. Older versions like 0.9.8 are not affected by this bug. This bug is also known as the Heartbleed bug.

What is the Heartbleed Bug


The Heartbleed bug is in OpenSSL's implementation of the TLS/DTLS (Transport Layer Security) Heartbeat extension (RFC 6520). When exploited, it leaks memory contents from the server to the client and from the client to the server. That memory could contain your private key or anything else in the process memory, including passwords and other sensitive information.

The security community calls this a catastrophic bug because it is worse than not having SSL at all: people can get your SSL keys without leaving any trace that an intrusion happened.

How-to Check for Heartbleed bug

If you have a service, website, mail server, etc. that uses SSL, you should check it. For a website, the easiest way is the online checker by Filippo.io. You can also use the command line version, but you will need Go installed to build and run that tool.

For IDS, you can also detect Heartbleed with Suricata, Bro IDS, or Snort (with an updated ruleset).
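The bug described above and the check the IDS rules perform both come down to one comparison: the heartbeat's declared payload_length against the bytes actually present in the record. The following Python is an added example, not code from the original post or from OpenSSL; it parses a TLS heartbeat record laid out as in RFC 6520 and applies the same bounds check the OpenSSL fix added, using sample records constructed inline.

```python
import struct

TLS_HEARTBEAT = 0x18   # TLS record content type for the Heartbeat extension (RFC 6520)
HB_HEADER = 1 + 2      # heartbeat type (1 byte) + payload_length (2 bytes)
HB_PADDING = 16        # RFC 6520 requires at least 16 bytes of random padding


def parse_tls_record(data: bytes):
    """Split one TLS record into (content_type, (major, minor), fragment)."""
    if len(data) < 5:
        raise ValueError("truncated TLS record header")
    content_type, major, minor, length = struct.unpack("!BBBH", data[:5])
    fragment = data[5:5 + length]
    if len(fragment) != length:
        raise ValueError("record length field exceeds captured bytes")
    return content_type, (major, minor), fragment


def heartbeat_is_malformed(fragment: bytes) -> bool:
    """True when the claimed payload_length cannot fit inside the record.

    This is the bounds check missing in OpenSSL 1.0.1 to 1.0.1f: a vulnerable
    peer trusted payload_length and copied that many bytes from its own
    memory into the response. RFC 6520 says such a message must be discarded.
    """
    if len(fragment) < HB_HEADER:
        return True
    hb_type, payload_length = struct.unpack("!BH", fragment[:3])
    if hb_type not in (1, 2):  # 1 = heartbeat_request, 2 = heartbeat_response
        return True
    return HB_HEADER + payload_length + HB_PADDING > len(fragment)


def check_record(data: bytes) -> str:
    """Classify one record: 'not-heartbeat', 'heartbeat-ok' or 'heartbeat-overrun'."""
    content_type, _, fragment = parse_tls_record(data)
    if content_type != TLS_HEARTBEAT:
        return "not-heartbeat"
    return "heartbeat-overrun" if heartbeat_is_malformed(fragment) else "heartbeat-ok"


# Constructed sample records (TLS 1.1 headers, 23-byte heartbeat fragments):
# a well-formed request carrying the 4-byte payload "ping" plus 16 bytes padding,
# the same record with payload_length overstated as 0x4000, and an
# application_data record for the non-heartbeat path.
BENIGN = bytes.fromhex("1803020017" "010004" "70696e67" + "00" * HB_PADDING)
OVERRUN = bytes.fromhex("1803020017" "014000" "70696e67" + "00" * HB_PADDING)
APP_DATA = bytes.fromhex("170302000141")

if __name__ == "__main__":
    for name, rec in (("benign", BENIGN), ("overrun", OVERRUN), ("appdata", APP_DATA)):
        print(name, check_record(rec))
```

The same length comparison is what a Suricata or Snort rule for CVE-2014-0160 expresses against the record bytes on the wire.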

What To Do If My Server Is Affected By This Bug

  • Update your server's OpenSSL package; most operating systems that shipped an affected OpenSSL version have already released an update. It is of course a good idea to update all packages installed on your server, but make sure the update will not break your application.
  • After updating, change your SSL certificate. Reissuing a certificate may be free or involve a fee; check with your SSL provider. Remember to also change your private key, not only your certificate.
  • If you have passwords on the application, change them, and assume they have already been breached.
