DBSA:2014-0007
Disclaimer: as technology changes, advisories may become out of date or may no longer be relevant. Please refer to the "Date" section of the header to be sure the advisory is current as it pertains to your situation.
Digibase Security Advisory - OpenSSL "Heartbleed" Vulnerability - End Users
Keywords: SSL, TLS, Vulnerability, Data Exposure, HTTPS, OpenSSL
DBSA ID: 2014-0007
Regarding: OpenSSL "Heartbleed" Vulnerability - End Users
Writeup: Kradorex Xeron (talk) 09:41, 11 April 2014 (EDT)
Date: 2014 04 11
Last Modified: 20140411085958 by Gung-ho Gun
Who should take note: Anyone and Everyone
Classification
Priority: HIGH
Rationale: Information could have been compromised by third parties, immediate attention is required.
Severity: HIGH
Rationale: Information disclosed may be utilized and leveraged to compromise user accounts across multiple sites.
Spread of Issue: MULTI-PLATFORM HIGH
Rationale: Affects all users of secure websites given the wide deployment of OpenSSL.
Description
OpenSSL is a popular program and library set used to deploy the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. Recently a vulnerability was found in the server implementation of the OpenSSL 1.0.1 version series whereby a client could misuse the "Heartbeat" mechanism, used to keep connections alive, to read server memory: by declaring a payload length longer than the data it actually sent, the client could cause the server to read back the requested length of data, disclosing memory unrelated to that connection. This disclosure can include anything from private encryption keys to usernames and passwords transmitted over encrypted connections.
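The defect described above is the absence of a single bounds check: the server trusted the payload length declared in the heartbeat header instead of comparing it with the number of bytes actually received. The following is an added illustration written for this advisory, not code from OpenSSL or from Digibase. It assumes the RFC 6520 heartbeat layout (one type byte, a two-byte big-endian payload length, the payload, then at least 16 bytes of padding), uses constructed request records, and zeroes the response padding where a real implementation would use random bytes. A well-formed request is echoed; a request whose header claims far more payload than was sent is rejected rather than answered from whatever memory follows the record.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* RFC 6520 HeartbeatMessage: type(1) | payload_length(2, network order) | payload | padding(>=16) */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_HDR = 3, HB_PADDING = 16 };

/* Build a heartbeat response for a received record.
 * Returns the response length, or -1 if the record is malformed.
 * The comparison of the declared payload length against rec_len is the
 * check whose absence caused the over-read described in the advisory. */
int heartbeat_respond(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HDR + HB_PADDING || rec[0] != HB_REQUEST)
        return -1;                                   /* too short, or not a request */
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HDR + payload_len + HB_PADDING > rec_len)
        return -1;                                   /* declared payload exceeds what was received */
    size_t resp_len = HB_HDR + payload_len + HB_PADDING;
    if (resp_len > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)payload_len;
    memcpy(out + HB_HDR, rec + HB_HDR, payload_len); /* echo only bytes the peer actually sent */
    memset(out + HB_HDR + payload_len, 0, HB_PADDING); /* constructed: zero padding instead of random */
    return (int)resp_len;
}

/* Build a request record carrying `payload` but advertising `declared_len` in its header. */
size_t build_request(uint8_t *buf, size_t cap, uint16_t declared_len,
                     const uint8_t *payload, size_t payload_len)
{
    size_t len = HB_HDR + payload_len + HB_PADDING;
    if (len > cap)
        return 0;
    buf[0] = HB_REQUEST;
    buf[1] = (uint8_t)(declared_len >> 8);
    buf[2] = (uint8_t)declared_len;
    memcpy(buf + HB_HDR, payload, payload_len);
    memset(buf + HB_HDR + payload_len, 0xAA, HB_PADDING); /* constructed padding */
    return len;
}

static const uint8_t kPayload[] = "ping";   /* 4 payload bytes; the NUL is not part of the record */

/* Honest request: declared length matches the payload. Returns the response length (23). */
int demo_well_formed(void)
{
    uint8_t rec[64], out[64];
    size_t n = build_request(rec, sizeof rec, 4, kPayload, 4);
    return heartbeat_respond(rec, n, out, sizeof out);
}

/* Returns 1 if the response to the honest request is a HB_RESPONSE echoing exactly "ping". */
int demo_echo_matches(void)
{
    uint8_t rec[64], out[64];
    size_t n = build_request(rec, sizeof rec, 4, kPayload, 4);
    int r = heartbeat_respond(rec, n, out, sizeof out);
    return r == 23 && out[0] == HB_RESPONSE && memcmp(out + HB_HDR, kPayload, 4) == 0;
}

/* Header claims 16384 payload bytes but only 4 were sent. Returns -1 (rejected). */
int demo_oversized_claim(void)
{
    uint8_t rec[64], out[64];
    size_t n = build_request(rec, sizeof rec, 0x4000, kPayload, 4);
    return heartbeat_respond(rec, n, out, sizeof out);
}

int main(void)
{
    printf("well-formed request -> response length %d\n", demo_well_formed());
    printf("oversized claim     -> %d (rejected)\n", demo_oversized_claim());
    return 0;
}
```

The only difference between the vulnerable and fixed behaviour is the comparison of the declared length with the received record length before the copy; everything else in a heartbeat handler is the same. On the server side this is the change the OpenSSL fix made; on the end-user side there is nothing to patch, which is why the mitigation below is about verifying the site and then rotating credentials.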
Mitigation/Solution
Users are advised to utilize the detection tool listed in the references section to determine whether a site they use is patched. If the site is patched, the results will display a green bar behind the Heartbeat/Heartbleed entry. Once that confirmation is received, a user may go ahead and change their passwords and/or security questions on the specific sites.
Users are further advised not to accept disclaimers from website services as sufficient unless the disclaimer explicitly states that the site used an unaffected library or software version. If further information is needed to make this determination, please contact the website administrator. If a determination cannot be made, do not accept the statement, and change any passwords and/or security questions.
References
- https://www.ssllabs.com/ssltest/index.html (DETECTION TOOL)
- http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/