OpenSSL Zero Day Vulnerability ‘Heartbleed’ Impacts Internet Encryption
A new zero day vulnerability (CVE-2014-0160) affecting OpenSSL nicknamed ‘Heartbleed’ was introduced in December 2011 and has been fixed today in OpenSSL 1.0.1g. The vulnerable versions of OpenSSL are 1.0.1 through 1.0.1f with two exceptions: OpenSSL 1.0.0 branch and 0.9.8.
Attackers who exploit the vulnerability can monitor all data passed between a service and client, or decrypt historical encrypted data if it was collected. Many modern operating systems use vulnerable versions of OpenSSL including Debian Wheezy, Ubuntu 12.04.4 LTS, CentOS 6.5, Fedora 18, OpenBSD 5.3, FreeBSD 8.4, NetBSD 5.0.2 and OpenSUSE 12.2.
In addition OpenSSL is runs atop two of the most widely used Web servers, Apache and nginx, as well as email servers and chat services, VPN and other software that use the code library. Many devices that use embedded Linux including routers and other devices may also be susceptible.
Writing an exploit for this vulnerability is trivial and several proof-of-concepts are already making their rounds on the Internet. It is recommended that those running OpenSSL upgrade to version 1.0.1g as well revoke any potentially compromised keys and reissue new ones.