OpenSSL released a security advisory yesterday (7/Apr/2014) regarding the TLS heartbeat read overrun (CVE-2014-0160). [1] This is a CRITICAL vulnerability affecting 1.0.1 and 1.0.2-beta releases of OpenSSL, including 1.0.1f and 1.0.2-beta1.
An attacker can read memory contents of the remote server . The server will not crash or otherwise exhibit suspicious behaviour. Successful exploitation leaks usernames, passwords, web application session cookies or other sensitive information.
Currently, some of the vulnerable websites are:
yahoo.com
okcupid.com
flickr.com
The quickest way to test your server is by using the following link:
http://filippo.io/Heartbleed/
Remediation:
Affected users should upgrade to OpenSSL 1.0.1g. The alternaltive at this point if you cannot upgrade to OpenSSL 1.0.0g is to recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS
For remediating against an Apache install you will also need to upgrade libssl (libssl1.0.0).
Note that Ubuntu 1.0.1-4ubuntu5.12 of OpenSSL resolves the issue.
Temporary Snort signatures:
a) alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"Heartbleed attack with ssltest.py";flow:to_server,established; content:"|18 03 02 00 03 01 40 00|"; rawbytes; isdataat:!1,relative; reference:cve,2014-0160; sid: 6000000; rev:1;)
b) alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"Heartbleed attack";flow:to_server,established; content:"|18 03|"; rawbytes; depth:2; byte_test:1, &, 3, 0, relative; byte_test:2, >, 200, 3, relative, big; reference:cve,2014-0160; sid: 6000001; rev:2;)
[1] http://www.openssl.org/news/secadv_20140407.txt
An attacker can read memory contents of the remote server . The server will not crash or otherwise exhibit suspicious behaviour. Successful exploitation leaks usernames, passwords, web application session cookies or other sensitive information.
Currently, some of the vulnerable websites are:
yahoo.com
okcupid.com
flickr.com
The quickest way to test your server is by using the following link:
http://filippo.io/Heartbleed/
Remediation:
Affected users should upgrade to OpenSSL 1.0.1g. The alternaltive at this point if you cannot upgrade to OpenSSL 1.0.0g is to recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS
For remediating against an Apache install you will also need to upgrade libssl (libssl1.0.0).
Note that Ubuntu 1.0.1-4ubuntu5.12 of OpenSSL resolves the issue.
Temporary Snort signatures:
a) alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"Heartbleed attack with ssltest.py";flow:to_server,established; content:"|18 03 02 00 03 01 40 00|"; rawbytes; isdataat:!1,relative; reference:cve,2014-0160; sid: 6000000; rev:1;)
b) alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"Heartbleed attack";flow:to_server,established; content:"|18 03|"; rawbytes; depth:2; byte_test:1, &, 3, 0, relative; byte_test:2, >, 200, 3, relative, big; reference:cve,2014-0160; sid: 6000001; rev:2;)
[1] http://www.openssl.org/news/secadv_20140407.txt