Emergency SSL/TLS Patching Under Way

Published: 22/11/2024   Category: security



A Heartbleed flaw revealed in the OpenSSL library leaks the contents of memory, including passwords, source code, and keys.



The race is on to fix SSL-based websites and software in the wake of a newly revealed and dangerous flaw in the popular OpenSSL library for encrypting HTTP traffic, with nearly one-third of major websites potentially at risk.
OpenSSL released a patch yesterday for a read-overrun bug in its implementation of the Transport Layer Security protocol's heartbeat extension, an extension to the protocol that checks on the site to which it is connecting to ensure it's connected and can respond. If exploited, the bug leaks the contents of the memory from the server to the client and vice versa, potentially exposing passwords and other sensitive data and, most alarmingly, the SSL server's private key. OpenSSL Versions 1.0.1 and 1.0.2 beta are affected by the vulnerability, which was discovered by security researchers at Google and Codenomicon.
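The bounds check that a heartbeat responder needs, shown as an added example that is not OpenSSL's code and not part of the original article. The message layout comes from RFC 6520 rather than from the article; the function names and the two sample records are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 6520 layout: type (1) | payload_length (2, big-endian) | payload | padding (>= 16) */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3
#define HB_MIN_PAD  16

/* Constructed sample: honest request, 5-byte payload "hello", 16 zero bytes of padding. */
static const uint8_t hb_honest[HB_HEADER + 5 + HB_MIN_PAD] =
    { HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
/* Constructed sample: claims a 0x4000-byte payload but carries none. */
static const uint8_t hb_lying[HB_HEADER + HB_MIN_PAD] = { HB_REQUEST, 0x40, 0x00 };

/* Bytes a length-trusting copy would read past the end of the record (0 if none). */
size_t hb_overread_bytes(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < HB_HEADER) return 0;            /* no length field to trust */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    return HB_HEADER + claimed > rec_len ? HB_HEADER + claimed - rec_len : 0;
}

/* Hardened echo: returns the response length, or 0 when the request is discarded. */
size_t hb_build_response(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER + HB_MIN_PAD) return 0;   /* truncated record */
    if (rec[0] != HB_REQUEST) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    /* The check whose absence caused the leak: the claimed payload must fit
       inside the bytes that were actually received. */
    if (claimed > rec_len - HB_HEADER - HB_MIN_PAD) return 0;
    size_t resp_len = HB_HEADER + claimed + HB_MIN_PAD;
    if (resp_len > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed);
    memset(out + HB_HEADER + claimed, 0, HB_MIN_PAD); /* zeros here; RFC 6520 asks for random padding */
    return resp_len;
}

int main(void)
{
    uint8_t out[64];
    printf("honest: %zu-byte response\n", hb_build_response(hb_honest, sizeof hb_honest, out, sizeof out));
    printf("lying:  %zu-byte response, %zu bytes over-read if unchecked\n",
           hb_build_response(hb_lying, sizeof hb_lying, out, sizeof out),
           hb_overread_bytes(hb_lying, sizeof hb_lying));
    return 0;
}
```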
"This is very significant because the hack allows you to extract up to 64 kilobits of server memory at a time. So you submit some malformed request to the server, get 64 kbit/s of server memory and whatever is in that chunk of memory," Ivan Ristic, who heads up the SSL Labs at Qualys, told us. "By nature of things, it handles sensitive information, including the private key of the server. If you get that, you can impersonate the server."
SSL, which encrypts communications sessions on the web via websites, virtual private networks, email, and instant messaging sessions, has become the battle cry of the privacy world in the wake of Edward Snowden's leaks of documents revealing controversial NSA surveillance programs. But most websites today do not use SSL -- or HTTP-S. Retailers, social networks, and other sites that handle sensitive user or financial information typically use SSL.
The SSL vulnerability may be the harbinger of things to come, now that Internet encryption is getting more attention and adoption, as researchers take a closer look at implementations. "It's clearly still better to have SSL... but the majority of the world does not," Ristic said. "It's still much easier to attack sites not running SSL. It's going to get worse before it gets better. These things are coming out because we are paying more attention to encryption, and now these things are coming to light."
Patching has been under way for many major operators and server vendors, including Debian, CentOS, RedHat, SUSE Linux, and Ubuntu, while others have been slower to update: as of this posting, Yahoo had not yet been updated for the flaw. Many major websites have not been patched yet. "It's difficult to do if you are running multiple devices that need to be patched for it -- you have to wait," Ristic said. "Someone with a large infrastructure may take some time to update. This is emergency patching all around the Internet."
To thwart attacks, experts say, organizations must either upgrade to the new OpenSSL 1.0.1g or recompile the library to disable the heartbeat function. The flaw is about two years old, and because any attack would be silent and undetected, experts recommend that organizations obtain new digital certificates.
"You may want to consider replacing SSL certificates if you are afraid that the exploit was already used against your site," Johannes Ullrich wrote in today's SANS Internet Storm Center Diary. "But the exploit is not limited to secret SSL key. All data in memory is potentially at risk."
The bug's exposure of the private SSL key is especially alarming to security experts. Meanwhile, multiple proof-of-concept tools are circulating online today and making it easy for attackers to exploit the Heartbleed bug.
"If they get the key, anyone who can intercept your communications can pretend to be the other end of the connection. So if you are connecting to your bank, do you want anyone reaching in and changing the dialog between you and the bank? So instead of asking for your balance, it transfers all of your money to hackers.us.com, for instance," said Andrew Ginter, industrial cybersecurity expert at Waterfall Security. "How realistic is it that anyone will intercept that communication? It's not that hard."
Jaime Blasco, director of AlienVault Labs, told us the flaw can be abused to steal not only usernames and passwords, but also some elements of the application's source code. The attack can also be combined with a man-in-the-middle attack to obtain credentials from the client before the server performs authentication.
Providers affected by the bug should not only patch but also replace their private keys and certificates for each of the services using the OpenSSL library, Blasco said.
