The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. OpenSSL provides security and privacy for communications over the Internet and is used by applications such as web transactions, email, instant messaging (IM) and some virtual private networks (VPNs). The Heartbleed Bug allows theft of information that is normally protected by the encryption used to secure the Internet.
The Heartbleed Bug allows anyone on the Internet to read the memory of systems protected by vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify service providers and to encrypt traffic, exposes the names and passwords of users, and exposes the actual content of their communications. Attackers can therefore eavesdrop on communications, steal data directly from services and users, and impersonate those services and users.
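The memory disclosure described above comes from a length field in a message being trusted without checking it against the number of bytes that actually arrived. The following C program is an added illustration of that pattern and its fix; it is not OpenSSL's code, and the three-byte message layout, the 128-byte "arena" standing in for process memory, and the planted secret string are all constructed for the demonstration. The vulnerable echo routine copies as many bytes as the sender declared, so the reply carries whatever happens to sit in memory after the short message; the hardened routine drops any message whose declared length exceeds what was received.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed message layout (an assumption for this example):
 *   byte 0     : message type (1 = echo request)
 *   bytes 1..2 : declared payload length, big-endian
 *   bytes 3..  : payload bytes */
#define ARENA_SIZE 128
#define HDR_LEN 3

/* One constructed "process memory" arena: the received record sits at the
 * start and unrelated sensitive data happens to live right after it. Keeping
 * everything in one buffer lets the over-read be shown without undefined
 * behaviour. */
static uint8_t arena[ARENA_SIZE];
static const char secret[] = "SECRET: session cookie=abc123"; /* constructed */

/* Write a record with the given declared length and real payload into the
 * arena, place the secret directly after it, and return how many bytes were
 * actually "received" on the wire. */
static size_t build_record(uint16_t declared_len, const char *payload) {
    size_t payload_len = strlen(payload);
    size_t record_len = HDR_LEN + payload_len;
    memset(arena, 0, sizeof arena);
    arena[0] = 1;
    arena[1] = (uint8_t)(declared_len >> 8);
    arena[2] = (uint8_t)(declared_len & 0xff);
    memcpy(arena + HDR_LEN, payload, payload_len);
    memcpy(arena + record_len, secret, sizeof secret);
    return record_len;
}

static uint16_t declared_length(const uint8_t *rec) {
    return (uint16_t)(((unsigned)rec[1] << 8) | rec[2]);
}

/* Vulnerable pattern: the declared length is used for the copy and the real
 * record size is ignored. Returns the number of bytes echoed. */
static size_t echo_vulnerable(const uint8_t *rec, size_t received,
                              uint8_t *out, size_t out_cap) {
    (void)received;                      /* the missing check: never consulted */
    uint16_t n = declared_length(rec);
    /* Only so this demo stays inside its constructed arena; a real process
     * has no such guard and reads whatever follows in memory. */
    if (HDR_LEN + (size_t)n > ARENA_SIZE || n > out_cap) return 0;
    memcpy(out, rec + HDR_LEN, n);
    return n;
}

/* Hardened version: the declared length must fit inside the bytes that
 * actually arrived, otherwise the message is silently discarded. */
static size_t echo_hardened(const uint8_t *rec, size_t received,
                            uint8_t *out, size_t out_cap) {
    if (received < HDR_LEN) return 0;               /* header incomplete */
    uint16_t n = declared_length(rec);
    if ((size_t)n > received - HDR_LEN) return 0;   /* declared > actual */
    if (n > out_cap) return 0;
    memcpy(out, rec + HDR_LEN, n);
    return n;
}

/* Does the echoed buffer contain the planted secret marker? */
static int contains_secret(const uint8_t *buf, size_t n) {
    const char *needle = "SECRET";
    size_t k = strlen(needle);
    for (size_t i = 0; i + k <= n; i++)
        if (memcmp(buf + i, needle, k) == 0) return 1;
    return 0;
}

/* Scenario 1: a 2-byte payload that claims to be 64 bytes long. */
int demo_vulnerable_leaks(void) {
    uint8_t out[ARENA_SIZE];
    size_t received = build_record(64, "hi");
    size_t n = echo_vulnerable(arena, received, out, sizeof out);
    return n == 64 && contains_secret(out, n);      /* 1: the secret leaked */
}

int demo_hardened_rejects(void) {
    uint8_t out[ARENA_SIZE];
    size_t received = build_record(64, "hi");
    return echo_hardened(arena, received, out, sizeof out) == 0;
}

/* Scenario 2: an honest message is still echoed by the hardened routine. */
int demo_hardened_echoes_valid(void) {
    uint8_t out[ARENA_SIZE];
    size_t received = build_record(2, "hi");
    size_t n = echo_hardened(arena, received, out, sizeof out);
    return n == 2 && out[0] == 'h' && out[1] == 'i';
}

int main(void) {
    printf("vulnerable echo leaks secret : %d\n", demo_vulnerable_leaks());
    printf("hardened echo rejects message: %d\n", demo_hardened_rejects());
    printf("hardened echo handles valid  : %d\n", demo_hardened_echoes_valid());
    return 0;
}
```

The fix is a single comparison, which is why the bug is a good example of why length fields read from the network must always be bounded by the size of the data actually received before they drive a copy.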
What leaks in practice?
Security engineers at Codenomicon, who discovered this vulnerability, tested some of their own services from an attacker's perspective. They were able to attack from the outside without leaving a trace. Without using any privileged information or credentials, they were able to steal the secret keys used for secured certificates; user names and passwords; instant messages and emails; and business-critical documents and communications.
How to stop the leak?
As long as a vulnerable version of OpenSSL is in use, it can be abused. A fixed version of OpenSSL has been released; now it has to be deployed. Operating system vendors and distributors, appliance vendors, and independent software vendors have to adopt the fix and notify their users. Service providers and users have to install the fix as it becomes available for their operating systems, networked appliances and software packages. Once the fix is installed, all passwords must be changed, as there is no way to know which have been compromised.
Where to find more information?
This vulnerability became public on April 7, 2014. A Q&A was published as a follow-up to the OpenSSL advisory. Individual vendors of operating system distributions, affected owners of Internet services, and software package and appliance vendors may issue their own advisories.