Certainly many of you likely read about the Heartbleed vulnerability that has affected much of the Internet. On Monday April 7th, security researchers reported the so-called Heartbleed bug in OpenSSL, which is a cryptographic library implementing the SSL/TLS security protocol.
What is the Heartbleed bug?
The Heartbleed Bug is vulnerability in the OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS is widely used to protect communication via websites, e-mail, instant messaging, etc.
The Heartbleed bug allows an adversary on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content, which in turn allows attackers to eavesdrop on communications and impersonate servers.
What versions of the OpenSSL are affected?
Status of different versions:
- OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
- OpenSSL 1.0.1g is NOT vulnerable
- OpenSSL 1.0.0 branch is NOT vulnerable
- OpenSSL 0.9.8 branch is NOT vulnerable
- Does it affect SecureMetric PKI products?
SecureMetric PKI products SecureCA and TMS-RA are not affected by this vulnerability, and does not use or link with OpenSSL. In case you deploy an Apache server as front end to SecureCA and TMS-RA, you should look into this vulnerability closer. By the nature of the vulnerability make an attack difficult to detect, you can take a cautious approach as following.
Verify OpenSSL version on apache server
Update OpenSSL on all HTTPS endpoints and restart all services (If it is affected version)
- Re-issue all SSL certificates using new signing keys
- Further reading:
- Heartbleed overview: read from here!
- Heartbleed alert: read from here!
If you have other systems using OpenSSL we recommend everyone to investigate if upgrades are needed. If you have further questions, do not hesitate to contact us