System administrators, I hope you weren't planning to have an easy day today?
Not only will Microsoft be releasing critical patches later on Tuesday (including the last ever security patches for Windows XP), but there now comes the potentially disastrous news that a serious security flaw has been uncovered in versions of OpenSSL’s transport layer security (TLS) protocols.
In case you're not aware, OpenSSL is the open-source software widely used to encrypt web communications, and a security flaw like that could be used by attackers to reveal the contents of a "secure" message, such as your credit card details shared with an online store via HTTPS.
But more than that, it could also disclose the secret SSL keys themselves. These are the "crown jewels", and could be used by malicious hackers to do even more damage, without leaving a trace.
Finnish security experts Codenomicon say in an excellent write-up of the issue, that large numbers of private keys and other secret information has been left exposed for long periods of time as a result of the programming screw-up.
Bugs in single software or library come and go and are fixed by new versions. However this bug has left large amount of private keys and other secrets exposed to the Internet. Considering the long exposure, ease of exploitation and attacks leaving no trace this exposure should be taken seriously.
The advice is to update to the just-released OpenSSL 1.0.1g immediately, and regenerate your private keys.
If it's not possible to update to the latest version of OpenSSL, software developers are advised to recompile OpenSSL with the compile time option OPENSSL_NO_HEARTBEATS.
Which versions of OpenSSL are vulnerable?
- OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
- OpenSSL 1.0.1g is NOT vulnerable
- OpenSSL 1.0.0 branch is NOT vulnerable
- OpenSSL 0.9.8 branch is NOT vulnerable
For more guidance and further reading: