Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?


Malware & Threats

OpenSSL ‘Heartbleed’ Bug Leaks Sensitive Data

Website owners should move quickly to patch a critical vulnerability (CVE-2014-0160) in the OpenSSL cryptographic software library.

Website owners should move quickly to patch a critical vulnerability (CVE-2014-0160) in the OpenSSL cryptographic software library.

The flaw, which was disclosed Monday, can be exploited to compromise the secret keys used to identify service providers and encrypt traffic, usernames, passwords and content. Dubbed ‘Heartbleed‘ because the bug is in the OpenSSL implementation of the TLS/DTLS heartbeat extension (RFC6520), the vulnerability was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on March 14, 2012. OpenSSL versions 1.0.1 through 1.0.1f are vulnerable, but the latest version released Monday – 1.0.1g – is not.

“Looking only at web servers, it seems that OpenSSL 0.9.8 and 1.0.0 are still the most popular versions, which are not affected,” said Mark Schloesser, security researcher for Rapid7. “However, we count at least a few hundred thousand servers using affected library versions, so it poses a significant threat. As the same problem affects other protocols/services such as mail servers and databases, we assume that, overall we’re looking at millions of vulnerable systems connected to the public Internet.”

According to an advisory from the OpenSSL Project, the issue comes down to a missing bounds check in the handling of the TLS heartbeat extension that can reveal up to 64K of memory to a connected client or server. However, the researchers that discovered the bug added that there technically is no 64K limit to the attack, as that limit applies only to a single heartbeat.

According to researchers at security vendor Codenomicon, who discovered the bug along with Neel Mehta from Google, an attacker can either keep reconnecting or keep requesting arbitrary numbers of 64 kilobyte chunks of memory content during an active TLS connection until enough secrets are revealed.  

“We have tested some of our own services from attacker’s perspective,” Codenomicon noted in an FAQ on the findings. “We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.”

TLS client certificate authentication does not mitigate the issue, nor does OpenSSL’s FIPS mode, according to Codenomicon. However, using Perfect Forward Secrecy (PFS) should keep past communications from retrospective decryption.

Advertisement. Scroll to continue reading.

A proof-of-concept exploit for the vulnerability has already made its way online. According to Fox-IT, Yahoo is among the sites vulnerable to attack.

“It is possible to detect successful exploitation of this vulnerability by inspecting the network traffic,” blogged Joost Bijl of Fox-IT. “We have developed Snort signatures to detect succesful exploitation of the ‘heartbleed bug’.”

“This bug,” he added, “affects both sides of the connection. Not only will client certificates not save you from having to update your server certificate, they can be read from the client (along with your username, password etc.) by any server you connect to. DNS poisoning, MitM etc. can be used to direct clients to a malicious server – it seems that this vulnerability can be exploited before the server has to authenticate itself.”

“OpenSSL is runs atop two of the most widely used Web servers, Apache and nginx, as well as email servers and chat services, VPN and other software that use the code library,” Ken Westin, a security researcher with Tripwire, told SecurityWeek.

“Many devices that use embedded Linux including routers and other devices may also be susceptible,” Westin said. “Attackers who exploit the vulnerability can monitor all data passing between a service and client, or decrypt historical encrypted data that has been collected. Many modern operating systems use vulnerable versions of Open SSL including  Debian Wheezy, Ubuntu 12.04.4 LTS, CentOS 6.5, Fedora 18, OpenBSD 5.3, FreeBSD 8.4, NetBSD 5.0.2 and OpenSUSE 12.2.”

*Additional reporting by Mike Lennon

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...