The Heartbleed vulnerability allows attackers to steal the private key of a server certificate. If the server is vulnerable to Heartbleed, an attacker can retrieve the private key and impersonate the server.
Security Assessment
CVSS Vector: AV:N/AC:L/AU:N/C:P/I:N/A:N
Vulnerability Information
The Heartbleed vulnerability allows attackers to steal the private key of a server certificate. If the server is vulnerable to Heartbleed, an attacker can retrieve the private key and impersonate the server, so secure connections to the web server are no longer possible. Heartbleed was one of the most critical vulnerabilities of recent years. Security researcher Bruce Schneier put it this way: '"Catastrophic" is the right word. On the scale of 1 to 10, this is an 11.'
Guides
Follow this guide to protect the server against the Heartbleed attack:
OpenSSL
Update OpenSSL to the latest version. The following versions are not vulnerable to Heartbleed:
- OpenSSL 1.0.1g (fixed)
- OpenSSL 1.0.0 (not affected)
- OpenSSL 0.9.8 (not affected)
For example, run:
apt-get update; apt-get upgrade # Debian / Ubuntu
yum update # RHEL / CentOS
pacman -Syu # Arch Linux
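To see which of the states above a host is in, the following added shell example (not part of the original guide) classifies the line printed by `openssl version` against the fixed and not-affected versions listed. It assumes the output has the form "OpenSSL <version> <date>", and it additionally treats the pre-release 1.0.2-beta1 as vulnerable, which the OpenSSL advisory for this bug listed but this guide does not mention.

```shell
# Added example, not from the original advisory: classify an `openssl version`
# line as vulnerable / fixed / not-affected / unknown.
# Caveat: Debian, Ubuntu and RHEL backport the fix without changing the upstream
# version string (a patched package may still print 1.0.1e), so "vulnerable"
# here means "confirm against the package changelog", not proof of exposure.
heartbleed_status() {
    # $1 is a full version line, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
    product=$(printf '%s\n' "$1" | awk '{print $1}')
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    [ "$product" = "OpenSSL" ] || { echo "unknown"; return; }
    case "$ver" in
        1.0.0*|0.9.8*)                echo "not-affected" ;; # branches without the heartbeat bug
        1.0.1[g-z]*)                  echo "fixed" ;;        # 1.0.1g and later 1.0.1 releases
        1.0.1|1.0.1-*|1.0.1[a-f]*)    echo "vulnerable" ;;   # 1.0.1 through 1.0.1f
        1.0.2-beta1*)                 echo "vulnerable" ;;   # pre-release that shipped the bug
        1.0.[2-9]*|1.[1-9]*|[2-9].*)  echo "fixed" ;;        # later branches
        *)                            echo "unknown" ;;
    esac
}

# Constructed sample lines showing each outcome.
for line in "OpenSSL 1.0.1e 11 Feb 2013" "OpenSSL 1.0.1g 7 Apr 2014" \
            "OpenSSL 1.0.0l 6 Jan 2014" "LibreSSL 2.0.0"; do
    printf '%-30s -> %s\n' "$line" "$(heartbleed_status "$line")"
done

# Classify the binary installed on this host, if there is one.
if command -v openssl >/dev/null 2>&1; then
    printf '%-30s -> %s\n' "local: $(openssl version)" "$(heartbleed_status "$(openssl version)")"
fi
```

Upgrading only replaces the library on disk: restart every service that links against OpenSSL (web, mail, VPN) so it loads the fixed copy, and because the private key may already have been read, generate a new key and have the certificate reissued and the old one revoked.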