Prevent Heartbleed

    The heartbleed vulnerability allows attackers to steal the private key of a server certificate. If the server is vulnerable to heartbleed, this means that an attacker can retrieve the private key and impersonate the server.

    Security Assessment

    Security_Assessment_PreventHeartbleed

    CVSS Vector: AV:N/AC:L/AU:N/C:P/I:N/A:N

    Vulnerability Information

    The heartbleed vulnerability allows attackers to steal the private key of a server certificate. If the server is vulnerable to heartbleed, this means that an attacker can retrieve the private key and impersonate the server. Therefore secure connections to the webserver are not possible anymore. The heartbleed vulnerability was one of the most critical vulnerabilities in the last years. According to security researcher Bruce Schneier: '"Catastrophic" is the right word. On the scale of 1 to 10, this is an 11.'

    Guides

    Follow this guide to prevent the heartbleed attack:

    OpenSSL

    Update OpenSSLto the latest version. The following versions are known to have fixed the heartbleed vulnerability:

    • OpenSSL 1.0.1g
    • OpenSSL 1.0.0 (not affected)
    • OpenSSL 0.9.8 (not affected)

    E.g. run:

    apt-get update; apt-get upgrade # Debian / Ubuntu
    yum update                      # RHeL / CentOS
    pacman -Syu                     # Arch Linux

    For more information about Crashtest Security visit crashtest-security.com

    Crashtest Security GmbH Wiki