The Heartbleed bug is a flaw in OpenSSL's implementation of the TLS heartbeat extension that lets an unauthenticated attacker read up to 64 KB of a server's process memory per request. That memory can contain the private key of the server certificate; an attacker who retrieves it can impersonate the server.
CVSS v2 vector: AV:N/AC:L/Au:N/C:P/I:N/A:N (base score 5.0): reachable over the network, low attack complexity, no authentication required, partial impact on confidentiality, none on integrity or availability, which is exactly the profile of a remote memory disclosure.
The Heartbleed bug is tracked as CVE-2014-0160 in the Common Vulnerabilities and Exposures (CVE) list maintained by MITRE. Technically it is a buffer over-read, an out-of-bounds read: the OpenSSL code that answers a TLS/DTLS heartbeat request (RFC 6520) trusts the payload length stated in the request and copies that many bytes into the reply without checking it against the length of the record it actually received, so up to 64 KB of whatever lies beyond the request in memory is sent back to the peer.
What's the Heartbleed vulnerability in a nutshell? Each malformed heartbeat returns a chunk of the server's process memory, and repeated requests let an attacker harvest session cookies, passwords users submitted over TLS and, eventually, the private key of the server certificate. With that key, an attacker can impersonate the server and, for connections that did not use forward secrecy, decrypt previously recorded traffic. The consequences are dire: the 'secure' in a TLS connection to such a server can no longer be trusted, and personal information handled by it can be exposed.
How The Heartbleed Bug Affects Your Web Application
The impact of the Heartbleed bug was widespread, which is why it is considered critical. Every HTTPS site shows a 'lock' icon next to the address and an 's' at the end of 'https'; that icon promises that traffic to the site is encrypted and that the site is who it claims to be. On a server running a vulnerable OpenSSL build, both promises could be broken without the lock ever disappearing.
As of April 2014, the open-source web servers Apache and nginx, both of which normally link against OpenSSL for TLS, served about two-thirds of all active websites. This gives an idea of the massive scope of the Heartbleed vulnerability. It affected digital companies and public bodies alike, including the Canada Revenue Agency.
A malicious heartbeat is a valid TLS record that never reaches the application layer, so exploitation leaves no trace in ordinary web-server logs. That makes intrusion detection, and any estimate of how often the bug was actually exploited, difficult: only network-level inspection of TLS records (or full packet capture) can reveal an attempt. End users could do little on their own, since the flaw was in the server. Once a site had patched OpenSSL and reissued its certificate, they still needed to change their passwords, because credentials entered before the fix may already have been captured.
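To make the over-read concrete, here is an added example in C (not OpenSSL's own code, and not from the original article) that models the heartbeat responder: a simulated heap array with a constructed fake secret placed right after the incoming record, the vulnerable copy that trusts the claimed payload length, the corrected copy that applies the check OpenSSL 1.0.1g added, and the same check expressed as a detector that a network sensor could run on decoded heartbeat records, which is the only place an attempt shows up, since server logs stay silent. The names build_request, heartbeat_vulnerable, heartbeat_fixed, heartbeat_is_oversized and leaks_secret are this example's own. In a real OpenSSL process the read runs into neighbouring allocations, up to roughly 64 KB; here it stays inside the demo's own array so the demo itself has no undefined behaviour.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not OpenSSL's own code: a cut-down model of the TLS/DTLS
 * Heartbeat extension (RFC 6520) responder.  A heartbeat message is
 *   type(1) | payload_length(2, big-endian) | payload | padding(>= 16 bytes)
 * The vulnerable responder trusts payload_length and copies that many
 * bytes into its reply even when the record that arrived is far shorter,
 * so whatever sits in memory after the record is sent back to the peer. */

#define HB_REQUEST  1
#define HB_PADDING  16
#define HEAP_SIZE   (3 + 0xFFFF)   /* any 16-bit claimed length stays inside this array */

/* A simulated process heap: the incoming record is placed at the front and
 * a constructed, fake secret happens to live right after it, the way a
 * private key or a session cookie did in a real OpenSSL process. */
static unsigned char heap[HEAP_SIZE];
static const char fake_secret[] = "-----BEGIN RSA PRIVATE KEY----- (constructed, not a real key)";

typedef struct {
    unsigned char *data;   /* echoed payload, malloc'd; NULL when the request was discarded */
    size_t len;
} hb_response;

/* Place one heartbeat request in the simulated heap.  claimed_len goes into
 * the header; actual_len is how many payload bytes the peer really sent
 * (keep it small: this demo does not bounds-check its own layout).
 * Returns the length of the record as it would arrive on the wire. */
size_t build_request(uint16_t claimed_len, const char *payload, size_t actual_len) {
    memset(heap, 'A', sizeof heap);                 /* filler standing in for unrelated heap data */
    heap[0] = HB_REQUEST;
    heap[1] = (unsigned char)(claimed_len >> 8);
    heap[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(heap + 3, payload, actual_len);
    memset(heap + 3 + actual_len, 0, HB_PADDING);
    size_t rec_len = 3 + actual_len + HB_PADDING;
    memcpy(heap + rec_len, fake_secret, sizeof fake_secret - 1);  /* leftover data just past the record */
    return rec_len;
}

static uint16_t claimed_payload_len(const unsigned char *rec) {
    return (uint16_t)((rec[1] << 8) | rec[2]);
}

/* The check OpenSSL 1.0.1g added: header, claimed payload and minimum
 * padding must all fit inside the record that was actually received.  A
 * passive network sensor can apply exactly this test to a decoded TLS
 * heartbeat record to flag an attempt that server logs never show. */
int heartbeat_is_oversized(const unsigned char *rec, size_t rec_len) {
    if (rec_len < 3 || rec[0] != HB_REQUEST) return 0;
    return 1 + 2 + (size_t)claimed_payload_len(rec) + HB_PADDING > rec_len;
}

/* Vulnerable responder (the CVE-2014-0160 pattern): the real record length
 * is never consulted, so the memcpy reads far past the end of the request. */
hb_response heartbeat_vulnerable(const unsigned char *rec, size_t rec_len) {
    hb_response r = {NULL, 0};
    (void)rec_len;                                   /* the bug: this value is ignored */
    if (rec[0] != HB_REQUEST) return r;
    uint16_t payload = claimed_payload_len(rec);     /* attacker-controlled, up to 65535 */
    r.data = malloc(payload + 1u);                   /* +1 so a zero-length payload still gets a buffer */
    if (!r.data) return r;
    memcpy(r.data, rec + 3, payload);                /* over-read: copies adjacent heap contents */
    r.len = payload;
    return r;
}

/* Fixed responder: a request whose claimed length does not fit is silently
 * discarded, as RFC 6520 requires, and only bytes inside the record are echoed. */
hb_response heartbeat_fixed(const unsigned char *rec, size_t rec_len) {
    hb_response r = {NULL, 0};
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST) return r;
    if (heartbeat_is_oversized(rec, rec_len)) return r;
    uint16_t payload = claimed_payload_len(rec);
    r.data = malloc(payload + 1u);
    if (!r.data) return r;
    memcpy(r.data, rec + 3, payload);                /* now provably within rec[0 .. rec_len) */
    r.len = payload;
    return r;
}

/* Did the echoed payload carry the bytes that sat after the record? */
int leaks_secret(const hb_response *r) {
    size_t n = sizeof fake_secret - 1;
    if (!r->data || r->len < n) return 0;
    for (size_t i = 0; i + n <= r->len; i++)
        if (memcmp(r->data + i, fake_secret, n) == 0) return 1;
    return 0;
}

int main(void) {
    /* An honest request would claim 4 bytes for "ping"; this one claims 16 KB. */
    size_t rec_len = build_request(16384, "ping", 4);
    hb_response v = heartbeat_vulnerable(heap, rec_len);
    hb_response f = heartbeat_fixed(heap, rec_len);
    printf("vulnerable responder echoed %zu bytes, fake secret leaked: %s\n",
           v.len, leaks_secret(&v) ? "yes" : "no");
    printf("fixed responder: request %s\n", f.data ? "answered" : "discarded");
    printf("sensor flags request as oversized: %d\n", heartbeat_is_oversized(heap, rec_len));
    free(v.data);
    free(f.data);
    return 0;
}
```

The vulnerable and fixed responders differ in exactly one comparison, which is why the upstream patch was only a few lines; the same comparison, applied on the wire, is what a TLS-aware IDS needs in order to see what the web server's access log cannot.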
Prevention of the Heartbleed Vulnerability
Follow this guide to prevent the Heartbleed attack:
Update OpenSSL. The affected releases are OpenSSL 1.0.1 through 1.0.1f and the 1.0.2-beta series; the fix shipped in OpenSSL 1.0.1g on 7 April 2014. The following are safe:
- OpenSSL 1.0.1g or later
- OpenSSL 1.0.0 branch (not affected: it has no heartbeat support)
- OpenSSL 0.9.8 branch (not affected)
Distribution packages usually backport the fix without changing the upstream version string, so a reported '1.0.1e' may already be patched; check your distribution's security advisory or the package changelog rather than the version number alone. If you cannot upgrade immediately, rebuild OpenSSL with -DOPENSSL_NO_HEARTBEATS to disable the extension entirely.
apt-get update; apt-get upgrade # Debian / Ubuntu
yum update # RHEL / CentOS
pacman -Syu # Arch Linux
This step is key: as long as a vulnerable OpenSSL build is loaded, the risk remains. Upgrading the package is not enough on its own; restart every service that links libssl (web server, mail server, VPN, database) or reboot, because a running process keeps the old library mapped in memory. Then, because the private key may already have been read, generate a new key, reissue the certificate and revoke the old one, invalidate active sessions, and ask users to change their passwords.
Do you want to check the security of your web app or API? Then, you can try out Crashtest Security's Vulnerability Testing Software to spot cybersecurity vulnerabilities in no time.
For more information about Crashtest Security, visit crashtest-security.com.