Prevent Heartbleed

The heartbleed vulnerability allows attackers to steal the private key of a server certificate. If the server is vulnerable to heartbleed, this means that an attacker can retrieve the private key and impersonate the server.

Security Assessment

CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Information

Heartbleed is a bug in OpenSSL's TLS heartbeat extension: a malformed heartbeat request makes the server answer with up to 64 KB of its own process memory per request, and that memory can contain session data and the private key of the server certificate. An attacker who retrieves the private key can impersonate the server, so connections to the webserver can no longer be considered secure. The heartbleed vulnerability was one of the most critical vulnerabilities of recent years. According to security researcher Bruce Schneier: '"Catastrophic" is the right word. On the scale of 1 to 10, this is an 11.'

Guides

Follow this guide to prevent the heartbleed attack:

OpenSSL

Update OpenSSL to the latest version. OpenSSL 1.0.1 through 1.0.1f (and 1.0.2-beta1) are affected; the following versions are not:

  • OpenSSL 1.0.1g (fixes the heartbleed vulnerability)
  • OpenSSL 1.0.0 (not affected)
  • OpenSSL 0.9.8 (not affected)

E.g. run the update script from the Crashtest Security gist:

https://github.com/crashtest-security/gist/blob/master/ssl_tls_vulnerabilities/update
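An added check to verify the update, not part of the Crashtest Security guide or its gist: it classifies the version string reported by `openssl version` against the affected range above (the function names and the sample banner are constructed for this example).

```shell
#!/bin/sh
# Returns 0 (true) when an OpenSSL version string falls in the Heartbleed-affected
# range: 1.0.1 through 1.0.1f and 1.0.2-beta1. 1.0.1g, 1.0.2-beta2 and later are fixed;
# the 1.0.0 and 0.9.8 branches do not contain the heartbeat code at all.
heartbleed_affected() {
  case "$1" in
    1.0.1|1.0.1[a-f]*|1.0.2-beta1) return 0 ;;   # e.g. 1.0.1e, 1.0.1f-fips
    *) return 1 ;;
  esac
}

# Extracts the version field from the first line of `openssl version`,
# e.g. "OpenSSL 1.0.1e 11 Feb 2013" -> "1.0.1e".
openssl_version_from_banner() {
  set -- $1          # intentional word splitting on the banner
  printf '%s\n' "$2"
}

# Caveat: distribution packages often backport the fix without changing the upstream
# version string (a patched 1.0.1e still reports 1.0.1e). On such systems also check the
# package changelog or the "built on:" line of `openssl version -a`: builds dated
# 7 Apr 2014 or later postdate the fix. A hit below therefore means "verify further".
if command -v openssl >/dev/null 2>&1; then
  ver=$(openssl_version_from_banner "$(openssl version)")
  if heartbleed_affected "$ver"; then
    echo "OpenSSL $ver: version string is in the Heartbleed-affected range; confirm whether the fix was backported"
  else
    echo "OpenSSL $ver: version string is outside the Heartbleed-affected range"
  fi
fi
```

Builds configured with the `no-heartbeats` option (OPENSSL_NO_HEARTBEATS) also remove the vulnerable code regardless of version.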

For more information about Crashtest Security visit crashtest-security.com