
HEARTBLEED BUG IN OPENSSL

1. About Heartbleed:
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library.
Heartbleed is not based on any complex cryptographic error; it is the result of a relatively mundane
coding error, yet it devastates Transport Layer Security (TLS) encryption over OpenSSL connections.
This weakness allows the theft of information that would normally be protected by the SSL/TLS
encryption used to secure the Internet.

2. The Problem:
The Heartbleed problem is a small flaw: a missing bounds check in the code that handles TLS
heartbeat messages. By abusing this mechanism, an attacker can easily read the private memory of
the TLS server. Because the same process holds the server's key material, an attacker could
potentially obtain (a) the long-term server private keys, (b) TLS session keys, (c) confidential data
such as passwords, and (d) session ticket keys. Stealing this information may allow the attacker to
decrypt ongoing TLS sessions. Far worse, an attacker who obtains the server's main private keys can
potentially decrypt past sessions or impersonate the server going forward. Worst of all, the exploit
leaves no trace.
The Heartbleed bug allows anyone on the Internet to read the memory of systems protected by
vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify
service providers and to encrypt traffic, the names and passwords of users, and the actual content.
This allows attackers to eavesdrop on communications, steal data directly from services and users,
and impersonate services and users. The bug is in OpenSSL's implementation of TLS/DTLS. When
exploited, it leads to the leak of memory contents from the server to the client and from the client
to the server.
OpenSSL versions 1.0.1 through 1.0.1f contain a flaw in their implementation of the TLS/DTLS
heartbeat functionality. This flaw allows an attacker to retrieve private memory of an application
that uses the vulnerable OpenSSL library in chunks of 64k at a time. Note that an attacker can
repeatedly leverage the vulnerability to retrieve as many 64k chunks of memory as are necessary to
retrieve the intended secrets. The sensitive information that may be retrieved using this
vulnerability includes:

- Primary key material (secret keys)
- Secondary key material (user names and passwords used by vulnerable services)
- Protected content (sensitive data used by vulnerable services)
- Collateral (memory addresses and content that can be leveraged to bypass exploit mitigations)
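The missing bounds check described above, as an added example that is not from the original text and not OpenSSL's own code: a small C model of the heartbeat handler in which the declared payload length is trusted (the 1.0.1 through 1.0.1f behaviour) beside the same handler with the record-length check that 1.0.1g added. The names handle_heartbeat, build_record, heartbeat_demo and the arena buffer are constructed for the demo, and the SECRET bytes stand in for whatever happens to sit next to the record in process memory.

```c
#include <stdint.h>
#include <string.h>

/* RFC 6520 heartbeat: type(1) | payload_length(2) | payload | padding(>=16) */
#define HB_PADDING 16

/* Constructed stand-in for process memory: the received record, then whatever
   the allocator placed next to it. */
static unsigned char arena[64];

/* Header declares `claimed` payload bytes; the record really carries `actual`. */
static size_t build_record(unsigned char *buf, uint16_t claimed, size_t actual)
{
    buf[0] = 1; /* heartbeat_request */
    buf[1] = (unsigned char)(claimed >> 8);
    buf[2] = (unsigned char)(claimed & 0xff);
    memset(buf + 3, 'A', actual);
    memset(buf + 3 + actual, 0, HB_PADDING);
    return 3 + actual + HB_PADDING;
}

/* Echo the payload into `out` (capacity 64). `rec_len` is the TLS record length
   as received (s->s3->rrec.length in OpenSSL). Returns bytes echoed, or -1. */
static int handle_heartbeat(const unsigned char *rec, size_t rec_len, int fixed,
                            unsigned char *out)
{
    unsigned int payload = ((unsigned int)rec[1] << 8) | rec[2]; /* n2s() */
    if (fixed && 1 + 2 + payload + HB_PADDING > rec_len)
        return -1; /* the 1.0.1g check: declared length must fit inside the record */
    if (payload > 64)
        return -1; /* only so the demo stays inside its own buffers */
    memcpy(out, rec + 3, payload); /* unfixed path trusts the declared length */
    return (int)payload;
}

/* Request claiming `claimed` bytes but carrying 4; *leaked is set when the
   echo contains the neighbouring SECRET bytes. Returns bytes echoed, or -1. */
static int heartbeat_demo(uint16_t claimed, int fixed, int *leaked)
{
    unsigned char out[64];
    memset(arena, 0, sizeof arena);
    size_t rec_len = build_record(arena, claimed, 4);
    memcpy(arena + rec_len, "SECRET", 6); /* constructed neighbour in memory */
    int n = handle_heartbeat(arena, rec_len, fixed, out);
    size_t off = rec_len - 3; /* where the neighbour lands in the echo */
    *leaked = n > 0 && (size_t)n >= off + 6 && memcmp(out + off, "SECRET", 6) == 0;
    return n;
}
```

With the check disabled, a request claiming 40 bytes while carrying 4 echoes 40 bytes including the neighbour; with the check enabled the same request is discarded, while an honest 4-byte request is still answered.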

3. Recent Heartbleed SSL Exploitation:

Heartbleed, the OpenSSL vulnerability discovered last week that allows the exploitation of SSL
heartbeats, had many IT administrators scrambling to determine the extent to which their
infrastructure and apps were at risk.
Most stories focused on the potential impact to the Internet, with high estimates claiming more than
65 percent of web servers could be vulnerable.
But more troubling, in my mind, are all the other underlying components of our communications
infrastructure that were put at risk, and what this means in software-defined networking (SDN) and
network functions virtualization (NFV) environments. It has been widely reported that the major
networking vendors acknowledged their routers and switches were affected. From an SDN and NFV
standpoint, the implications could be great and inherently more difficult to identify.

4. Why care about Heartbleed:

On the Internet, a lot of the security infrastructure you rely on depends in some way on OpenSSL.
This includes many of the websites that store your personal information, which shows how much of
industry relies on OpenSSL. According to Netcraft data, although 66% of sites use OpenSSL, only
17% are susceptible to the Heartbleed Bug as of April 8th, 2014. Given that this vulnerability has
existed for at least two years, an organization that has deployed servers running OpenSSL (versions
1.0.1 through 1.0.1f) during this timeframe is likely vulnerable to the Heartbleed Bug and should take
immediate steps to remediate. SSL/TLS provides communication security and privacy over the Internet
for applications such as web, email, instant messaging and some virtual private networks (VPNs).
Therefore a remedy is needed to address the Heartbleed problem.

5. Remedy for the Heartbleed problem:

You can test whether a given server is vulnerable using one of the available tools. Once you identify
the Heartbleed problem, the first step is to patch OpenSSL, which is relatively easy. Version 1.0.1g is
not vulnerable, and Debian has a patch. You can also recompile OpenSSL with the
-DOPENSSL_NO_HEARTBEATS option. Since there is no way to tell whether a server has been
exploited (and exploit code is now in the wild), you need to assume that it has been. Under that
assumption, the safe course is to revoke the certificate and obtain a new one; only then is the OpenSSL
deployment secured.
