A potentially serious 0-day attack has been disclosed affecting many websites employing OpenSSL (versions 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1 and 1.0.2-beta) for their HTTPS implementations. The Heartbleed vulnerability, CVE-2014-0160, allows an attacker to read up to 64 kB of data from the server's volatile memory. The information could include sensitive data, encryption keys, or anything else your applications have placed in memory. Disclosure of this data to an attacker may not be detectable by the victim.
This is a confirmed 0-day exploit, meaning a workable exploit is available before a workable patch has been released. OpenSSL has fixed the issue in release 1.0.1g, which is available from OpenSSL's website (http://www.openssl.org/source/). Version 1.0.2-beta will be fixed in 1.0.2-beta2.
Please note that many Linux distros have not yet included 1.0.1g in their software repositories. Parameter is recommending that all of its clients cease sensitive transactions on public sites employing SSL until the site can be verified as not affected or has been patched. Once OpenSSL is patched, ensure that your SSL certificates are regenerated.
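As a first-pass triage of a host against the version list above, here is an added example (not from the advisory or from OpenSSL) that parses the `openssl version -a` banner, flags the releases named as vulnerable, and also honours the `-DOPENSSL_NO_HEARTBEATS` build flag that compiles the heartbeat code out. The sample output embedded below is constructed, not captured from a real host.

```python
import re
import subprocess

# Releases the advisory lists as vulnerable: 1.0.1 through 1.0.1f and 1.0.2-beta.
# 1.0.1g carries the fix; 1.0.2-beta2 is the fixed beta.
_BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d*))?")

# Constructed sample of `openssl version -a` output (not from a real host).
SAMPLE_VERSION_A = (
    "OpenSSL 1.0.1e 11 Feb 2013\n"
    "built on: Mon Feb  3 2014\n"
    "compiler: gcc -DOPENSSL_NO_HEARTBEATS -O2\n"
)

def parse_openssl_banner(text):
    """Parse the `openssl version` banner into (major, minor, fix, letter, beta)."""
    m = _BANNER_RE.search(text)
    if not m:
        raise ValueError("unrecognised OpenSSL banner: %r" % text)
    major, minor, fix = (int(x) for x in m.group(1, 2, 3))
    letter = m.group(4)
    beta = m.group(5)
    if beta is not None:
        beta = int(beta) if beta else 1   # "1.0.2-beta" means the first beta
    return major, minor, fix, letter, beta

def version_is_affected(text):
    """True when the banner names a release the advisory lists as vulnerable."""
    major, minor, fix, letter, beta = parse_openssl_banner(text)
    if (major, minor, fix) == (1, 0, 1):
        return len(letter) <= 1 and letter <= "f"   # 1.0.1 .. 1.0.1f
    if (major, minor, fix) == (1, 0, 2):
        return beta == 1                             # only the first 1.0.2 beta
    return False  # 0.9.8 and 1.0.0 never had the heartbeat extension

def heartbeats_compiled_out(text):
    """True when `openssl version -a` shows the flag that removes heartbeat code."""
    return "-DOPENSSL_NO_HEARTBEATS" in text

def triage(version_a_output):
    """Verdict from the full `openssl version -a` output (first line is the banner)."""
    if not version_is_affected(version_a_output):
        return "not affected: version not in the vulnerable list"
    if heartbeats_compiled_out(version_a_output):
        return "not affected: built with OPENSSL_NO_HEARTBEATS"
    return "AFFECTED: patch to 1.0.1g (or a distro backport) and regenerate certificates"

if __name__ == "__main__":
    print("sample:", triage(SAMPLE_VERSION_A))
    out = subprocess.run(["openssl", "version", "-a"], capture_output=True, text=True)
    print("this host:", triage(out.stdout))
```

Treat an AFFECTED verdict as a reason to check the package changelog rather than a final answer: distributions often backport the fix without changing the version string, so a banner of 1.0.1e can still be a patched build.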