CVE-2014-0160 – Heartbleed

A vulnerability has been discovered that allows anyone over the internet to read data straight off of your server.

“Catastrophic” is the right word. On the scale of 1 to 10, this is an 11.
– Bruce Schneier

Labelled “Heartbleed” this vulnerability leaves your servers memory vulnerable and accessible to be read by anyone. A lot of private information is at risk, everything from passwords to SSL certificate keys are loaded into memory so often it is only a matter of time until a malicious user gets them.

The affected software, OpenSSL is a library that provides tools for encryption. OpenSSL is installed by default on many Linux systems as many core tools depend on it for SSL. It is widely used by servers for web, email, remote shell, VPN, file transfer and much more…

Test your website for the Heartbleed vulnerability.

The following command lists all services using libssl:

sudo lsof | grep libssl

The only fix is to upgrade OpenSSL to a non-vulnerable version and restart all services using it. Since it is used by so many services it can quickly become a large job to restart each process, especially in the correct order. The quickest way of doing this is by rebooting your server.

For more reading see the official Heartbleed website.

Our advice regarding this matter is:

  1. Ensure a fixed OpenSSL package is installed.
  2. Reboot your server (or restart all processes that use OpenSSL)

Feel free to get in touch if we can help with this.

Feature image by Alan O’Rourke under the CC 2.0 license.

1 reply

Trackbacks & Pingbacks

  1. […] many of the old SSL protocols have been disabled now due to vulnerabilities such as POODLE and Heartbleed this will be the first time a protocol has been disabled that is still being used by some old […]

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *