The InterNetX Blog provides you with news and background information on innovations concerning domains, servers, SSL and other industry-related topics.

Six questions regarding the Heartbleed bug

A software error can leave supposedly secure systems vulnerable. What do site operators and users need to consider? The most important questions at a glance.

Since Tuesday, a security flaw in the OpenSSL software has been making headlines. The so-called Heartbleed bug allows attackers to read sensitive data from server memory. The news of the vulnerability has caused a lot of uncertainty. But what do site operators and Internet users need to consider now? The most important questions at a glance:

1. Who is affected?

Basically, the error affects any service using OpenSSL versions 1.0.1 through 1.0.1f or OpenSSL 1.0.2-beta. These are mainly web servers, but also servers used for services such as email, VPN, Plesk or Admin Panel. It is now clear that the following distributions are affected:
  • RHEL6 / CentOS6 (the vulnerability has been closed with the latest OpenSSL 1.0.1e-16 update)
  • Debian 7
  • FreeBSD 10
Distributions based on the older OpenSSL 0.9.8 are not affected. For example, users of Apple's operating system Mac OS X Mavericks are safe from attacks because it ships an older OpenSSL version, according to present knowledge.

2. What is the vulnerability?

The fault lies in the so-called "Heartbeat" function of OpenSSL, hence the name "Heartbleed" bug. Heartbeat is a communication function that exchanges status information between two partners, primarily to determine whether the other side is still active. A flaw in the handling of memory access can allow an attacker to read up to 64KB of memory.

3. What data can be captured?

The 64KB can contain any sensitive data, for example user names, passwords, session data or encrypted emails, which can then be read in plain text. The attack is difficult to detect on the affected systems.

4. How can the problem be solved?

Any system that uses an affected version of OpenSSL requires a patch or an update. Updates are now available for the distributions mentioned above. Self-compiled builds of OpenSSL configured with the -DOPENSSL_NO_HEARTBEATS option are not affected; the sources from version 1.0.1g onward contain the fix.

Updates for the distributions can be done as follows:
  • CentOS / RHEL: yum -y update openssl
  • Debian: apt-get update && apt-get -y install openssl libssl1.0.0
After installing the updates, it is essential to restart all server services or to reboot the system directly, because running processes keep using the old library until they are restarted.
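The two checks an operator wants around this step, as an added example that is not InterNetX's own tooling: classify the version string that `openssl version` reports against the affected range named above, and list the services that still have the replaced library mapped after the update (those are the ones the restart is for). The version strings in the comments and test are constructed samples.

```shell
#!/bin/sh
# Added example, not InterNetX tooling: version classification plus a check
# for services that still run the old libssl after the package update.

# heartbleed_version_status "OpenSSL 1.0.1f 6 Jan 2014"
# Prints affected / not-affected / unknown for the upstream version number.
# Caveat: distributions backport fixes without changing that number (RHEL's
# patched 1.0.1e-16 still reports 1.0.1e), so "affected" means "confirm via
# the package changelog", e.g. rpm -q --changelog openssl | grep -i heartbeat
heartbleed_version_status() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9a-z.-]*\).*/\1/p')
    [ -n "$ver" ] || { echo unknown; return 2; }
    case "$ver" in
        1.0.1|1.0.1[a-f]*)     echo affected;     return 1 ;;  # 1.0.1 .. 1.0.1f
        1.0.1[g-z]*)           echo not-affected; return 0 ;;  # 1.0.1g+ has the fix
        1.0.2-beta*)           echo affected;     return 1 ;;
        0.9.*|1.0.0*)          echo not-affected; return 0 ;;  # predates heartbeat
        1.0.2*|1.1.*|[2-9].*)  echo not-affected; return 0 ;;  # released after the fix
        *)                     echo unknown;      return 2 ;;
    esac
}

# stale_libssl_processes: print PID and command line of every process whose
# mapped libssl/libcrypto was replaced on disk. Linux marks such mappings
# "(deleted)" in /proc/PID/maps; these services still execute the old code
# until restarted. An empty list after the update means the restart is done.
stale_libssl_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        if grep -qE 'lib(ssl|crypto).*\(deleted\)' "$maps" 2>/dev/null; then
            printf '%s %s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline")"
        fi
    done
}

# Run both checks against the local host: sh heartbleed-check.sh --host
# (the file name is an assumption; nothing runs when the flag is absent)
if [ "${1:-}" = "--host" ]; then
    heartbleed_version_status "$(openssl version)"
    stale_libssl_processes
fi
```

The process check needs root to read other users' /proc entries; run it again after each service restart until it prints nothing.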

5. Do I need to replace my SSL certificates?

Strictly speaking, yes. An attack vector was theoretically available before the update, so it cannot be ruled out that data has been tapped by third parties. Certificates can be replaced in SSL Manager using "Reissue certificate" under "Tools". The reissues are free. Of course, replacements should only be done after updating OpenSSL.

6. What can I recommend to my customers/users?

Private users should also update their browsers, email clients and other applications. To be on the safe side, it is recommended to change personal passwords (of email accounts or social networks, for example). Server and site operators should also watch for irregularities in their systems. The system can be checked using an online tool.