1. Who is affected?
The bug affects any service using OpenSSL versions 1.0.1 through 1.0.1f or OpenSSL 1.0.2-beta. These are mainly web servers, but also servers for services such as email, VPN, Plesk or an admin panel. It is now clear that the following distributions are affected:
- RHEL6 / CentOS6 (The vulnerability has been closed with the latest OpenSSL 1.0.1e-16 update)
- Debian 7
- FreeBSD 10
2. What is the vulnerability?
The flaw lies in the so-called "Heartbeat" function of OpenSSL, hence the name "Heartbleed". Heartbeat is a communication function that exchanges status information between two peers, primarily to determine whether the other side is still active. A flaw in the handling of memory access allows an attacker to read up to 64KB of memory.
3. What data can be captured?
The 64KB can contain any sensitive data, for example user names, passwords, session data or encrypted emails, which can then be read in plain text. The attack is difficult to detect on the affected systems.
4. How can the problem be solved?
Any system that uses an affected version of OpenSSL requires a patch or an update. Updates are now available for the distributions mentioned above. Self-compiled versions of OpenSSL built with the -DOPENSSL_NO_HEARTBEATS option are not affected; sources from version 1.0.1g onward contain the fix.
Updates for the distributions can be applied as follows:
- CentOS / RHEL: yum -y update openssl
- Debian: apt-get update && apt-get -y install openssl libssl1.0.0
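As an added example (not part of the original FAQ), a POSIX shell helper that classifies an `openssl version` line against the affected range above and covers the two cases a plain version check misses: a build with -DOPENSSL_NO_HEARTBEATS, and a vendor backport such as RHEL/CentOS, where the version letter stays 1.0.1e and only the package release tells you whether the 1.0.1e-16 update is installed. It assumes that flag appears in the `compiler:` line of `openssl version -a` and that `rpm -q openssl` prints the usual name-version-release.arch form.

```shell
#!/bin/sh
# Constructed helper for the Heartbleed FAQ above; not from any distribution's tooling.

# $1: first line of `openssl version`, e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013"
# $2: optional "compiler:" line from `openssl version -a`; assumed to carry
#     -DOPENSSL_NO_HEARTBEATS when the build was configured without heartbeats
# Prints: affected | not-affected | unknown
heartbleed_status() {
    line=$1
    flags=${2:-}
    case "$flags" in
        *-DOPENSSL_NO_HEARTBEATS*) echo not-affected; return 0 ;;
    esac
    set -- $line            # split on whitespace; field 2 is the version token
    ver=${2:-}
    case "$ver" in
        # 1.0.1 (no letter) through 1.0.1f, plus the 1.0.2 betas; "-fips" suffixes included
        1.0.1|1.0.1[a-f]*|1.0.2-beta*) echo affected ;;
        # 1.0.1g and later carry the fix; 1.0.0 and 0.9.8 never had the heartbeat code
        1.0.1[g-z]*|1.0.2*|1.0.0*|0.9.*)  echo not-affected ;;
        *) echo unknown ;;
    esac
}

# Vendor backports keep the upstream version string, so "affected" above is not
# conclusive on RHEL/CentOS. Compare the package release number instead.
# $1: one line of `rpm -q openssl`, e.g. openssl-1.0.1e-16.el6_5.7.x86_64 (constructed sample)
# $2: minimum fixed release; defaults to 16, the update the FAQ cites
# Returns 0 when the installed release is at or above the threshold, 2 if unparseable.
rpm_release_fixed() {
    rest=${1#openssl-}      # 1.0.1e-16.el6_5.7.x86_64
    rel=${rest#*-}          # 16.el6_5.7.x86_64
    relnum=${rel%%.*}       # 16
    case "$relnum" in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ "$relnum" -ge "${2:-16}" ]
}

# Stand-alone usage: classify the locally installed OpenSSL, if there is one
if command -v openssl >/dev/null 2>&1; then
    heartbleed_status "$(openssl version)" "$(openssl version -a | grep '^compiler:')"
fi
```

A version string alone never tells you whether a running daemon has picked up the fix: services that loaded the old libssl keep it in memory until they are restarted.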
5. Do I need to replace my SSL certificates?
Strictly speaking, yes. The attack vector was available before the update, so it cannot be ruled out that data has been tapped by third parties. Certificates can be replaced in SSL Manager via "Reissue certificate" under "Tools". Reissues are free. Replacements should of course be done only after OpenSSL has been updated.
6. What can I recommend to my customers/users?
Private users should also update their browsers, email clients and other applications. To be on the safe side, changing personal passwords (for email accounts or social networks, for example) is recommended. Server and site operators should also watch for irregularities in their systems. A system can be checked using an online tool.