A new security bug has been found affecting the majority of secure websites built on Linux in the last two years. The flaw is in the TLS Heartbeat Extension implementation of OpenSSL and was publicly disclosed on April 7 2014. OpenSSL is responsible for securing over 66% of the websites on the Internet, including Gmail, Twitter and Dropbox (the companies mentioned are currently updating their systems to remove the vulnerability). The vulnerability allows secure information to be stolen from any website running an affected OpenSSL. SSL/TLS is used by all https:// websites and by applications that need security and privacy over the Internet, such as web, email, instant messaging (IM) and some virtual private networks (VPNs). A malformed heartbeat request makes the server answer with up to 64 KB of its own private memory, so attackers can steal secret keys, user names and passwords, instant messages, emails and business-critical documents and communications, all without leaving a trace in the server's logs.
This makes the flaw (already nicknamed the 'Heartbleed bug', tracked as CVE-2014-0160) absolutely critical, so countermeasures should be taken promptly. The bug is in the OpenSSL library, not in the SSL/TLS protocol, so anything linked against an affected OpenSSL is exposed: systems such as OpenVPN, open-source platforms of all kinds and website control panels are most likely vulnerable if you have not patched them in the last 24 hours. As of today, a number of Unix-like operating systems are affected too, since they ship a vulnerable OpenSSL:
- Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
- Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
- CentOS 6.5, OpenSSL 1.0.1e-15
- Fedora 18, OpenSSL 1.0.1e-4
- OpenBSD 5.3 (OpenSSL 1.0.1c) and 5.4 (OpenSSL 1.0.1c)
- FreeBSD 8.4 (OpenSSL 1.0.1e) and 9.1 (OpenSSL 1.0.1c)
- NetBSD 5.0.2 (OpenSSL 1.0.1e)
- OpenSUSE 12.2 (OpenSSL 1.0.1c)
Packages built on older OpenSSL branches are free of this flaw, for example Debian Squeeze (oldstable) with OpenSSL 0.9.8o-4squeeze14, and SUSE Linux Enterprise Server. Only OpenSSL 1.0.1 through 1.0.1f (and the 1.0.2-beta1 pre-release) are affected; the 0.9.8 and 1.0.0 branches never contained the heartbeat code in question. Among the possibly affected parties are operating system vendors and distributors, appliance vendors and independent software vendors. They are strongly encouraged to adopt the fix, OpenSSL 1.0.1g, as soon as possible and to notify their users about possible password leaks. Because an attacker may already have read a server's private key from memory, new secret keys and certificates must be generated as well, the old certificates revoked and users asked to change their passwords. Do this only after the patched OpenSSL is installed and every service that loaded the old library has been restarted; a new key generated on a still-vulnerable server can leak in exactly the same way. Note also that most distributions backport the fix without changing the upstream version string, so 'openssl version' still reporting 1.0.1e does not by itself mean a system is unpatched: check the package changelog for CVE-2014-0160 before deciding.
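To turn the version ranges above into a first-pass check, here is an added Python helper that classifies the output of 'openssl version' (or 'openssl version -a'). It is not code from the page; the status names and the regular expression are this example's own choices, and the sample version strings at the bottom are constructed. It encodes the rule that 1.0.1 through 1.0.1f and 1.0.2-beta1 are affected, that 1.0.1g and later carry the fix, that 0.9.8 and 1.0.0 were never affected, and that a build whose compiler flags show OPENSSL_NO_HEARTBEATS has the extension compiled out. A "vulnerable" verdict from the version string alone must still be confirmed against the package changelog, for the backporting reason given above.

```python
"""Classify 'openssl version [-a]' output for CVE-2014-0160 (Heartbleed).

Added example, not code from the page. Status names and the regex are this
example's own; sample strings in __main__ are constructed, not captured output.
"""
import re
from typing import Optional, Tuple

VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(\S+))?")

NOT_AFFECTED = "not_affected"            # branch predates the heartbeat code (0.9.8, 1.0.0)
VULNERABLE = "vulnerable"                # 1.0.1 to 1.0.1f, 1.0.2-beta1: confirm against changelog
FIXED = "fixed"                          # 1.0.1g and later
HEARTBEATS_DISABLED = "heartbeats_disabled"  # built with -DOPENSSL_NO_HEARTBEATS
UNKNOWN = "unknown"                      # not an OpenSSL version string


def parse_version(text: str) -> Optional[Tuple[int, int, int, str, str]]:
    """Return (major, minor, fix, letter, suffix) from an OpenSSL version banner,
    e.g. 'OpenSSL 1.0.1e-fips 11 Feb 2013' -> (1, 0, 1, 'e', 'fips')."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, fix, letter, suffix = m.groups()
    return int(major), int(minor), int(fix), letter or "", suffix or ""


def heartbleed_status(version_output: str) -> str:
    """Classify the banner. A VULNERABLE verdict means 'vulnerable unless the
    vendor backported the fix': distributions keep the upstream version string,
    so the package changelog must be checked for CVE-2014-0160."""
    parsed = parse_version(version_output)
    if parsed is None:
        return UNKNOWN
    major, minor, fix, letter, suffix = parsed
    # 'openssl version -a' prints the compiler flags; this one removes the extension entirely.
    if "OPENSSL_NO_HEARTBEATS" in version_output:
        return HEARTBEATS_DISABLED
    branch = (major, minor, fix)
    if branch < (1, 0, 1):
        return NOT_AFFECTED
    if branch == (1, 0, 1):
        # bare '1.0.1' and letters a-f are affected; 'g' is the fix release
        return VULNERABLE if letter < "g" else FIXED
    if branch == (1, 0, 2):
        return VULNERABLE if suffix.startswith("beta1") else FIXED
    return FIXED


if __name__ == "__main__":
    # Constructed banners in the format 'openssl version' prints.
    samples = [
        "OpenSSL 1.0.1e 11 Feb 2013",
        "OpenSSL 1.0.1g 7 Apr 2014",
        "OpenSSL 0.9.8o 01 Jun 2010",
        "OpenSSL 1.0.2-beta1 24 Feb 2014",
        "OpenSSL 1.0.1e 11 Feb 2013\ncompiler: gcc -DOPENSSL_NO_HEARTBEATS -O2",
        "LibreSSL 2.0.0",
    ]
    for banner in samples:
        print(f"{heartbleed_status(banner):20s} <- {banner.splitlines()[0]}")
```

In practice the banner comes from running 'openssl version -a' on the host and feeding its output to heartbleed_status; remember that a library loaded by a long-running daemon is only replaced once that daemon restarts, so the check says what is installed on disk, not what Apache, nginx, Postfix or OpenVPN are currently running.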
Our managed IT services team has already patched our own infrastructure and our clients' systems. If you require further information on how to resolve this issue, please feel free to contact us via:
Telephone: +44 (0) 203-137 -2459 (extension 2) OR