Threat Advisory Bulletin: Heartbleed
What you need to know, help available
On April 7, 2014, researchers disclosed the Heartbleed bug (CVE-2014-0160). Heartbleed is a vulnerability in the widely used OpenSSL software library, which implements the SSL/TLS protocols along with basic cryptographic and related functions. OpenSSL is the standard library used for SSL/TLS implementations and is used by most major web servers.
Heartbleed: How it works
Vulnerable versions of OpenSSL shipped with a wide variety of applications and operating systems. Hardware appliances, such as SSL-based VPN devices, are also affected. The bug allows an attacker to read up to 64 kilobytes of unallocated memory from a server by exploiting a flaw in the implementation of the SSL/TLS heartbeat extension. Although the attacker obtains whatever data was formerly held in that memory chunk, they cannot choose which section of memory they receive. The information returned may therefore be either useless or highly sensitive, purely by chance.
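The flaw in the heartbeat handler is a missing bounds check: the response copies as many bytes as the request's length field claims, not as many as were actually received. The added example below (not code from the advisory or from OpenSSL) models that handler over a constructed in-process buffer and shows how the check added in the patched release (OpenSSL 1.0.1g) drops the malformed request instead of echoing neighbouring memory. The `conn_t` layout, the record sizes and the "SESSION-KEY" marker are constructed for the demonstration.

```c
#include <stddef.h>
#include <string.h>

#define HB_HEADER 3     /* type (1 byte) + payload length (2 bytes, big-endian) */
#define HB_PADDING 16   /* RFC 6520 minimum padding */
#define MEM_SIZE 128

/* Constructed stand-in for the process heap: the incoming heartbeat record sits
 * at the start, followed by unrelated data that must never be echoed back. */
typedef struct {
    unsigned char mem[MEM_SIZE];
    size_t record_len;   /* bytes the TLS record layer actually delivered */
} conn_t;

/* Build a heartbeat response into out. Returns bytes written, or -1 if the
 * request is dropped. hardened == 0 models the unpatched 1.0.1f behaviour;
 * hardened == 1 adds the length checks from the 1.0.1g fix. */
int heartbeat_response(const conn_t *c, int hardened, unsigned char *out, size_t out_cap)
{
    const unsigned char *rec = c->mem;
    if (hardened && HB_HEADER + HB_PADDING > c->record_len)
        return -1;                                    /* record too short to be valid */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];  /* peer-controlled length field */
    if (hardened && HB_HEADER + claimed + HB_PADDING > c->record_len)
        return -1;                                    /* claimed length exceeds record: drop */
    if (HB_HEADER + claimed + HB_PADDING > out_cap)
        return -1;                                    /* demo bound; keeps the simulation in range */
    out[0] = 2;                                       /* heartbeat_response */
    out[1] = rec[1]; out[2] = rec[2];
    /* without the check above, this copies past the received record */
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed);
    memset(out + HB_HEADER + claimed, 0, HB_PADDING);
    return (int)(HB_HEADER + claimed + HB_PADDING);
}

/* Constructed scenario: a 1-byte payload whose length field claims 64 bytes,
 * with a marker string placed in memory right after the 20-byte record. */
void build_scenario(conn_t *c)
{
    memset(c->mem, 0, sizeof c->mem);
    c->mem[0] = 1;                   /* heartbeat_request */
    c->mem[1] = 0; c->mem[2] = 64;   /* claims 64 payload bytes */
    c->mem[3] = 'A';                 /* the single real payload byte */
    c->record_len = HB_HEADER + 1 + HB_PADDING;
    memcpy(c->mem + c->record_len, "SESSION-KEY", 11);
}

/* Returns 1 if the response contains the neighbouring marker, i.e. memory leaked. */
int leaks_secret(const unsigned char *out, int n)
{
    for (int i = 0; n > 0 && i + 11 <= n; i++)
        if (memcmp(out + i, "SESSION-KEY", 11) == 0) return 1;
    return 0;
}
```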
Examples of the information stored in memory include primary and secondary keys used to encrypt and decrypt private data. Attackers may also receive usernames, passwords, private documents, financial information, and private communications such as emails or instant messages. This exploit operates solely by reading memory present on the server; it is not a remote code execution or denial-of-service attack.
OpenSSL versions 1.0.1 through 1.0.2-beta are vulnerable. This includes version 1.0.1f, which was the most recent production release until April 7, 2014. The earliest affected version, 1.0.1-beta1, was created on February 22, 2012, which means the bug was unpatched and exploitable for over two years. The earlier 0.9.8 and 1.0.0 branches of OpenSSL are unaffected.