OpenSSL Security Bug That Must Be Patched Quickly

opensslThe OpenSSL Project is a volunteer driven collaborative project to develop a ” a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library managed by a worldwide community”. The Project announced that a very serious security issue that could lead to the exposure of cryptographic keys and private communications from some of the most important sites and services on the internet.  Anyone running a server with OpenSSL 1.0.1 through 1.0.1f needs to update this immediately to OpenSSL 1.0.1g. If you are using a version prior to 1.0.1 you are not affected by this but if you are currently using OpenSSL 1.0.2 Beta you will need to address this.


This bug was discovered by both a Google security engineer as well as by Codenomicon, a private security firm. You will recall the recent SSL bug associated with Apple and it should be noted that this is even more dangerous and could have greater impacts.  This is because the SSL bug opens up the possibility for “man in the middle” attacks and reveals encryption keys which could then lead to additional security breaches. The risk here can not be emphasized enough as this could affect as much as 66% of the internet.


A detailed explanation of the issue can be found at, This is related to the “heartbeat” section of OpenSSL’s transport layer protocols (TSL). A huge security risk has been identified that is related to the “heartbeat” section of OpenSSL’s transport layer protocols (TSL).  This is especially critical as it not only opens up the possible  breach and leaking of; 1) primary key material, 2) secondary key material and 3) protected content and 4) collateral. As per,


“What is leaked primary key material and how to recover?


These are the crown jewels, the encryption keys themselves. Leaked secret keys allows the attacker to decrypt any past and future traffic to the protected services and to impersonate the service at will. Any protection given by the encryption and the signatures in the X.509 certificates can be bypassed. Recovery from this leak requires patching the vulnerability, revocation of the compromised keys and reissuing and redistributing new keys. Even doing all this will still leave any traffic intercepted by the attacker in the past still vulnerable to decryption. All this has to be done by the owners of the services.


What is leaked secondary key material and how to recover?


These are for example the user credentials (user names and passwords) used in the vulnerable services. Recovery from this leaks requires owners of the service first to restore trust to the service according to steps described above. After this users can start changing their passwords and possible encryption keys according to the instructions from the owners of the services that have been compromised. All session keys and session cookies should be invalided and considered compromised.


What is leaked protected content and how to recover?


This is the actual content handled by the vulnerable services. It may be personal or financial details, private communication such as emails or instant messages, documents or anything seen worth protecting by encryption. Only owners of the services will be able to estimate the likelihood what has been leaked and they should notify their users accordingly. Most important thing is to restore trust to the primary and secondary key material as described above. Only this enables safe use of the compromised services in the future.


What is leaked collateral and how to recover?


Leaked collateral are other details that have been exposed to the attacker in the leaked memory content. These may contain technical details such as memory addresses and security measures such as canaries used to protect against overflow attacks. These have only contemporary value and will lose their value to the attacker when OpenSSL has been upgraded to a fixed version.”


If you are running the affected OpenSSL it is imperative that you take the appropriate actions now.