20140408 - Heartbleed security weakness announcement - OpenSSL 1.0.1
Revealed yesterday, Heartbleed is a serious vulnerability in the OpenSSL library.
It allows anybody on the internet to read information held in memory by an OpenSSL-equipped server, and therefore exposes any private key used by a server process (Apache, nginx, Postfix, etc.).
Last but not least, there is absolutely no way to know whether you have been the victim of such an attack, since the vulnerability lets attackers read your information without leaving any trace.
Potential consequences
The private key linked to your SSL certificate is the foundation of the security of every web tool you run over SSL/TLS. Should this key be stolen, it could be used on a rogue website impersonating your corporate identity.
Web users would then no longer be able to tell whether they are on a trusted website, since the certificate presented to them is a genuine one.
To put it in a nutshell: a perfect MITM (Man In The Middle) attack.
Status of OpenSSL versions
- OpenSSL versions 1.0.1 to 1.0.1f (inclusive) are vulnerable
- OpenSSL 1.0.1g is NOT vulnerable
- OpenSSL 1.0.0 branch is NOT vulnerable
- OpenSSL 0.9.8 branch is NOT vulnerable
The bug appeared with the OpenSSL 1.0.1 release in March 2012. The vulnerable versions have therefore been in use for over two years and were rapidly adopted by modern operating systems.
OpenSSL 1.0.1g, released on 7 April 2014, fixes the bug.
Operating system distributions that have shipped with a potentially vulnerable OpenSSL version
This is not an exhaustive list!
- Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
- Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
- CentOS 6.5, OpenSSL 1.0.1e-15
- Fedora 18, OpenSSL 1.0.1e-4
- OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)
- FreeBSD 10.0 (OpenSSL 1.0.1e 11 Feb 2013)
- NetBSD 5.0.2 (OpenSSL 1.0.1e)
- OpenSUSE 12.2 (OpenSSL 1.0.1c)
- Red Hat Enterprise Linux 6.5, Red Hat Enterprise Virtualization Hypervisor 6.5 and Red Hat Storage 2.1 (OpenSSL 1.0.1e)
Non-impacted OS
- Debian Squeeze (oldstable), OpenSSL 0.9.8o-4squeeze14
- SUSE Linux Enterprise Server
- FreeBSD 8.4 (OpenSSL 0.9.8y 5 Feb 2013)
- FreeBSD 9.2 (OpenSSL 0.9.8y 5 Feb 2013)
- FreeBSD Ports (OpenSSL 1.0.1g at 7 Apr 21:46:40 2014 UTC)
What do I need to do?
First, you need to know whether you are impacted or not.
If so, follow the three-step procedure described below:
- 1. Update your server OS to get the corrected OpenSSL version (then reboot, so that no running process keeps the old library loaded)
- 2. Request a free reissuance of your SSL certificate:
  - 2.1. Generate a new private key and a new CSR
  - 2.2. Use our revocation form and check the "revoke" box
- 3. After installing the new certificate on the server, if you did not ask for your old certificate to be revoked in step 2.2, request an IMMEDIATE REVOCATION of the old certificate via your status page
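As an added example, not part of this announcement and not the certificate vendor's own tooling, the POSIX shell script below ties together the version status list above and steps 1 and 2.1 of the procedure: it classifies the line printed by `openssl version` against the vulnerable range (1.0.1 through 1.0.1f) and, on request, generates a brand-new private key and CSR for the reissuance. The host name `www.example.com` and the output directory `./heartbleed-reissue` are placeholders chosen for illustration.

```shell
#!/bin/sh
# Added example: classify an `openssl version` string against the vulnerable
# range given in this announcement (1.0.1 through 1.0.1f), then generate a
# fresh private key and CSR for the reissuance step. Host name and output
# directory are placeholders chosen for illustration.

# Returns 0 (true) when the version string falls in the Heartbleed range.
# $1: the line printed by `openssl version`, e.g. "OpenSSL 1.0.1e 11 Feb 2013"
#     or "OpenSSL 1.0.1e-fips 11 Feb 2013" (the "-fips" suffix is ignored).
is_heartbleed_vulnerable() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    case "$ver" in
        1.0.1|1.0.1[a-f]) return 0 ;;   # 1.0.1 .. 1.0.1f: vulnerable
        *)                return 1 ;;   # 1.0.1g+, 1.0.0 and 0.9.8 branches: not in range
    esac
}

# Step 2.1 of the procedure: a brand-new 2048-bit RSA key and a CSR for it.
# Never reuse the old key; it must be assumed compromised.
# $1: host name for the certificate CN, $2: directory that will hold the files
regenerate_key_and_csr() {
    host=$1
    outdir=$2
    umask 077   # key file readable by its owner only
    mkdir -p "$outdir"
    openssl genrsa -out "$outdir/$host.key" 2048
    openssl req -new -key "$outdir/$host.key" -out "$outdir/$host.csr" -subj "/CN=$host"
    echo "new key: $outdir/$host.key"
    echo "CSR to submit for reissuance: $outdir/$host.csr"
}

# Stand-alone use: check the locally installed library; with --regen also
# create a new key and CSR for the placeholder host www.example.com.
if command -v openssl >/dev/null 2>&1; then
    local_version=$(openssl version)
    if is_heartbleed_vulnerable "$local_version"; then
        echo "VULNERABLE range: $local_version (update the OS package, then reboot)"
    else
        echo "not in the vulnerable range: $local_version"
    fi
    if [ "${1:-}" = "--regen" ]; then
        regenerate_key_and_csr "www.example.com" "./heartbleed-reissue"
    fi
fi
```

One caveat for the version check: distributions usually backport the fix without changing the upstream version string, so a patched Debian or Red Hat package can still report 1.0.1e. Treat the range match as a prompt to consult the distribution's security advisory and package changelog (and `openssl version -b` for the build date), not as proof on its own; conversely, a version outside the range is the only result this script can give with confidence.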