Heartbleed bug

"This server is vulnerable to Heartbleed. Update to the latest version of OpenSSL, replace the certificate on your web server or appliance, and reset end-user passwords that may have been visible in a compromised server memory."

Problem

The Heartbleed Bug is a flaw in the heartbeat extension of the OpenSSL cryptographic library. OpenSSL versions 1.0.1 through 1.0.1f and 1.0.2-beta1 are vulnerable. The flaw allows an attacker to read sensitive information from server memory that is normally protected by the SSL and TLS protocols.

OpenSSL is an open-source toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. It includes a general-purpose cryptographic library and a set of utility functions. This library is used by a large share of the servers on the Internet and secures much of the Internet's traffic.

An attacker can use the Heartbleed Bug attack to gain access to:

  • Encryption keys
    An attacker can use these keys to decrypt past and future secure communications with your website and to impersonate your website at any time.
  • User credentials
    An attacker can use your customers' user names and passwords to access their information secured by your website.
  • Protected content
    An attacker can access personal or financial details, private communications (email or instant messages), and documents.
  • Collateral
    An attacker can access other leaked memory content, such as memory addresses and details of security measures.

Solution

Patch software

When securing your environment against the Heartbleed Bug, you'll need to patch OpenSSL on servers running vulnerable versions of OpenSSL, and software using affected versions of the OpenSSL library.

Upgrade to the latest version of OpenSSL (version 1.0.1g or later).

  • Servers
    Check your package manager for an updated OpenSSL package and install it. If no updated OpenSSL package is available, obtain the latest version of OpenSSL from your service provider.
  • Software
    Check for software patches released to fix the Heartbleed Bug vulnerability and install them. If no patches are available, contact your software vendor to obtain the latest patch and install it.
    Note: You may need to restart your software after it is patched to make sure the OpenSSL library is reloaded and the vulnerable code is no longer resident in memory.


If you're unable to upgrade to the latest version of OpenSSL:

  • Roll back to OpenSSL version 1.0.0 or earlier.
  • Recompile OpenSSL with the OPENSSL_NO_HEARTBEATS flag, which removes the heartbeat extension entirely.
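The following POSIX shell check is an added example, not part of the DigiCert article. It classifies the output of the openssl version command against the affected range stated above (1.0.1 through 1.0.1f and 1.0.2-beta1) so that an administrator can quickly triage hosts before the full rescan. The function names and the sample version strings are the author's own; the one caveat that matters in practice is stated in the comments: many distributions backport the fix without changing the version letter, so a match here means "check the package changelog", not "confirmed vulnerable".

```shell
#!/bin/sh
# Added example (not from the DigiCert article). Assumes only a POSIX shell
# and, for check_local_openssl, an openssl binary in PATH.

# heartbleed_version_affected "OpenSSL 1.0.1e 11 Feb 2013"
# Returns 0 (true) when the version is in the affected range
# 1.0.1 .. 1.0.1f or 1.0.2-beta1, 1 otherwise.
# Caveat: distribution packages often carry the fix under an unchanged
# version string (e.g. "1.0.1e" plus a patched package release), so treat a
# match as "verify against the package changelog or rescan", not as proof.
heartbleed_version_affected() {
    ver=${1#* }        # drop the leading "OpenSSL " word
    ver=${ver%% *}     # drop the build date that follows the version
    case "$ver" in
        1.0.1)        return 0 ;;   # the original 1.0.1 release
        1.0.1[a-f])   return 0 ;;   # 1.0.1a through 1.0.1f
        1.0.2-beta1)  return 0 ;;
        *)            return 1 ;;   # 1.0.1g+, 1.0.0 and earlier, 1.0.2-beta2+
    esac
}

# Run the check against the OpenSSL installed on this host.
# Exit status: 0 = in affected range, 1 = not in range, 2 = no openssl found.
check_local_openssl() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found in PATH"
        return 2
    fi
    v=$(openssl version)
    if heartbleed_version_affected "$v"; then
        echo "IN AFFECTED RANGE: $v (confirm with package changelog / rescan)"
        return 0
    fi
    echo "not in affected range: $v"
    return 1
}

# Usage: run the file directly, or source it and call check_local_openssl.
# "|| :" keeps a sourcing script from aborting on a non-zero status.
check_local_openssl || :
```

The version-string check is a first pass only; the rescan described in the next section (or a package-level check such as the distribution's security advisory for the installed package release) is what confirms that the fix is actually present.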

Verify Heartbleed Bug vulnerabilities are patched

Use DigiCert Discovery to rescan your environment to make sure you are no longer vulnerable to the Heartbleed Bug attack.

Rekey, reissue, and install certificates

  • Rekey and reissue all the certificates on your affected servers.
    When reissuing certificates, make sure to generate new certificate signing requests (CSRs). See Create a CSR.
  • After servers and software are patched, and only after they are patched, install your reissued certificates.
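The point of the rekey step is that the private key itself may have been read from memory, so a reissue that reuses the old CSR (and therefore the old key) does not help. The shell functions below are an added example, not part of the DigiCert article or its Create a CSR guide: they generate a fresh key and CSR with the openssl command-line tool and then confirm that the CSR's public key differs from the old key's. The hostname www.example.com, the file names and the function names are the author's placeholders; the openssl subcommands used (req, pkey, dgst) are standard.

```shell
#!/bin/sh
# Added example (not from the DigiCert article). Assumes the openssl CLI is
# installed. Paths and the hostname are placeholders chosen for illustration.

# generate_new_csr DIR HOST
# Writes DIR/HOST.new.key (a fresh 2048-bit RSA key) and DIR/HOST.new.csr.
# -newkey forces a new key; never pass -key with the old key file here.
generate_new_csr() {
    dir=$1; host=$2
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/$host.new.key" -out "$dir/$host.new.csr" \
        -subj "/CN=$host" >/dev/null 2>&1
}

# SHA-256 of the DER-encoded public key inside a private key file ($1).
pubkey_fingerprint_of_key() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the DER-encoded public key inside a CSR ($1).
pubkey_fingerprint_of_csr() {
    openssl req -in "$1" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# csr_uses_new_key OLD_KEY_FILE CSR_FILE
# Returns 0 only when the CSR carries a different public key than the old
# key, i.e. the certificate really is being rekeyed, not just reissued.
csr_uses_new_key() {
    old=$(pubkey_fingerprint_of_key "$1")
    new=$(pubkey_fingerprint_of_csr "$2")
    [ -n "$old" ] && [ -n "$new" ] && [ "$old" != "$new" ]
}

# Usage, with placeholder paths (the old key is whatever the server was using):
#   generate_new_csr /etc/ssl/private www.example.com
#   csr_uses_new_key /etc/ssl/private/www.example.com.key \
#                    /etc/ssl/private/www.example.com.new.csr && echo rekeyed
```

Submit the .new.csr file to the CA and install the reissued certificate together with the .new.key file; the old key file should be removed from the server once the new certificate is in place and the old certificate has been revoked.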

Revoke replaced certificates

After installing reissued certificates, you need to revoke the certificates that were replaced. To get your certificates revoked, contact your Certificate Authority.

For DigiCert customers, email support at support@digicert.com. Make sure to include your certificate's order number and a brief description of what you want revoked.

Reset passwords

If your servers accept passwords, you should also have your clients reset their passwords, but only after servers and software are patched and certificates are rekeyed, reissued, installed, and revoked.

If clients reset their passwords before servers/software are patched and certificates are rekeyed, reissued, installed, and revoked, then their passwords were still exposed, and they must reset their passwords again.