The best source of Internet security information is US-CERT, the United States Computer Emergency Readiness Team. It should be a reference for all on-line companies, groups and users. The alert below is reproduced from US-CERT.
========================================
Systems Affected
· OpenSSL 1.0.1 through 1.0.1f
· OpenSSL 1.0.2-beta
Overview
A vulnerability in OpenSSL could allow a remote attacker to expose sensitive data, possibly including user authentication credentials and secret keys, through incorrect memory handling in the TLS heartbeat extension.
Description
OpenSSL versions 1.0.1 through 1.0.1f contain a flaw in their implementation of the TLS/DTLS heartbeat functionality. This flaw allows an attacker to retrieve private memory of an application that uses the vulnerable OpenSSL library in chunks of 64k at a time. Note that an attacker can repeatedly leverage the vulnerability to retrieve as many 64k chunks of memory as are necessary to retrieve the intended secrets. The sensitive information that may be retrieved using this vulnerability includes:
· Primary key material (secret keys)
· Secondary key material (user names and passwords used by vulnerable services)
· Protected content (sensitive data used by vulnerable services)
· Collateral (memory addresses and content that can be leveraged to bypass exploit mitigations)
Exploit code is publicly available for this vulnerability. Additional details may be found in CERT/CC Vulnerability Note VU#720951.
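The "incorrect memory handling" is the absence of one length check. As an added example that is not part of the US-CERT alert or of OpenSSL's own code, the following Python parser handles the RFC 6520 heartbeat message format and enforces the check the vulnerable versions omitted: the sender-declared payload_length must fit inside the bytes actually received. The two sample records are constructed, not captured traffic.

```python
import struct

# RFC 6520 HeartbeatMessage: type(1) | payload_length(2) | payload | padding(>=16)
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16


class HeartbeatError(ValueError):
    """Raised when a heartbeat message fails validation."""


def parse_heartbeat(record: bytes) -> tuple:
    """Parse one heartbeat record body and return (type, payload).

    OpenSSL 1.0.1 through 1.0.1f trusted payload_length without comparing it to
    the record length, so the responder copied payload_length bytes (up to 64k)
    from memory it had never received. The comparison below is the fix.
    """
    if len(record) < 3:
        raise HeartbeatError("record too short for heartbeat header")
    hb_type = record[0]
    (payload_length,) = struct.unpack("!H", record[1:3])
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        raise HeartbeatError(f"unknown heartbeat type {hb_type}")
    # Declared payload plus mandatory padding must fit in what was received;
    # RFC 6520 section 4 says an oversized message MUST be discarded silently.
    if 1 + 2 + payload_length + MIN_PADDING > len(record):
        raise HeartbeatError(
            f"declared payload_length {payload_length} exceeds record of {len(record)} bytes"
        )
    return hb_type, record[3:3 + payload_length]


def build_heartbeat(hb_type: int, payload: bytes, padding_len: int = MIN_PADDING) -> bytes:
    """Serialize a heartbeat message (zero padding here; real stacks use random bytes)."""
    if padding_len < MIN_PADDING or len(payload) > 0xFFFF:
        raise HeartbeatError("invalid padding or payload length")
    return bytes([hb_type]) + struct.pack("!H", len(payload)) + payload + b"\x00" * padding_len


def respond(record: bytes) -> bytes:
    """Answer a validated request by echoing only the payload that actually arrived."""
    hb_type, payload = parse_heartbeat(record)
    if hb_type != HEARTBEAT_REQUEST:
        raise HeartbeatError("only requests are answered")
    return build_heartbeat(HEARTBEAT_RESPONSE, payload)


# Constructed samples: a well-formed request, and one whose declared length
# (0xFFFF, the 64k the alert describes) far exceeds the 4 payload bytes sent.
GOOD = build_heartbeat(HEARTBEAT_REQUEST, b"ping")
BAD = bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", 0xFFFF) + b"ping" + b"\x00" * MIN_PADDING
```

The same validation can be run over decrypted heartbeat records in a TLS proxy or IDS to flag requests whose declared length does not match what was carried on the wire.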
Impact
This flaw allows a remote attacker to retrieve private memory of an application that uses the vulnerable OpenSSL library in chunks of 64k at a time.
Solution
OpenSSL 1.0.1g has been released to address this vulnerability. Any keys generated with a vulnerable version of OpenSSL should be considered compromised and regenerated and deployed after the patch has been applied.
US-CERT recommends system administrators consider implementing Perfect Forward Secrecy to mitigate the damage that may be caused by future private key disclosures.
Revisions
· Initial Publication
======================================
In addition to this blog, I have authored the premier book on Netiquette, "Netiquette IQ - A Comprehensive Guide to Improve, Enhance and Add Power to Your Email". You can view my profile, reviews of the book and content excerpts at:
www.amazon.com/author/paulbabicki
If you would like to listen to experts in all aspects of Netiquette and communication, try my radio show on BlogtalkRadio and an online newsletter via paper.li. I have established Netiquette discussion groups with LinkedIn and Yahoo. I am also a member of the International Business Etiquette and Protocol Group and Minding Manners among others. I regularly consult for the Gerson Lehrman Group, a worldwide network of subject matter experts, and I have been contributing to the blogs Everything Email and emailmonday. My work has appeared in numerous publications and I have presented to groups such as The Breakfast Club of NJ Rider University and PSG of Mercer County, NJ.