OpenSSL Heartbeat Information Disclosure Vulnerability
RISK: Extremely High Risk
TYPE: Operating Systems - Networks OS
A vulnerability has been identified in OpenSSL. A remote, unauthenticated attacker may be able to retrieve sensitive information, such as secret keys. By leveraging this information, an attacker may be able to decrypt, spoof, or perform man-in-the-middle attacks on network traffic that would otherwise be protected by OpenSSL.
A missing bounds check in the handling of the TLS heartbeat extension (RFC 6520) lets a peer claim a larger payload than its heartbeat record actually carries; the response echoes back up to 64 KB of adjacent process memory to the connected client or server, and the request can be repeated to harvest more. The affected code path is reached before authentication and leaves no trace in normal logs.
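As an added illustration that is not part of this advisory or of OpenSSL's source, the following C model places a heartbeat record in a small simulated memory arena and runs it through the unchecked handling pattern and the bounds-checked one. The arena, the record layout and the secret string are constructed for the demo so that the over-read stays inside the arena and the program is safe to run.

```c
/* Stand-alone model of the heartbeat bug: the vulnerable record handler next to
 * the bounds-checked one. Added illustration, not OpenSSL's source. The arena,
 * the record layout and the secret are constructed so that the over-read stays
 * inside the arena and the demo is safe to run. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING  16   /* RFC 6520: at least 16 bytes of padding */

static uint8_t arena[64];                              /* simulated process memory */
static const char SECRET[] = "SESSION_KEY=deadbeef";  /* constructed secret */

/* Put a 3-byte heartbeat record at the start of the arena that claims
 * `claimed_len` payload bytes but carries none, then place the secret directly
 * after it. Returns the record's real length as seen by the TLS layer. */
static size_t build_malicious_record(uint16_t claimed_len) {
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(claimed_len >> 8);
    arena[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(arena + 3, SECRET, sizeof SECRET - 1);
    return 3;
}

/* Shared response construction: header, echoed payload, padding. */
static size_t write_response(const uint8_t *pl, uint16_t payload, uint8_t *out) {
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + 3, pl, payload);             /* copies `payload` bytes from pl */
    memset(out + 3 + payload, 0, HB_PADDING); /* real OpenSSL uses random padding */
    return 1 + 2 + (size_t)payload + HB_PADDING;
}

/* Vulnerable pattern (1.0.1 to 1.0.1f): the peer's length field is trusted and
 * rec_len, the real record length, is never compared against it. */
static size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                                   uint8_t *out, size_t out_cap) {
    (void)rec_len;                            /* the bug: never consulted */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (rec[0] != HB_REQUEST) return 0;
    if (1 + 2 + (size_t)payload + HB_PADDING > out_cap) return 0; /* sizes the reply only */
    return write_response(rec + 3, payload, out);   /* over-read past the real payload */
}

/* Fixed pattern (1.0.1g): drop records too short to be valid, then drop any
 * whose claimed payload does not fit inside the record. Both silently. */
static size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                              uint8_t *out, size_t out_cap) {
    if (rec_len < (size_t)(1 + 2 + HB_PADDING)) return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return 0; /* the bounds check */
    if (rec[0] != HB_REQUEST) return 0;
    if (1 + 2 + (size_t)payload + HB_PADDING > out_cap) return 0;
    return write_response(rec + 3, payload, out);
}

/* 1 if the vulnerable handler echoes the secret back to the peer. */
int vulnerable_leaks_secret(void) {
    uint8_t out[128];
    size_t rec_len = build_malicious_record(32);      /* claims 32 bytes, sends 0 */
    size_t n = heartbeat_vulnerable(arena, rec_len, out, sizeof out);
    return n == (size_t)(1 + 2 + 32 + HB_PADDING) &&
           memcmp(out + 3, SECRET, sizeof SECRET - 1) == 0;
}

/* 1 if the fixed handler drops the same record. */
int fixed_drops_malicious(void) {
    uint8_t out[128];
    size_t rec_len = build_malicious_record(32);
    return heartbeat_fixed(arena, rec_len, out, sizeof out) == 0;
}

/* 1 if the fixed handler still answers a well-formed 4-byte request. */
int fixed_echoes_valid(void) {
    uint8_t rec[1 + 2 + 4 + HB_PADDING] = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
    uint8_t out[128];
    size_t n = heartbeat_fixed(rec, sizeof rec, out, sizeof out);
    return n == sizeof rec && out[0] == HB_RESPONSE && memcmp(out + 3, "ping", 4) == 0;
}

int main(void) {
    printf("vulnerable leaks secret: %d\n", vulnerable_leaks_secret());
    printf("fixed drops malicious:   %d\n", fixed_drops_malicious());
    printf("fixed echoes valid:      %d\n", fixed_echoes_valid());
    return 0;
}
```

The vulnerable handler answers a 3-byte record with a 51-byte response whose body is whatever sat next to the record in memory, which is the whole attack. The fixed handler applies the two checks the 1.0.1g release added: a record shorter than the header plus minimum padding is dropped, and a claimed payload that does not fit inside the record is dropped, both silently as RFC 6520 requires.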
Note: This vulnerability is being actively exploited in the wild.
Impact
- Information Disclosure
- Spoofing
System / Technologies affected
- OpenSSL version 1.0.1 to 1.0.1f
- OpenSSL version 1.0.2-beta1
- Not affected: the OpenSSL 1.0.0 and 0.9.8 branches, and 1.0.1 builds compiled with -DOPENSSL_NO_HEARTBEATS
- Note that distribution packages often backport the fix without changing the version string reported by 'openssl version'; check the package changelog or the vendor advisory rather than the version number alone.
- Affected Vendor information list
Solutions
Before installation of the software, please visit the software manufacturer's web site for more details.
- For OpenSSL version 1.0.1 to 1.0.1f - Update to version 1.0.1g
- For OpenSSL version 1.0.2-beta1 - Update to version 1.0.2-beta2
- If upgrading is not yet possible, rebuild OpenSSL with -DOPENSSL_NO_HEARTBEATS to disable the heartbeat extension.
- Patching stops further leakage but does not undo what may already have been read: private keys served by affected systems should be treated as compromised, certificates reissued and the old ones revoked, and session cookies and passwords exposed through affected services reset. Restart every service that loaded the old library so the patched code is actually in use.
- [2014-04-15 update] Fix available for Cisco products:
  https://isc.sans.edu/diary/Heartbleed+Fix+Available+for+Download+for+Cisco+Products/17951
- For details about how to verify whether your server or device is affected, please refer to our blog article:
  /my_url/blog/14041501