Heartbleed bug is a very serious bug present in OpenSSL cryptographic software library. This bug allowed leakage of sensitive information via the SSL/TLS encryption that was used to secure the internet. The SSL/TLS protocol was first introduced to provide better security and privacy for web applications like VPNs (Virtual Private Network), E-mail service and many more. The attacker can use this bug to read the memory of the application with any vulnerable versions of OpenSSL. The attacker can also use the secret keys to identify the service provider and can decrypt the network traffic to get sensitive information like user credentials and many more. Using this key, the attacker can also overhear the conservation between the clients and the server to extract sensitive information. An attacker can attack an application using old versions of OpenSSL without leaving any traces on the server log.
Impact
The impact for this vulnerability include:-
- A remote attacker can expose sensitive data about the server including user authentication credentials and secret keys.
Mitigation / Precaution
Beagle recommends the following for fixing this vulnerability:-
- Try not to use a vulnerable version of OpenSSL (eg: OpenSSL 1.0.1).
- To prevent data leakage, a developer can also use 3rd party vendors like Amazon web services.
- It is better to replace the SSL key used in the application.
- If the web application just faced an attack due to heartbleed, try to recommend a password change for the application’s users. This step would protect their data if there were a breach in the application.
