Heartbleed Bug in OpenSSL
Posted: 2015-12-01 by
A fatal Bug apparently compromised encryption keys and data of the secured connections with OpenSSL.
The developers of OpenSSL release an update of their widespread encryption library: A programming error allows each communication partner to read the memory of the remote station. Specifically this means that an attacker can steal keys, passwords and other private information.
The finder of the vulnerability speak of the Heartbleed Bug because the error was found in the heartbeat function. Due a missing verification of memory access, an attacker can read up to 64 Kbytes of the remote site. According to the description, it was possible to steal the secret key of a server certificate, user names, passwords and encrypted transmitted data such as e-mails. And all this without leaving any traces on the server.
Primarily affected are now all operators of servers that use SSL for encryption. These are not only web servers, but also E-Mail, VPN and other services. It is extremely important to update these systems as soon as possible.
Security Advisory: OpenSSL: TLS heartbeat read overrun (CVE-2014-0160)
