MA0382.042014: MyCERT Alert: OpenSSL Heartbleed Information Disclosure Vulnerability
Date Published: 8 April 2014
First Revision: 9 April 2014
MyCERT received information from valid sources regarding a vulnerability that exists in OpenSSL versions 1.0.1 through 1.0.1f (CVE-2014-0160, commonly known as Heartbleed) that could disclose sensitive information belonging to users to an attacker. The defect is a missing bounds check in OpenSSL's handling of the TLS heartbeat extension (RFC 6520): the server copies back as many bytes as the client claims to have sent, without comparing that claim to the size of the record actually received.
The vulnerability allows anyone on the Internet who can reach a vulnerable service to read up to 64 KB of the memory of the process protected by the vulnerable OpenSSL version with each malformed heartbeat request, and the request can be repeated indefinitely. This may compromise the secret keys used to identify service providers and to encrypt the traffic, the names and passwords of users, and the actual content of communications. It allows attackers to eavesdrop on communications, steal data directly from services and users, and impersonate services and users. A malicious heartbeat is not recorded by a default OpenSSL or web-server configuration, so logs cannot be relied upon to show whether a server has already been attacked.
The impact is that a remote, unauthenticated attacker may be able to retrieve sensitive information, such as secret keys. With that information, an attacker may be able to decrypt, spoof, or perform man-in-the-middle attacks on network traffic that would otherwise be protected by OpenSSL. Clients built on a vulnerable OpenSSL are equally exposed when they connect to a malicious server, since the heartbeat exchange runs in both directions.
MyCERT has provided a tool to assist system administrators in checking whether their HTTPS websites are affected by this vulnerability.
If your version of OpenSSL is affected by this vulnerability, refer to the recommendations below:
3.1 Apply an update
This vulnerability is addressed in OpenSSL 1.0.1g. Users may contact their respective software vendor to check for availability of updates. Note that many Linux distributions backport the fix without changing the reported version number, so a system that reports 1.0.1e or 1.0.1f may already be patched; consult the package changelog or the vendor's advisory rather than the version string alone. Because the fix does not undo any disclosure that has already happened, administrators should also revoke and reissue certificates whose private keys may have been exposed, and reset user passwords and session credentials after patching.
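To make the defect and the 1.0.1g fix concrete, the following is an added, self-contained illustration in C. It is not OpenSSL's code and not MyCERT's checking tool; it is modelled on the logic of tls1_process_heartbeat in OpenSSL 1.0.1f and on the length check that 1.0.1g added. The memory arena, the secret string placed next to the record, and the function names are constructed for this demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TLS heartbeat message layout (RFC 6520): type(1) | payload_length(2) | payload | padding(>=16) */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_PADDING     16
#define HB_MAX_PAYLOAD 65535   /* payload_length is a 16-bit field, hence the 64 KB per request */

/* Constructed stand-in for process memory. The inbound record is written at
 * offset 0; whatever lies after it (here, a made-up secret) represents
 * neighbouring heap data that a correct handler must never read. The array is
 * sized so that even the largest claimed payload stays inside it, which keeps
 * this demo free of undefined behaviour while still showing the over-read. */
static unsigned char arena[3 + HB_MAX_PAYLOAD + 128];
static unsigned char response[HB_MAX_PAYLOAD];
static const char secret[] = "SESSIONID=8f3a21c0; -----BEGIN RSA PRIVATE KEY-----"; /* constructed */

typedef size_t (*hb_handler)(const unsigned char *rec, size_t rec_len, unsigned char *out);

/* Write a heartbeat request at the start of the arena. `claimed` goes into the
 * payload_length field; `actual` is how many payload bytes are really sent.
 * Returns the true record length, i.e. what the TLS record layer delivered. */
static size_t build_request(uint16_t claimed, size_t actual)
{
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed >> 8);
    arena[2] = (unsigned char)(claimed & 0xff);
    memset(arena + 3, 'A', actual);
    size_t rec_len = 3 + actual + HB_PADDING;      /* padding bytes are already zero */
    memcpy(arena + rec_len, secret, sizeof secret); /* "heap neighbour" right after the record */
    return rec_len;
}

/* Vulnerable handler, modelled on OpenSSL 1.0.1f: the attacker-supplied
 * payload_length is trusted and copied back without being compared to the
 * length of the record that was actually received. */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len, unsigned char *out)
{
    (void)rec_len;                                  /* the bug: never consulted */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    memcpy(out, rec + 3, payload);                  /* reads past the end of the record */
    return payload;
}

/* Fixed handler, modelled on the 1.0.1g change: a request whose declared
 * payload (plus header and minimum padding) does not fit in the received
 * record is silently discarded, as RFC 6520 section 4 requires. */
static size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len, unsigned char *out)
{
    if (rec_len < 1 + 2 + HB_PADDING)
        return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len)
        return 0;
    memcpy(out, rec + 3, payload);
    return payload;
}

/* Run a handler on a constructed request; returns the response payload length
 * (0 means the request was dropped or carried no payload). */
static size_t hb_response_len(hb_handler h, uint16_t claimed, size_t actual)
{
    size_t rec_len = build_request(claimed, actual);
    return h(arena, rec_len, response);
}

/* Same, but returns 1 if the response carries the neighbouring secret. */
static int hb_leaks_secret(hb_handler h, uint16_t claimed, size_t actual)
{
    size_t n = hb_response_len(h, claimed, actual);
    size_t slen = sizeof secret - 1;
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(response + i, secret, slen) == 0)
            return 1;
    return 0;
}

int main(void)
{
    printf("vulnerable, claimed 16384 / sent 4: %zu bytes returned, leak=%d\n",
           hb_response_len(heartbeat_vulnerable, 16384, 4),
           hb_leaks_secret(heartbeat_vulnerable, 16384, 4));
    printf("fixed,      claimed 16384 / sent 4: %zu bytes returned, leak=%d\n",
           hb_response_len(heartbeat_fixed, 16384, 4),
           hb_leaks_secret(heartbeat_fixed, 16384, 4));
    printf("fixed,      claimed 4 / sent 4:     %zu bytes returned\n",
           hb_response_len(heartbeat_fixed, 4, 4));
    return 0;
}
```

The honest request (claimed length equal to the bytes sent) is answered by both handlers, which is why the bug survived ordinary interoperability testing; only a request that lies about its length separates the two, and the fixed handler answers it with nothing at all rather than with an error, so a scanner must treat silence as the patched case.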
3.2 Disable OpenSSL heartbeat support
Another recommendation is to recompile OpenSSL with the -DOPENSSL_NO_HEARTBEATS flag, which removes the heartbeat extension entirely. Software that links against OpenSSL, such as Apache or Nginx, must be restarted for the change to take effect, since a running process keeps the old library mapped. End users may contact their respective software vendor to obtain a rebuilt OpenSSL.
MyCERT generally advises users of this product to keep themselves updated with the latest security announcements from the vendor. If users have any enquiries on this matter, please reach us through the following channels:
E-mail : firstname.lastname@example.org
Phone : 1-300-88-2999 (monitored during business hours)
Fax : +603 89453442
Handphone : +60 19 2665850 (24x7 on call incident reporting)
SMS : CYBER999 REPORT to 15888
Business Hours : Mon - Fri 09:00 -18:00 MYT