MyCERT Advisories

MyCERT Advisories, Alerts and Summaries for the year 2014

MA0382.042014: MyCERT Alert: OpenSSL Heartbleed Information Disclosure Vulnerability

Date Published: 8 April 2014
First Revision: 9 April 2014

1.0 Introduction

MyCERT received information from valid sources regarding a vulnerability that exists in OpenSSL versions 1.0.1 through 1.0.1f and could disclose sensitive user information to an attacker.

The vulnerability allows anyone on the Internet to read the memory of systems protected by vulnerable versions of the OpenSSL software. This may compromise the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users, and the actual content. This allows attackers to eavesdrop on communications, steal data directly from services and users, and impersonate services and users.

2.0 Impact

The impact of this vulnerability is that a remote, unauthenticated attacker may be able to retrieve sensitive information, such as secret keys. Using this information, an attacker may be able to decrypt, spoof, or perform man-in-the-middle attacks on network traffic that would otherwise be protected by OpenSSL.

3.0 Recommendation

MyCERT has provided a tool to assist system administrators in checking whether their HTTPS websites are affected by this vulnerability.

If your version of OpenSSL is affected by this vulnerability, refer to the recommendations below:

3.1 Apply an update

This vulnerability is addressed in OpenSSL 1.0.1g. Users may contact their respective software vendor to check for the availability of updates.

3.2 Disable OpenSSL heartbeat support

Another recommendation is to recompile OpenSSL with the -DOPENSSL_NO_HEARTBEATS flag. Software that uses OpenSSL, such as Apache or Nginx, must be restarted for the change to take effect. End users may contact their respective software vendor to recompile OpenSSL.
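The following is an added example (not MyCERT's checking tool and not code from the advisory) that applies sections 3.1 and 3.2 to a host's own `openssl version -a` output: it decides whether the reported version falls in the 1.0.1 through 1.0.1f range, handling the letter-suffix ordering correctly, and whether the build was compiled with -DOPENSSL_NO_HEARTBEATS. The sample outputs embedded below are constructed, not captured from a real host.

```python
import re
import subprocess

# Affected range stated in the advisory: OpenSSL 1.0.1 through 1.0.1f; fixed in 1.0.1g.
VULNERABLE_BRANCH = (1, 0, 1)
FIRST_FIXED_LETTER = "g"

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

def parse_openssl_version(text):
    """Return (major, minor, fix, letter) from `openssl version` output, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))

def version_is_affected(text):
    """True/False for a recognised OpenSSL banner, None if it cannot be parsed."""
    parsed = parse_openssl_version(text)
    if parsed is None:
        return None
    major, minor, fix, letter = parsed
    if (major, minor, fix) != VULNERABLE_BRANCH:
        return False  # 0.9.8, 1.0.0 and other branches are outside the advisory's range
    # Letter suffixes sort alphabetically: "" (plain 1.0.1) < "a" < ... < "f" < "g"
    return letter < FIRST_FIXED_LETTER

def heartbeats_compiled_out(text):
    """True if the `compiler:` line of `openssl version -a` carries -DOPENSSL_NO_HEARTBEATS."""
    return any(line.startswith("compiler:") and "-DOPENSSL_NO_HEARTBEATS" in line
               for line in text.splitlines())

def assess(version_a_output):
    """Verdict for one host: 'affected', 'mitigated' (3.2 applied), 'not-affected' or 'unknown'."""
    affected = version_is_affected(version_a_output)
    if affected is None:
        return "unknown"
    if not affected:
        return "not-affected"
    return "mitigated" if heartbeats_compiled_out(version_a_output) else "affected"

# Constructed sample outputs (not captured from a real host) for the two interesting cases.
SAMPLE_AFFECTED = "OpenSSL 1.0.1e 11 Feb 2013\ncompiler: gcc -fPIC -DOPENSSL_THREADS -O3\n"
SAMPLE_MITIGATED = "OpenSSL 1.0.1e 11 Feb 2013\ncompiler: gcc -fPIC -DOPENSSL_NO_HEARTBEATS -O3\n"

if __name__ == "__main__":
    try:
        out = subprocess.run(["openssl", "version", "-a"], capture_output=True, text=True).stdout
        print("local OpenSSL:", assess(out))
    except FileNotFoundError:
        print("no openssl binary; sample verdicts:", assess(SAMPLE_AFFECTED), assess(SAMPLE_MITIGATED))
```

Vendor-patched packages often keep the old version string (for example a distribution build that still reports 1.0.1e after the fix was backported), so an "affected" verdict from the banner alone should be confirmed against the vendor's package changelog before concluding the host is vulnerable.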

MyCERT generally advises users of this product to keep themselves updated with the latest security announcements from the vendor. If users have any enquiries on this matter, please reach us through the following channels:

E-mail :
Phone : 1-300-88-2999 (monitored during business hours)
Fax : +603 89453442
Handphone : +60 19 2665850 (24x7 on call incident reporting)
SMS : CYBER999 REPORT to 15888
Business Hours : Mon - Fri 09:00 -18:00 MYT

4.0 Reference