Newly Discovered Heartbleed Security Flaw Affects Many Internet Applications

By Mark Maxey, Rob Dixon, Mark Heneghan ·

The recently discovered Heartbleed Bug represents a serious vulnerability within the OpenSSL cryptographic library (CVE-2014-0160) used to encrypt communications between web applications, email exchanges, instant messaging clients and some SSL-based virtual private network connections. We’ve just released a detailed paper that provides more information on the Heartbleed Bug, its implications and recommendations for remediation. You can check it out here.

Why is this so serious? The vulnerability allows potential attackers to view the memory of normally protected systems running the vulnerable versions of the OpenSSL software. It enables an attacker to gain access to the contents of a web server memory or other exposed services, allowing for the theft of usernames and passwords, credit card information, session tokens or configuration file contents. Though unlikely, unprotected SSL private keys could also allow attackers to decrypt intercepted traffic.

Because OpenSSL provides the SSL implementation for mainstream products and applications, many are affected by the Heartbleed vulnerability. Whether or not an individual product is vulnerable depends on the linked version of OpenSSL used to build the application, or the installed library version.

A number of tools and signatures have been developed to address the situation, including both online tools and standalone tests. And, many vendors are working to release updates to identify the presence of the SSL Heartbleed attack within their products by the end of the week.

Mark Maxey

VP of Intelligence Operations

Mark Maxey is VP of intelligence operations with Optiv. In this role, Mark manages our global threat intelligence center, SIEM, threat analysis and endpoint security teams.

Rob Dixon

Principal Consultant

Rob Dixon is a principal security consultant in Optiv's MSS threat intelligence operations where he leads the advanced threat analysis (ATA) team. Previously he worked on Accuvant LABS’ attack and penetration team and vulnerabilities and exposures team performing network, web application, physical and wireless penetration tests. Rob has over 15 years of pure security experience with a strong focus on intrusion and incident response efforts and cyber counter intelligence tactics.