DIGICERT has received information from Malaysian Computer Emergency Response Team (MyCERT) regarding vulnerability that exists on OpenSSL Versions 1.0.1 through 1.0.1f that could disclose sensitive information belonging to users to an attacker.

The vulnerability allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. There is a possibility that this may compromise the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users.

What is the impact to users?

The impact of this vulnerability would allow a web attacker to remotely be able to retrieve sensitive information, such as secret keys. By using the sensitive information, an attacker may be able to decrypt, spoof, or perform man-in-the-middle attacks on network traffic that would otherwise be protected by OpenSSL.

What you should do?

Detect:

Malaysian Computer Emergency Response Team (MyCERT) has provided a tool to assist system administrators to check whether their HTTPS websites affected by this vulnerability.

http://heartbleed.honeynet.org.my

If your version of OpenSSL is affected by this vulnerability, you may refer to the below recommendations:

You may apply an update:

This vulnerability issue is addressed in OpenSSL 1.0.1g. User may contact their respective software vendor to check for availability of updates.

Or Disable OpenSSL heartbeat support:

Another recommendation is to recompile OpenSSL with the -DOPENSSL_NO_HEARTBEATS flag. Software that uses OpenSSL, such as Apache or Nginx would need to be restarted for the changes to take effect. End users may contact their respective software vendor to recompile the OpenSSL.

Digicert would like to generally advise users of OpenSSL Versions 1.0.1 through 1.0.1f to keep themselves updated with the latest security announcements by the vendor. If users have any enquiries on this matter, please reach Malaysian Computer Emergency Response Team (MyCERT) through the following channels:

• E-mail : [email protected]
• Phone : 1-300-88-2999 (monitored during business hours)
• Fax : +603 89453442
• Handphone : +60 19 2665850 (24x7 on call incident reporting)
• SMS : CYBER999 REPORT to 15888
• Business Hours : Mon - Fri 09:00 -18:00 MYT
• Web : http://www.mycert.org.my

Further Reading:

• http://heartbleed.com/
• http://www.kb.cert.org/vuls/id/720951
• https://www.openssl.org/news/secadv_20140407.txt
• http://www.businessinsider.my/heartbleed-bug-explainer-2014-4/#.U0eY7ldR-P0

Tags: openssl heartbleed