Heartbleed - What can you do about it?

The newly announced OpenSSL vulnerability is potentially one of the most serious vulnerabilities found in the last 10 years. People inherently trust SSL encrypted connections (i.e. https://yourbank.com ), which now has been turned on its head.  The details of how serious this bug is to the secure web infrastructure can be found at the below links.

• Heartbleed Bug
• Vulnerability Note VU#720951 - OpenSSL heartbeat information disclosure
• OpenSSL 'heartbleed' bug live blog | Fox-IT International blog
• [Emerging-Sigs] Emergency Heartbleed signatures 
• Alarming Open-Source Security Holes | MIT Technology Review
• SSegurança - blog.suffert.com: Heartbleed SSL Bug
• Top 1000 sites vulnerabillity status

Are you providing SSL encrypted Services?

If you are, you need to know if you are vulnerable and you should mitigate this risk right away.   The bug is contained in OpenSSL version 1.0.1 through 1.0.1f (inclusive), so how do you you know if you are running an affected version?  Since OpenSSL is an Open Source SSL project, the highest likelihood of using it is if you are using an open source operating system.

• It is very likely that if you are running Microsoft IIS, you are not using OpenSSL.
• If you are using any MacOS X, the latest version of OpenSSL shipped by Apple is OpenSSL 0.9.8y 5 Feb 2013, so you should be safe.
• If you are running RedHat or CentOS
  • Check your package - "rpm -q -a | grep ssl"  - check your package version
•  If you are running Ubuntu or Debian linux
  • "apt-cache search libssl | grep -i SSL"
• In general, you can type  "openssl version" to list the version on your system
• Commercial Software - If you bought a commercial software package that provides ssl based encryption, you need to check specifically with your vendor.
• If you are running VMware ESXi 5.5, you may also be vulnerable , login into the CLI
  • vmware -vl
  • openssl version -a |grep OpenSSL

If you are are vulnerable, you need to upgrade right away, but that may only be the beginning. Because someone may have exploited it and grabbed the right 64K of memory at the right time, you may need to revoke certificates, change all your user passwords and protect yourself from future malice.  If you run a site with a large user database, this could be a very large job, but the risk of you not changing everything is high and a possible attacker could come back and do harm to you with the information they previously gained.   The links provided above provide more details of the vulnerabilities and how to correct the situation, but the first step is to understand if you are vulnerable.