Click me
Transcribed

Heartbleed Bug

Skipped a heartbeat? KNOW MORE ABOUT THE HEARTBLEED BUG The heartbleed bug allows anyone on the internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software "HELLO11030234JFHISK$) %)W@)%SECURE$#@KLKS ACONFIDENTIAL("(#"$#$K DSDKJ"("$#PRIVATE&*&"C RITICAL"(##SECRET*****LK That's quite a find! Glad my request LKLLLK2233CLASSIFIED**** Will they ever find was not validated! DATAINMEMORY" out? Are you there? Send me "HELLO" 500 Bytes Exploitation using a malformed data request in a heartbeat message. Is "HELLO" 500 Bytes? This vulnerability permits an attacker to read additional information from memory. The server fails to detect an invalid memory access in what appears to a regular heartbeat request. What is compromised? Umm.. Now that I have the keys, I can try deciphering the data I stole already or let me steal more... I could also tune in to the traffic and may be start transacting using someone else's account! Secure keys, names and passwords of users and much more... ****** Compromised secret keys allow attackers to eavesdrop on communications, steal data from and impersonate services and users. Versions Impacted Versions NOT Impacted OpenSSL OpenSSL Over 2/3 rds of OpenSSL 1.0.1 through 1.0.1f (inclusive) OpenSSL 1.0.1g OpenSSL 1.0.0 OpenSSL 0.9.8 Internet Web Servers running bug ridden OpenSSL versions OS OS Deblan Wheezy (stable), OpensSL 1.O.1e-2+deb7u4 Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11 CentoS 6.5, OpenSSL 1.0.1e-15 Fedora 18, OpenSSL 1.0.1e-4 OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) Open BSD 5.4 (OpenSSL 1.0.1c 10 May 2012) FreeBSD 10.0 - OpenSSL 1.0.1e 11 Feb 2013 NetBSD 5.0.2 (OpenSSL 1.0.1e) OpenSUSE 12.2 (OpenSSL 1.0.1c) Deblan Squeeze (oldstable), OpensSL 0.9.80-4squeeze14 SUSE Linux Enterprise Server FreeBSD 8.4 - OpenSSL 0.9.8y 5 Feb 2013 FreeBSD 9.2 - OpenSSL 0.9.8y 5 Feb 2013 FreeBSD 10.0p1 - OpenSSL 1.0.1g (At 8 Apr 18:27:46 2014 UTC) FreeBSD Ports - OpensSL 1.0.1g (At 7 Apr 21:46:40 2014 UTC) are vulnerable! The Heartbleed Bug When? Discovery + identification Upto 64 KB of Introduced on By a team of security engineers (Riku, Antti and Matti) at Codenomicon and Neel Mehta of Google Security server memory can be leaked due to this Dec 2011 along with OpenSSL 1.0.1 release on 14 MAR 2012 Security company Codenomicon gave Heartbleed both a name and a logo Fixed on 7 APR 2014 release of OpenSSL 1.0.1g vulnerability Where? Bug is in the OpenSSL implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (RFC6520) Why? Improper input validation (due to a missing bounds check) In the implementation of TLS heartbeat extension resulting in leak of memory contents Official reference for Heartbleed Bug CVE-2014-0160 The Fix OPENSSL ORGANIZATIONS WEB USERS Fix by OpenSSL Team Change ALL your passwords! SOFTWARE DEVELOPERS • Use fixed version 1.0.1g or newer • Recompile OpenSSL with the handshake removed from the code by complle time option DOPENSSL_NO_HEARTBEATS COUNTLESS DATA TRANSFERS, INFORMATION EXCHANGES, MESSAGES AND TRANSACTIONS IN THE WORLD WIDE WEB SAVE YOURSELF FROM HEARTBLEED Sources: 1. http://heartbleed.com/ 2. http://en.wiklpedla.org/wiki/Heartbleed 3. http://www.buzzfeed.com/charlewarzel/heartbleed-is-the-massive-security-flaw-that-could-affect-up TEVI.CO O TEVI.CO 2014 ALL RIGHTS RESERVED www.tevi.co O TEVICO2014 ALL RIGHTS RESERVED

Heartbleed Bug

shared by tevico on Aug 20
341 views
6 shares
0 comments
An infographic aimed at explaining the what, where, how and why of the Heartbleed bug, a serious vulnerability in the popular OpenSSL cryptographic software library.

Publisher

TEVICO

Designer

TEVICO

Category

Technology
Did you work on this visual? Claim credit!

Get a Quote

Embed Code

For hosted site:

Click the code to copy

For wordpress.com:

Click the code to copy
Customize size