Security Advisory regarding the OpenSSL Vulnerability [CVE-2014-0160]
Josh Frazier
PROBLEM DESCRIPTION
The OpenSSL library version 1.0.1 (versions 1.0.1 to 1.0.1f) contains a security flaw that allows an attacker to trick the server into returning 64 kB of memory from the server process memory. This can be done without having to log in or authenticate first. The cause is a feature called “heartbeat” (RFC 6520), which was added in OpenSSL version 1.0.1. When the feature was added, a flaw allowed the client to request that the server return 64 kB of data. Depending on what this data contains, the attacker may gain access to user credentials or certificates.
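The length check whose absence causes the behaviour described above, shown as a hardened RFC 6520 heartbeat handler. This is an added example, not OpenSSL's code and not part of the original advisory; `hb_build_response`, the `HB_*` names and the sample records are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1   /* heartbeat_request (RFC 6520) */
#define HB_RESPONSE 2   /* heartbeat_response (RFC 6520) */
#define HB_MIN_PAD  16  /* minimum padding length (RFC 6520) */
#define HB_HDR      3   /* 1-byte type + 2-byte payload_length */

/* Constructed sample records, not captured traffic: both carry a 4-byte
 * payload plus 16 bytes of padding; the second claims 0xFFFF bytes. */
static const uint8_t HB_HONEST[HB_HDR + 4 + HB_MIN_PAD] = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
static const uint8_t HB_LYING[HB_HDR + 4 + HB_MIN_PAD]  = { HB_REQUEST, 0xFF, 0xFF, 'p', 'i', 'n', 'g' };
static uint8_t hb_out[64];

/* Hypothetical helper (not an OpenSSL function): writes the response to
 * out and returns its length, or 0 when the request must be discarded. */
size_t hb_build_response(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap)
{
    if (rec == NULL || out == NULL ||
        rec_len < HB_HDR + HB_MIN_PAD || rec[0] != HB_REQUEST)
        return 0;                       /* not a well-formed request */

    /* Length field is supplied by the peer and can be up to 65535. */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];

    /* Bounds check: the claimed payload must fit in the bytes actually
     * received, after the header and minimum padding are accounted for. */
    if (claimed > rec_len - HB_HDR - HB_MIN_PAD)
        return 0;
    size_t resp_len = HB_HDR + claimed + HB_MIN_PAD;
    if (resp_len > out_cap)
        return 0;

    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, claimed);      /* echo payload only */
    memset(out + HB_HDR + claimed, 0, HB_MIN_PAD);    /* real code: random padding */
    return resp_len;
}

int main(void)
{
    printf("honest request  -> %zu-byte response\n", hb_build_response(HB_HONEST, sizeof HB_HONEST, hb_out, sizeof hb_out));
    printf("oversized claim -> %zu (discarded)\n", hb_build_response(HB_LYING, sizeof HB_LYING, hb_out, sizeof hb_out));
    return 0;
}
```

Without the comparison of `claimed` against the received record length, the copy would read past the request buffer into adjacent process memory, which is the data the advisory warns about.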
For more information, please refer to these articles:
Critical crypto bug in OpenSSL opens two-thirds of the Web to eavesdropping
Critical crypto bug exposes Yahoo Mail, other passwords Russian roulette-style
To find out more and how to protect your devices, visit:
http://portalgb.knowledgebase.net/article.aspx?article=314301&p=4739
TeleFlex Networks
1510 Primewest Parkway | Suite 800
Katy, TX 77449