Heartbleed


Heartbleed (CVE-2014-0160) is a bug that was recently detected in OpenSSL’s implementation of the TLS/DTLS heartbeat extension.  The bug allows an attacker to expose the memory contents of the server to the client, and vice versa.

OpenSSL is a library that is used by many applications and Internet sites to provide cryptographic services.  It is used by VPNs, websites, and even some applications.

In a worst case scenario, it could be possible for a site’s private cryptographic key to be exposed to an attacker.  The attacker could then utilize this key to perform a man-in-the-middle attack (effectively the attacker could pose as the site and trick users into communicating confidential information to the attacker rather than the intended recipient).  For a simple illustration of how the exploit works, have a look at this web comic by xkcd.

Because exploiting the bug does not leave any trace, there is no way of knowing which sites, if any, have been compromised.  As such, the general recommendation to end users is to change all of your passwords immediately.

Password management website LastPass has put together a tool you can use to check if your favorite site was affected by Heartbleed.  You can access it here.

Businesses that run secure websites and/or VPNs should examine their systems and determine if it is necessary to reissue cryptographic keys.  Affected versions of OpenSSL are as follows:

OpenSSL 1.0.1 through 1.0.1f are vulnerable.
OpenSSL 1.0.1g is NOT vulnerable.
OpenSSL 1.0.0 and earlier are NOT vulnerable.
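As an added example (not part of the original post), the version ranges above can be applied to the banner printed by `openssl version` to triage a host.  The function names and the sample banners are constructed for this illustration; the 1.0.2 branch is not covered by the list above, so the check reports it as unknown rather than guessing.

```python
import re

# Matches the leading part of `openssl version` output, e.g. "OpenSSL 1.0.1e 11 Feb 2013"
# (sample banner constructed for this example).
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Parse an OpenSSL version banner into (major, minor, fix, letter).

    Returns None when the banner is not recognised.
    """
    m = VERSION_RE.search(banner)
    if m is None:
        return None
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)


def is_heartbleed_vulnerable(banner):
    """Classify a banner against the ranges listed in the post.

    True  -> 1.0.1 through 1.0.1f (vulnerable)
    False -> 1.0.1g and later on the 1.0.1 branch, or 1.0.0 and earlier
    None  -> a branch the post does not list (e.g. 1.0.2), so no verdict
    """
    parsed = parse_openssl_version(banner)
    if parsed is None:
        raise ValueError("unrecognised OpenSSL version banner: %r" % banner)
    major, minor, fix, letter = parsed
    branch = (major, minor, fix)
    if branch < (1, 0, 1):
        # 1.0.0 and earlier never shipped the affected heartbeat code
        return False
    if branch == (1, 0, 1):
        # No letter means plain 1.0.1; letters a..f are still vulnerable, g fixed it
        return letter < "g"
    return None


if __name__ == "__main__":
    for sample in ("OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014",
                   "OpenSSL 1.0.0l 6 Jan 2014"):
        print(sample, "->", is_heartbleed_vulnerable(sample))
```

The upstream letter is only a first pass: several Linux distributions backport security fixes without changing the reported version, so a host showing 1.0.1e may already be patched; confirm against the distribution's package changelog before reissuing keys.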

If you are concerned whether your systems are affected by this bug, please contact us for a consultation and we can advise you on what steps your business needs to take.