A two-year-old vulnerability in OpenSSL, the default cryptographic library used by many software applications (including web servers, operating systems, email clients, and instant-messaging clients), has been discovered. This vulnerability could make it possible for external parties to read server memory and harvest data including private encryption keys, passwords, and other credentials.
If you are hosting a web server that uses a vulnerable version of OpenSSL (which includes most Linux distributions), it is recommended that you:
* Patch the OpenSSL vulnerability
* Revoke and re-issue TLS certificates
* Change any credentials that could have been compromised
* Enable Perfect Forward Secrecy (PFS) if possible
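The four steps above are easier to audit when the checks are scripted. The following POSIX shell snippet is an added example, not code from the original advisory or from Redspin: it classifies an `openssl version` string against the upstream release range affected by the heartbeat bug (1.0.1 through 1.0.1f, plus 1.0.2-beta1; 1.0.1g and the 0.9.8 and 1.0.0 branches are unaffected) and checks whether a colon-separated cipher list puts a forward-secret (ECDHE/DHE) suite first, as the PFS step asks. The sample version strings and cipher lists at the bottom are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original advisory): helper checks for the
# remediation steps listed above. Runs offline on constructed sample input.

# Reduce "OpenSSL 1.0.1e 11 Feb 2013" (or a bare "1.0.1e") to the version token.
openssl_version_number() {
    v=${1#OpenSSL }
    printf '%s\n' "${v%% *}"
}

# Return 0 (true) when the upstream version is in the affected range.
# Caveat: distributions backport fixes without changing the version string,
# so a "1.0.1e" package built after the fix may already be patched. Confirm
# with the package changelog or a heartbeat test of your own hosts.
openssl_version_vulnerable() {
    case "$(openssl_version_number "$1")" in
        1.0.1|1.0.1[a-f]) return 0 ;;   # 1.0.1 base release and 1.0.1a..f
        1.0.2-beta1)      return 0 ;;   # first 1.0.2 beta shipped the bug too
        *)                return 1 ;;   # 1.0.1g+, 1.0.0, 0.9.8, 1.0.2-beta2+
    esac
}

# Human-readable verdict for reporting.
heartbleed_status() {
    if openssl_version_vulnerable "$1"; then
        echo affected
    else
        echo not-affected
    fi
}

# PFS check: the first suite in a server's cipher list should be an
# ephemeral-key (ECDHE- or DHE-) suite, otherwise clients that accept the
# first mutually supported suite will negotiate a non-forward-secret one.
cipher_list_prefers_pfs() {
    first=${1%%:*}
    case "$first" in
        ECDHE-*|DHE-*) return 0 ;;
        *)             return 1 ;;
    esac
}

# Demonstration on constructed input (replace with `openssl version` output
# and your web server's configured cipher string).
for sample in 'OpenSSL 1.0.1e 11 Feb 2013' 'OpenSSL 1.0.1g 7 Apr 2014' \
              'OpenSSL 1.0.0l 6 Jan 2014'; do
    printf '%-28s %s\n' "$sample" "$(heartbleed_status "$sample")"
done
for list in 'ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA' 'AES128-SHA:ECDHE-RSA-AES128-SHA'; do
    if cipher_list_prefers_pfs "$list"; then
        echo "PFS first: $list"
    else
        echo "PFS NOT first: $list"
    fi
done
```

The version match is deliberately conservative: a patched distribution build will still be reported as affected, which is the safer direction for a triage script, and should be resolved by checking the package changelog rather than by relaxing the pattern.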
As always, it is highly recommended that all software be kept up to date with the latest patch version, where possible.
Redspin will continue to analyze this attack vector and, where possible, will identify specific methods to block it. You can test the exposure of your externally-facing web servers at http://filippo.io/Heartbleed/ (note: the site is quite busy and may produce false negatives under server load).
Further details on the vulnerability may be found at heartbleed.com.