A critical vulnerability has been identified in OpenSSL versions 1.0.1 through 1.0.1f (CVE-2014-0160); it is well explained on the Heartbleed website (see also "Exploiting the HeartBleed vulnerability"). Basically, an attacker can exploit this vulnerability to read up to 64 KB of the server's memory and carry out a range of attacks:
- Read SSL private keys (and use them to decrypt past, present and future encrypted traffic)
- Retrieve clear-text usernames and passwords
- Access source code
There are many resources available online that explain how the bug works and how to fix it (upgrade to OpenSSL version 1.0.1g or newer), as described on the OpenSSL website:
- Upgrade to OpenSSL 1.0.1g
- Regenerate your private keys and treat the old ones as compromised
- Replace SSL certificates
- If possible, move to Perfect Forward Secrecy (PFS)
How can I test if my systems are vulnerable?
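A first, purely local check is to classify the installed OpenSSL build against the affected range above. The following is an added example written for this post, not code from the original article or from the OpenSSL project; it assumes an `openssl` binary on the PATH and that its `openssl version` banner uses the upstream `MAJOR.MINOR.FIX[letter]` form.

```python
import re
import subprocess

# Heartbleed (CVE-2014-0160) affects OpenSSL 1.0.1 through 1.0.1f; 1.0.1g is the fix.
# 0.9.8 and 1.0.0 never contained the TLS heartbeat extension code.
FIXED_LETTER = "g"

# Matches banners such as "OpenSSL 1.0.1e-fips 11 Feb 2013" or "OpenSSL 1.0.1g 7 Apr 2014".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Parse an `openssl version` banner into (major, minor, fix, letter).

    Returns None when the banner does not look like an OpenSSL version string.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix, letter = m.groups()
    return int(major), int(minor), int(fix), letter


def is_heartbleed_version(banner):
    """True if the version string lies in the 1.0.1 .. 1.0.1f range.

    Caveat: the version string alone is not conclusive. Distributions backport
    the fix while keeping the upstream version number (a patched 1.0.1e still
    reports "1.0.1e"), and a build compiled with -DOPENSSL_NO_HEARTBEATS is not
    affected either. Treat True as "investigate", not as proof of exposure.
    """
    parsed = parse_openssl_version(banner)
    if parsed is None:
        raise ValueError("not an OpenSSL version string: %r" % banner)
    major, minor, fix, letter = parsed
    if (major, minor, fix) != (1, 0, 1):
        return False
    # Plain 1.0.1 and letters a..f are affected; g and later carry the fix.
    return letter == "" or letter < FIXED_LETTER


def check_local_openssl():
    """Run the local `openssl version` binary and classify its banner."""
    banner = subprocess.check_output(["openssl", "version"]).decode().strip()
    return banner, is_heartbleed_version(banner)


if __name__ == "__main__":
    banner, affected = check_local_openssl()
    print(banner, "-> in affected range" if affected else "-> not in affected range")
```

Because of distribution backports, confirm a positive result with your package manager's changelog or a network-level test before treating a host as exposed.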