OpenSSL 安全漏洞 (CVE-2014-0160)

CVE-2014-0160,又稱 Heartbleed Bug,是 OpenSSL 在 TLS 與 DTLS 協定裡的 Heartbeat Extension (RFC 6520) 的錯誤實作。

OpenSSL 官方的 security advisory 在這:「OpenSSL Security Advisory [07 Apr 2014]」,影響的範圍是:

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1.

實務上爆炸的程度則是:

A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server.

比較有描述性的說明可以參考「The Heartbleed Bug」這個站的敘述:

We have tested some of our own services from attacker's perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.

由於 untraceable,這代表我們必須假設所有受影響機器上的 SSL private key 都已經被洩漏出去了,所有的 key 都必須 revoke 並且重新產生 (& 重新簽)。這兩天讓所有 SA 爆炸的超大新聞...

One thought on “OpenSSL 安全漏洞 (CVE-2014-0160)”

Leave a Reply

Your email address will not be published. Required fields are marked *