
OpenSSL found to contain a serious bug

Time: 2014-04-23

Source: Internet

http://heartbleed.com/
The OpenSSL library has a bug that went undisclosed for two years; it lets an attacker obtain SSL encryption keys, login IDs, passwords and more.

The impact this time is huge: Apache, Nginx servers, VPN connections and other services may largely be affected, and the patch was only released yesterday, 2014-04-07.

Anyone who runs a server should follow developments closely and update their server.

Author: MikamiTomoya   Posted: 2014-04-23

1. OpenSSL has nothing to do with personal computer security. This bug exploit, "Heartbleed", has existed for a long time but was unknown. Hackers can use this bug exploit to break into servers running OpenSSL and steal stored customer data.
Quote:
The bug, dubbed “Heartbleed,” allows a hacker to easily trick a server running OpenSSL into revealing decryption keys stored on a server’s memory.
Quote:
“Your popular social site, your company's site, commerce site, hobby site, site you install software from or even sites run by your government might be using vulnerable OpenSSL,” warned Codenomicon, the cybersecurity firm that found and published information about Heartbleed on Monday night.
The good news is that OpenSSL released an emergency patch on 7/4 to fix this vulnerability.
The good news is that OpenSSL released an emergency patch to protect against Heartbleed.
Quote: OpenSSL Security Advisory [07 Apr 2014]
========================================

TLS heartbeat read overrun (CVE-2014-0160)
==========================================

A missing bounds check in the handling of the TLS heartbeat extension can be
used to reveal up to 64k of memory to a connected client or server.

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including
1.0.1f and 1.0.2-beta1.

Thanks for Neel Mehta of Google Security for discovering this bug and to
Adam Langley and Bodo Moeller for
preparing the fix.

Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately
upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

1.0.2 will be fixed in 1.0.2-beta2.
Even more encouraging good news is that so far there has been no information showing that hackers have ever used Heartbleed to do anything illegal:
(Maybe not even the hackers have discovered this bug exploit.)
So far, Codenomicon has no information on whether the Heartbleed exploitation has been used by malicious hackers.

Author: KRally   Posted: 2014-04-23
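The advisory quoted above says the flaw was a missing bounds check in heartbeat handling. The following is an added example, not OpenSSL's own code, showing the shape of that check as the 1.0.1g fix added it: a heartbeat record carries a 1-byte type, a 2-byte claimed payload length, the payload and at least 16 bytes of padding, and the claimed length must fit inside the bytes actually received before anything is echoed back. Function and constant names are assumptions for this demo.

```c
/* Added example (not OpenSSL's code): the length check that OpenSSL 1.0.1g
 * added to heartbeat processing, modelled on the TLS heartbeat record layout:
 * 1-byte type, 2-byte payload length, payload, >= 16 bytes of padding. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HB_PADDING 16
#define HB_REQUEST 1

/* Returns the number of payload bytes that may safely be echoed back, or -1
 * if the claimed payload length does not fit inside the received record.
 * Before the fix the claimed length was trusted, so the copy read past the
 * end of the record into adjacent heap memory (CVE-2014-0160). */
int heartbeat_payload_len(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < 1 + 2 + HB_PADDING)   /* too short for header plus padding */
        return -1;
    if (rec[0] != HB_REQUEST)
        return -1;
    unsigned payload = ((unsigned)rec[1] << 8) | rec[2];   /* n2s() in OpenSSL */
    /* The 1.0.1g check: header + claimed payload + minimum padding must fit. */
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len)
        return -1;
    return (int)payload;
}

/* Builds a heartbeat response by echoing the payload only when the length
 * check passes. Returns bytes written, or -1 when the record is rejected. */
int heartbeat_respond(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_len)
{
    int payload = heartbeat_payload_len(rec, rec_len);
    if (payload < 0) return -1;
    if (out_len < 1 + 2 + (size_t)payload + HB_PADDING) return -1;
    out[0] = 2;                                   /* heartbeat_response */
    out[1] = (uint8_t)(payload >> 8); out[2] = (uint8_t)payload;
    memcpy(out + 3, rec + 3, (size_t)payload);    /* bounded by the check above */
    memset(out + 3 + payload, 0, HB_PADDING);     /* real padding is random */
    return 3 + payload + HB_PADDING;
}

int main(void)
{
    /* Constructed records: same 23 bytes on the wire, different claimed lengths. */
    uint8_t honest[23] = {1, 0x00, 0x04, 'p', 'i', 'n', 'g'};
    uint8_t lying[23]  = {1, 0xff, 0xff, 'p', 'i', 'n', 'g'};
    printf("honest: %d\n", heartbeat_payload_len(honest, sizeof honest));  /* 4 */
    printf("lying:  %d\n", heartbeat_payload_len(lying, sizeof lying));    /* -1 */
    return 0;
}
```

The second record claims 65535 payload bytes while only 23 bytes arrived; the checked handler rejects it instead of copying from beyond the record, which is exactly the "up to 64k of memory" the advisory describes being protected.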

Quote: Original post by KRally on 2014-4-10 11:37 AM
Even more encouraging good news is that so far there has been no information showing that hackers have ever used Heartbleed to do anything illegal
Read carefully: that is only because a hack leaves no trace (hence "no information"); it is not any kind of "good news". Updates are needed, but because the impact is so broad it takes time to spread this news and get server admins and Linux distro maintainers to update.

Author: MikamiTomoya   Posted: 2014-04-23

Quote: Original post by MikamiTomoya on 2014-4-10 11:57 AM

Read carefully: that is only because a hack leaves no trace (hence "no information"); it is not any kind of "good news". Updates are needed, but because the impact is so broad it takes time to spread this news and get server admins and Linux distro maintainers to update.
It's none of my concern!
I'm just a passer-by on this forum, reporting and discussing what has been reported; I'm not one to worry about the world's troubles before everyone else does.

Author: KRally   Posted: 2014-04-23

Author: MikamiTomoya   Posted: 2014-04-23