April 14, 2014

HeartBleed – OpenSSL Issue

There has been a lot of media coverage of the HeartBleed issue in the last week. We have received many questions about it, so we want to try to explain the issue and how it works in plain English.

Essentially, this issue relies on a very old and well-used scam. Think of it in the sense of going to a bar counter, ordering drinks and paying for the round with a €20 note. When the barman returns with your change, you tell him you gave him a €50 and swear blind to it, so he then gives you the change from €50. You got back more than you should have.

With HeartBleed, it's kinda similar. In very simple form, you tell the server a word and how many letters it contains, and it gives that word back to you. But if you send it a 4-letter word and say that the word contains 500 letters, it gives you back an answer starting with your 4 letters and then keeps reading to make up the missing letters, and sends those to you as well. This extra information comes from memory the server is currently using: it could contain information relating to another session (someone else logging in), or it could be useless.

But if you just keep repeating the request, you are bound to hit something sensitive at some stage.
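To show the mistake in code terms, here is an added illustration (our own simplified model, not OpenSSL's source) of a heartbeat handler with and without the length check. The request carries a declared payload length in its header; the vulnerable handler echoes that many bytes without checking it against the length of the record that actually arrived, while the fixed handler drops any request whose header, declared length and minimum padding add up to more than was received, which is the check the patch added. Server memory is simulated by a fixed array, and the "leftover" string placed after the request is constructed for the demonstration.

```c
/* Added illustration of the Heartbleed bounds-check bug; a simplified model,
 * not OpenSSL's own code. "Server memory" is a fixed array so the program
 * itself never reads past its own buffers. */
#include <stdint.h>
#include <string.h>

#define HB_HEADER   3    /* 1 byte type + 2 bytes declared payload length */
#define HB_PADDING  16   /* minimum padding every heartbeat record carries */
#define MEM_SIZE    256  /* size of the simulated server memory region */

/* Constructed data standing in for whatever else the process held in memory. */
static const char LEFTOVER[] = "session_cookie=SECRET1234";

static unsigned char server_mem[MEM_SIZE];

/* Place a heartbeat request at the start of server_mem and the constructed
 * leftover data right after it. Returns the record length really received. */
static size_t build_request(const char *payload, uint16_t claimed_len)
{
    size_t real = strlen(payload);
    memset(server_mem, 0, sizeof server_mem);
    server_mem[0] = 1;                                   /* type: request */
    server_mem[1] = (unsigned char)(claimed_len >> 8);   /* declared length */
    server_mem[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(server_mem + HB_HEADER, payload, real);
    memset(server_mem + HB_HEADER + real, 0xAA, HB_PADDING);
    size_t record_len = HB_HEADER + real + HB_PADDING;
    memcpy(server_mem + record_len, LEFTOVER, sizeof LEFTOVER - 1);
    return record_len;
}

static uint16_t declared_len(void)
{
    return (uint16_t)((server_mem[1] << 8) | server_mem[2]);
}

/* Vulnerable handler: echoes as many bytes as the client *declared*, never
 * comparing that against how long the record really was. (Clamped to the
 * simulated memory only so this demo stays within its own array.) */
static size_t heartbeat_vulnerable(size_t record_len, unsigned char *out, size_t cap)
{
    (void)record_len;                       /* never consulted: that is the bug */
    size_t n = declared_len();
    if (n > MEM_SIZE - HB_HEADER) n = MEM_SIZE - HB_HEADER;
    if (n > cap) n = cap;
    memcpy(out, server_mem + HB_HEADER, n);
    return n;
}

/* Fixed handler: the check the patch added. If header + declared length +
 * minimum padding exceeds what was actually received, drop the message. */
static size_t heartbeat_fixed(size_t record_len, unsigned char *out, size_t cap)
{
    if (record_len < HB_HEADER + HB_PADDING) return 0;      /* no room for a header */
    size_t n = declared_len();
    if (HB_HEADER + n + HB_PADDING > record_len) return 0;  /* declared length lies */
    if (n > cap) n = cap;
    memcpy(out, server_mem + HB_HEADER, n);
    return n;
}

/* Run one request through either handler and report how many reply bytes
 * were never part of the client's record, i.e. were read from other memory. */
size_t leaked_bytes(const char *payload, uint16_t claimed_len, int use_fixed)
{
    unsigned char reply[MEM_SIZE];
    size_t rec = build_request(payload, claimed_len);
    size_t n = use_fixed ? heartbeat_fixed(rec, reply, sizeof reply)
                         : heartbeat_vulnerable(rec, reply, sizeof reply);
    size_t sent = rec - HB_HEADER;          /* payload + padding really sent */
    return n > sent ? n - sent : 0;
}

/* 1 if the reply contains the constructed leftover string, else 0. */
int leftover_visible(const char *payload, uint16_t claimed_len, int use_fixed)
{
    unsigned char reply[MEM_SIZE + 1];
    size_t rec = build_request(payload, claimed_len);
    size_t n = use_fixed ? heartbeat_fixed(rec, reply, MEM_SIZE)
                         : heartbeat_vulnerable(rec, reply, MEM_SIZE);
    reply[n] = '\0';                        /* payload and padding hold no NUL */
    return strstr((const char *)reply, LEFTOVER) != NULL;
}
```

Sending the 4-letter word "bird" with a declared length of 500 makes the vulnerable handler return 233 bytes that were never in the request, including the constructed "session_cookie" string; the fixed handler returns nothing for that request but still answers an honest one (declared length 4) normally.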

We updated any of our servers that were affected by the issue with the patched version of openssl, so our customers can rest assured they are not susceptible to scans.

If you have a Dedicated or Virtual Server with Elive™ that is not covered under a support maintenance contract, we recommend you log in immediately, check if you have the issue, and update if needed.

On CentOS 5, there is no issue if you are using openssl 0.9.x.
On CentOS 6, make sure you have openssl-1.0.1e-16.el6_5.7 or v1.0.1g.

More information can be found at http://heartbleed.com