What is Heartbleed? A coding error that caused a security crisis

Josh Fruhlinger | Sept. 14, 2017
The mistake that caused the Heartbleed vulnerability can be traced to a single line of code in OpenSSL, an open source code library. Here's how Heartbleed works, how it was exploited, and how to fix it if you have an unpatched server.

The way to fix the Heartbleed vulnerability is to upgrade to the latest version of OpenSSL. You can find links to all the latest code on the OpenSSL website.

If you're curious about the code that implements the fix, you can look at it — after all, OpenSSL is open source:

    /* Read type and payload length first */
    if (1 + 2 + 16 > s->s3->rrec.length)
        return 0; /* silently discard */
    hbtype = *p++;
    n2s(p, payload);
    if (1 + 2 + payload + 16 > s->s3->rrec.length)
        return 0; /* silently discard per RFC 6520 sec. 4 */
    pl = p;

The first check makes sure that the heartbeat request isn't 0 KB (too short to even hold its type, length and padding), which can cause problems. The second check makes sure the request is actually as long as it says it is, so the claimed payload length can no longer exceed the bytes that were really received.
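To show what the two checks buy you, here is an added example (not code from the article or from OpenSSL) that reimplements the pre-fix and post-fix length logic as standalone C functions over constructed heartbeat records; `read_u16` stands in for OpenSSL's `n2s()` macro and the 16-byte minimum padding is the constant used in the checks above.

```c
#include <stddef.h>
#include <stdio.h>

#define HB_MIN_PADDING 16   /* RFC 6520: at least 16 bytes of random padding */

/* Big-endian 16-bit read; assumed equivalent to OpenSSL's n2s() for this purpose. */
static size_t read_u16(const unsigned char *p) {
    return ((size_t)p[0] << 8) | (size_t)p[1];
}

/* Pre-fix behaviour: the claimed payload length is trusted as the number of bytes
 * to echo back and is never compared with the bytes actually received.
 * Returns that claimed count, i.e. how much memory the response would copy. */
size_t heartbeat_unchecked_copy_len(const unsigned char *rec, size_t rec_len) {
    (void)rec_len;                      /* the old code never consulted this */
    return read_u16(rec + 1);           /* byte 0 is the type, bytes 1-2 the length */
}

/* Patched behaviour mirroring the two checks quoted above.
 * Returns the payload length if the record is well-formed, or -1 to silently discard it. */
long heartbeat_checked(const unsigned char *rec, size_t rec_len) {
    if (1 + 2 + HB_MIN_PADDING > rec_len)           /* room for type, length and padding? */
        return -1;
    size_t payload = read_u16(rec + 1);
    if (1 + 2 + payload + HB_MIN_PADDING > rec_len) /* is it as long as it claims? */
        return -1;
    return (long)payload;
}

/* Constructed sample records, not captured traffic. Layout: type | len_hi len_lo | payload | 16 pad. */
static const unsigned char good_rec[] = { 1, 0x00, 0x03, 'a', 'b', 'c',
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };
/* Claims 16384 payload bytes but carries one: the record shape behind Heartbleed. */
static const unsigned char bad_rec[] = { 1, 0x40, 0x00, 'a',
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };
/* Too short to hold even the header plus padding; tripped by the first check. */
static const unsigned char short_rec[] = { 1, 0x00, 0x00 };

int main(void) {
    printf("unchecked would copy %zu of %zu received bytes\n",
           heartbeat_unchecked_copy_len(bad_rec, sizeof bad_rec), sizeof bad_rec);
    printf("checked: good=%ld bad=%ld short=%ld\n",
           heartbeat_checked(good_rec, sizeof good_rec),
           heartbeat_checked(bad_rec, sizeof bad_rec),
           heartbeat_checked(short_rec, sizeof short_rec));
    return 0;
}
```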

If you discover that a server under your control has been left vulnerable for some time, there's more to do than just update the OpenSSL code. For instance, you should change the SSL certificates used by the servers, since they may have been compromised without leaving a trace. More pedestrian but still important: users who have accounts on the system should change their passwords.
