Heartbleed Bug Security Update
On April 7th 2014, a major security flaw known as the "Heartbleed Bug" was announced worldwide. The bug affects the widely used TLS encryption software known as "openSSL". The Heartbleed bug gains access into the memory of secured systems, allowing intruders to gain access to sensitive data including passwords or private keys to the SSL certificates used to secure a system. This bug affects a wide range of systems and is a major concern for anyone, or organization, using SSL encrypted connections. HEXONET would like to assure our clients and partners, as well as provide information on how to check for the bug on your own systems.
After a full review and audit, HEXONET can assure our clients and partners that the secure connections for our system were never affected by the Heartbleed Bug.
Checking Your Own Systems:
If you are using SSL certificates to protect your services, you should immediately check if your systems are affected:
- Check your openSSL version: the openSSL versions affected by this bug are 1.0.1 to 1.0.1f and 1.02-beta. With 1.0.1g the bug has been fixed.
- You can test your system by visiting this link: https://filippo.io/Heartbleed/
- Alternatively, you can test your system from the command line by using this command: openssl s_client -connect example.com:443 -tlsextdebug 2>&1| grep server extension "heartbeat" (id=15)' || echo safe
How to Resolve Affected Systems:
- Update your openSSL libraries to at least 1.0.1g (please note that depending on your OS version the openSSL library version to fix the bug may be different. The build date be after April 7th, 2014).
- Restart any services depending on the upgraded openSSL libraries.
- Check your system for vulnerability one more time to check if it is safe now.
- Revoke your current certificates since they might have been compromised and can be used for man-in-the-middle-attacks.
- Reissue your certificates with newly created private keys and CSRs.
- Roll out the new certificates and again restart your services.
- Change sensitive passwords and advise your customers to do so accordingly.