OpenSSL Severe Vulnerability in TLS Heartbeat Extension (CVE-2014-0160)

There is a severe vulnerability in OpenSSL’s implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (RFC6520). This a serious vulnerability which has been assigned the CVE identifier CVE-2014-0160.

Exploitation may lead to disclosure of memory contents from the server to the client and from the client to the server. An attacker can remotely retrieve sensitive data from memory, including, but not limited to secret keys used for SSL encryption and authentication tokens.

For more information on the attacks see heartbleed.com.

How is Ruby affected?

Ruby is affected when statically compiled against a vulnerable version of OpenSSL through the standard library OpenSSL C extension.

OpenSSL versions 1.0.1 through 1.0.1f (inclusive) are vulnerable to this attack. To verify which version of the OpenSSL library you link to Ruby, use the following:

ruby -v -ropenssl -rfiddle -e 'puts Fiddle::Function.new(Fiddle.dlopen(nil)["SSLeay_version"], [Fiddle::TYPE_INT], Fiddle::TYPE_VOIDP).call(0)'

To verify the version of OpenSSL currently installed with Ruby, use the following:

ruby -ropenssl -e 'puts OpenSSL::OPENSSL_VERSION'

You can verify if your client software or a running service are vulnerable by using emboss’s script.

Solutions

To upgrade to the latest version of OpenSSL version 1.0.1g or newer, you should check with your current operating system package manager to ensure they provide an up-to-date OpenSSL. You may need to consult with your operating system distributor to verify their version of OpenSSL is patched, regardless of the version number available.

If upgrade is not an option, recompile a patched OpenSSL with the option -DOPENSSL_NO_HEARTBEATS at build time.

With an upgraded OpenSSL, it’s recommended to recompile Ruby to ensure there are no links to a vulnerable version of OpenSSL.

This means updating any tools used to build Ruby such as RVM or ruby-build. If you build Ruby yourself, use the --with-openssl-dir option at compile time to link an upgraded OpenSSL install directory.

$ ./configure --with-openssl-dir=/path/to/openssl
$ make
$ make install

After upgrading OpenSSL and Ruby, it’s important to restart all programs using the vulnerable version.

Many operating system distributions already provide (or will soon be providing) patched versions and rebuilt packages for libraries vulnerable to this attack. It’s important to monitor your operating system distributor to ensure you remain secure.