This new bug, Heartbleed, allows an attacker to read system memory remotely, without authentication. It has been reported that 60-70% of the Internet is affected. Immediate action should be taken to identify vulnerable systems within your environment and take the necessary steps to mitigate the risk associated with this critical vulnerability.
An attacker is able to exploit this vulnerability to read system memory, which can include confidential and/or sensitive data such as usernames and passwords, crypto keys, customer data, etc. Our engineers have successfully exploited this vulnerability within our testing environment, and exploit code is already publicly available.
We will be posting a tool this week that will allow large organizations to scan their systems without using untrusted third-party scripts. Unlike the verification services available on the Internet today, which offer one-off verification of a single hostname, our tool is designed to provide full verification coverage for the Heartbleed bug across your entire environment.
Update: We released the Heartbleed exploit code. Review our simple mobile banking exploit example or request your copy of the Heartbleed exploit code.
It is important to verify that updating OpenSSL has fully resolved the issue. Services that loaded the old library may need to be restarted, which is easily missed by ops teams. Therefore, scanning the environment both before and after systems have been patched is the preferred approach to ensure the issue has been properly resolved.
It is critical that you upgrade OpenSSL to the latest version. Note that services based on SSL may need to be restarted for the fix to take effect.
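The two checks above (is the installed OpenSSL in the affected range, and is any running service still using a library that was replaced on disk) can be automated on a Linux host. The following is an added example written for this post, not the scanning tool announced above; it assumes Linux, where `/proc/<pid>/maps` marks a mapped file that has since been replaced with `(deleted)`, and the sample banner and map lines embedded in it are constructed.

```python
"""Post-patch checks for Heartbleed on a Linux host: upstream-version triage
and detection of services still holding a replaced libssl/libcrypto.
Added example; the sample data below is constructed, not captured."""
import os
import re
from typing import Dict, List, Optional, Tuple

# Upstream versions known to carry the vulnerable heartbeat handling:
# 1.0.1 through 1.0.1f, plus 1.0.2-beta1. 1.0.1g and 1.0.2-beta2 are fixed;
# 1.0.0 and 0.9.8 never shipped the heartbeat extension.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")

# One line of /proc/<pid>/maps: address perms offset dev inode [path [(deleted)]]
_MAPS_RE = re.compile(
    r"^\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(?P<path>/\S+)(?P<deleted>\s+\(deleted\))?\s*$"
)


def parse_openssl_version(banner: str) -> Optional[Tuple[int, int, int, str, Optional[int]]]:
    """Parse 'openssl version' output into (major, minor, patch, letter, beta)."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter, beta = m.groups()
    return (int(major), int(minor), int(patch), letter, int(beta) if beta else None)


def version_is_vulnerable(banner: str) -> Optional[bool]:
    """Triage by upstream version string; None if the banner is unparseable.

    Caveat: distributions backport the fix without bumping the upstream
    letter (a patched build can still print 1.0.1e), so True means
    "scan the live service", not "confirmed vulnerable"."""
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return None
    major, minor, patch, letter, beta = parsed
    if (major, minor, patch) == (1, 0, 1):
        return letter == "" or letter <= "f"
    if (major, minor, patch) == (1, 0, 2):
        return beta == 1
    return False


def stale_ssl_libraries(maps_text: str) -> List[str]:
    """Return libssl/libcrypto paths a process mapped before they were replaced
    on disk. Such a process still runs the old code until it is restarted."""
    stale: List[str] = []
    for line in maps_text.splitlines():
        m = _MAPS_RE.match(line)
        if not m or not m.group("deleted"):
            continue
        path = m.group("path")
        if os.path.basename(path).startswith(("libssl", "libcrypto")) and path not in stale:
            stale.append(path)
    return stale


def processes_needing_restart(proc_root: str = "/proc") -> Dict[int, List[str]]:
    """Walk /proc and report each pid still holding a replaced OpenSSL library.
    Run as root for full coverage; unreadable or vanished processes are skipped."""
    result: Dict[int, List[str]] = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps")) as fh:
                stale = stale_ssl_libraries(fh.read())
        except OSError:
            continue
        if stale:
            result[int(entry)] = stale
    return result


# Constructed sample data: an unpatched banner and a maps excerpt from a
# daemon that kept the pre-upgrade libssl open (libc is also stale, but that
# is out of scope for this check).
SAMPLE_BANNER = "OpenSSL 1.0.1e 11 Feb 2013"
SAMPLE_MAPS = """\
7f3a1b000000-7f3a1b1c2000 r-xp 00000000 08:01 131234 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a1b1c2000-7f3a1b3c2000 ---p 001c2000 08:01 131234 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a1b400000-7f3a1b5c0000 r-xp 00000000 08:01 131240 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
7f3a1c000000-7f3a1c021000 rw-p 00000000 00:00 0
7f3a1c021000-7f3a1c022000 r--p 00000000 08:01 9042 /lib/x86_64-linux-gnu/libc-2.19.so (deleted)
"""

if __name__ == "__main__":
    print("banner vulnerable by version:", version_is_vulnerable(SAMPLE_BANNER))
    print("stale OpenSSL libraries in sample:", stale_ssl_libraries(SAMPLE_MAPS))
    if os.path.isdir("/proc"):
        for pid, libs in sorted(processes_needing_restart().items()):
            print(f"pid {pid} needs restart: {', '.join(libs)}")
```

The version check is deliberately a triage step, not a verdict: a vendor-patched build can keep the old upstream letter, which is exactly why the post recommends scanning the live service before and after patching. The maps check catches the other common failure, a service that was never restarted after the package upgrade and so still executes the replaced library.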
Additionally, you should consider the following steps: