TL;DR: Run, as in now, before you finish reading this, to update vulnerable OpenSSL packages. Restart your OpenSSL using services (ssh, https, openvpn). Then nuke your keys, and start all over again.
Yeah, its that bad.
I had hoped, incorrectly, that no one would start asking, “hey, can we exploit this in the wild?” any time soon.
Unfortunately … exploits are live and out there. Have a look at this session hijacking done using the bug.
Understand this leaves no trace, no fingerprints. Since the server memory, with primary key data (yes, the secret key used to encrypt bits) is completely vulnerable, and obtainable … yeah … this is not good.
Patch, restart services or machines, nuke your keys, hide your young and get your rifle ready. The barbarians are at the gates and are exploiting a weakness.
Viewed 106913 times by 7163 viewers