The hottest OpenSSL surprise vulnerability H3C was

OpenSSL startled vulnerabilities, H3C released the protection features for the first time

ctiforum April 11 news (Li Wenjie): on the evening of April 8, the internationally famous security protocol OpenSSL broke a major security vulnerability. Heartbl experimenters can complete the basic control eed (heart bleeding) vulnerability of the experimental machine. Through this vulnerability, hackers can easily obtain privacy information such as users and passwords, cheat users to visit phishing stations, and cause a large number of users' privacy data to be stolen

as a security protocol that provides security and data integrity for network communication, it is one of the most common encryption protocols in the industry. At present, it is widely used in many Internet services such as major banks, e-commerce stations, payment, e-mail services and so on. Such a wide range of applications of the protocol also makes the vulnerability exposed this time have a great impact on the daily business operations of the entire Internet users

the heartbeat option included in the OpenSSL protocol allows the computer at the end of the SSL connection to send a short message to confirm that the computer is still connected and get a reply. The vulnerability revealed this time allows hackers to send fake malicious heartbeat information to induce the computer at the other end of the connection to leak information and read 64K content in memory. Through pattern matching and sorting of these contents, hackers can find keys, passwords and many personal information. Among them, the theft of encryption key will directly cause hackers to disguise the server and induce users to divulge all account passwords and other sensitive information. Considering that the access of bar s based on HTTP is often a safe access in the eyes of users with a general level of pull testing machine, users are likely to send important information such as credit card information and personal privacy information to hackers unprepared, resulting in further heavy losses

after learning the vulnerability information, H3C quickly started the emergency response mechanism and took the following measures:

1. Test and verify the full range of its products to clarify the impact of the vulnerability on H3C's own products (including HTTPS based management login method and SSL VPN products): after strict testing and verification, all products under H3C are not affected by the vulnerability, and users do not need to make changes to the existing H3C products

2. The security attack and defense team immediately developed application layer protection features for this vulnerability, and released the feature upgrade version in the company's official IPS (intrusion prevention products) feature library special area on April 9 to provide protection capabilities for H3C IPS users at the first time. The updated version number of the feature library is sec-ips-r1.2 It stipulates that when residential buildings use class A and B1 external insulation materials, there is no need to set up isolation belts "which is a very rare material 276_ EN。