The US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), a part of the Deparment of Homeland Security, has warned that the first sightings of exploits seeking to take advantage of well-publicised security flaws in OpenSSL have appeared in the wild.
OpenSSL is an open-source security tool widely used to encrypt passwords when people log-in to a system. A flaw in the implementation of OpenSSL could allow the private key used in a Secure Sockets Layer (SSL) communication to be exposed. An attacker could then decrypt and read any secure data passed on the network link.
In a freshly revised alert, the organisation warned that there are already indications that exploits have emerged to take advantage of the security flaw.
"ICS-CERT is aware of a public report of a vulnerability with proof-of-concept (PoC) exploit code that could expose private SSL keys used in the OpenSSL implementation of secure communication," claims the advisory.
It continues: "According to this report, the vulnerability in OpenSSL Versions 1.0.1 through 1.0.1f contain a flaw in its implementation of the transport layer security/datagram transport layer security (TLS/DTLS) heartbeat functionality that could disclose private/encrypted information to an attacker.
Ironically, while the ICS-CERT, one part of the US government, is battling to minimise the fall-out from the security flaw, another part of the US government - the US National Security Agency, predictably enough - has covertly been exploiting the flaw for at least two years, according to reports out today.