Heartbleed Should Give You Cardiac Arrest

Wednesday, April 09, 2014

Tripwire Inc


When we look at concerning security issues, there are always considerations such as how long a vulnerability has existed before it’s been discovered, how pervasive it is or how likely it is to affect a large population of systems, processes, and users, and also how much damage it could do if exploited. If these are combined, you have the trifecta of grave concern in the security community on the “Heartbleed” vulnerability, publicly announced April 7, 2014.

How bad is it? Estimates are over 66% of active websites on the internet may be vulnerable to this bug, found in OpenSSL, an open source cryptographic library used in the Apache web server and ignx when creating communications with users. How much damage can it do if exploited? Think big. Think ‘keys to the kingdom’ big. And how do you know if you’ve been exploited? You don’t – assume you may have. This is definitely run don’t walk material for security professionals.

OpenSSL is used every day in apps, websites, government sites, and even used to  transmit encrypted data such as credit card information, passwords, user IDs, etc. This PPI may be leaked from server memory where it’s commonly stored for operations and unfortunately can be exploited through the Heartbleed bug, including security keys used for encryption and decryption of the information.

Furthermore OpenSSL is used to protect for example email servers (SMTP, POP and IMAP protocols), chat servers (XMPP protocol), virtual private networks (SSL VPNs), network appliances and wide variety of client side software.  OpenSSL is very popular in client software and somewhat popular in networked appliances which have most inertia in getting updates. Fortunately many large consumer sites could be saved by a conservative choice to use SSL/TLS termination equipment and software.

The exploit relies on a bug in the implementation of OpenSSL’s “heartbeat” feature, hence the “Heartbleed” name (CVE-2014-0160). Security researchers at the firm Codenomicon and Neel Mehta of Google security have discovered reported it to the OpenSSL team. Codenomicon has written an in-depth breakdown of their experience:

“We have tested some of our own services from attacker’s perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.”

Heartbleed is not just bad, it’s very, very bad. The bug has been in OpenSSL since December 2011, (OpenSSL versions 1.0.1 through 1.0.1f) – so it’s safe to assume that others have found it and it’s reasonable to assume that it has been exploited by the hacker community for some time. Even worse, it appears that exploiting this bug leaves no trace in the server’s logs. This means that there’s no easy way for a system administrator to know if their servers have been compromised; they just have to assume that they have been.

Here are a few examples of how this exploit could have been used in your environment:

  • An attacker can (and possibly already has been) accessing your site/server system’s memory (albeit in 64-byte chunks) and gathering the secret keys used to encrypt and decrypt communications. This means sensitive data would be read just like open text by an attacker – as if no encryption existed at all.
  • Once an attacker has the keys they can also mimic a secure website or server, and essentially overcome any browser-built security checks your system may have in place.
  • Once the attacker has the keys, they could gather petabytes of encrypted data and easily decrypt it.

Run, don’t walk, to get the information you may need for your environment. OpenSSL released an emergency patch for the bug along with a Security Advisory on April 7, 2014. You should consider applying this patch immediately if you’re using the Apache web server or ignx and OpenSSL. Refer towww.heartbleed.com for useful details you can use.

Fixed OpenSSL has been released and now it has to be deployed. Operating system vendors and distribution, appliance vendors, independent software vendors have to adopt the fix and notify their users. Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use.

This was cross-posted from Tripwire's The State of Security blog.

Breaches CVE DB Vulns US-CERT Privacy Vulnerabilities Webappsec->General
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.