HeartBleed Bug

- - posted in Technical | Tagged as openssl, security | Comments

Hey Guys,

Few days ago, A mother of all bugs in internet world was discovered, a new vulnerability CVE-2014-0160 was announced in OpenSSL 1.0.1.

An encryption flaw called the Heartbleed bug is already being called one of the biggest security threats the Internet has ever seen.

HeartBleed SVG image

As Bruce Schneier, a renowned security expert, said in a blog post on Wednesday:

“Heartbleed is a catastrophic bug … on a scale of one to 10, it is an 11.”

According the Heartbleed website dedicated for this bug:

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.




When an attacker can reach a vulnerable service he can abuse the TLS heartbeat extension to retrieve arbitrary chunks of memory by exploiting a missing bounds check. This can lead to disclosure of your private keys, resident session keys and other key material as well as all volatile memory contents of the server process like passwords, transmitted user data (e.g. web content) as well as other potentially confidential information.

An attacker can grab 64K of memory from a server. The attack leaves no trace, multiple times to grab a different random 64K of memory.
This means that anything in memory , like SSL private keys, user keys,passwords , anything is vulnerable.
And you have to assume that it is all compromised. All of it.



HeartBleed xkcd cartoon



After being out there in wild for almost around 2 years, The heartbleed bug was fixed by openssl community on 7th April 2014.

Users are encouraged who are running a server that uses OpenSSL to upgrade to version 1.0.1g to be protected from this vulnerability. For previous versions of OpenSSL, re-compiling with the OPENSSL_NO_HEARTBEATS flag enabled will protect against this vulnerability. OpenSSL 1.0.2 will be fixed in 1.0.2-beta2.

You must also assume that at least your used server keys are compromised and therefore must be replaced by newly generated ones. Simply renewing existing certificates is not sufficient! - Please generate NEW keys with at least 2048 bit RSA or stronger!



Here are a few tips and resources you may find helpful:

  • Ensure that you upgrade your system to a fixed OpenSSL version (1.0.1g or above).
  • You can also test your website to see if it’s vulnerable to attack – http://filippo.io/Heartbleed/ and http://possible.lv/tools/hb/
  • Only then create new keys for your certificates.
  • Revoke all certificates, which may be affected.
  • Check what services you have used that may have been affected within the last two years.
  • Wait until you think that those environments got fixed.
  • Then (and only then) change your credentials for those services. If you do it too early, i.e. before the sites got fixed, your data may be leaked, again. So be careful when you do this.
  • Mashable have compiled list of which websites and organizations are vulnerable – from banks to social media sites.


An (incomplete) list of commonly used software which include or link to OpenSSL can be found here.


Sources:

heartbleed.com
Test for vulverabilty and Test for vulverabilty - 2
What you need to know - FAQ attack-of-week-openssl-heartbleed
diagnosis-of-the-openssl-heartbleed-bug
A simple explanation at security.stackexchange.com, on how-exactly-does-the-openssl-tls-heartbeat-heartbleed-exploit-work
half-a-million-widely-trusted-websites-vulnerable-to-heartbleed-bug
critical-crypto-bug-exposes-yahoo-mail-passwords-russian-roulette-style
A renowned security expert, schneier Blog
Neel Mehta donates Heartbleed bounty to Freedom of the Press Foundation
Hacker News Thread
Sites which have patched the Bug