A fixed version of OpenSSL was released on April 7, 2014, at the same time as Heartbleed was publicly disclosed. At that time, some 17 percent (around half a million) of the Internet's secure web servers certified by trusted authorities were believed to be vulnerable to the attack, allowing theft of the servers' private keys and users' session cookies and passwords. The Electronic Frontier Foundation, Ars Technica, and Bruce Schneier all deemed the Heartbleed bug "catastrophic". Forbes cybersecurity columnist Joseph Steinberg wrote, "Some might argue that [Heartbleed] is the worst vulnerability found (at least in terms of its potential impact) since commercial traffic began to flow on the Internet."
A United Kingdom Cabinet spokesman recommended that "People should take advice on changing passwords from the websites they use... Most websites have corrected the bug and are best placed to advise what action, if any, people need to take." On the day of disclosure, the Tor Project advised anyone seeking "strong anonymity or privacy on the Internet" to "stay away from the Internet entirely for the next few days while things settle."
Heartbleed is registered in the Common Vulnerabilities and Exposures system as CVE-2014-0160. The federal Canadian Cyber Incident Response Centre issued a security bulletin advising system administrators about the bug.
History
Appearance
The Heartbeat Extension for the Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) protocols is a proposed standard specified by RFC 6520, published in February 2012. It provides a way to test and keep alive secure communication links without the need to renegotiate the connection each time.
In 2011, Robin Seggelmann, then a Ph.D. student at the University of Duisburg-Essen, implemented the Heartbeat Extension for OpenSSL. Following Seggelmann's request to put the result of his work into OpenSSL, his change was reviewed by Stephen N. Henson, one of OpenSSL's four core developers. Henson apparently failed to notice a bug in Seggelmann's implementation, and introduced the flawed code into OpenSSL's source code repository on December 31, 2011. The vulnerable code was adopted into widespread use with the release of OpenSSL version 1.0.1 on March 14, 2012. Heartbeat support was enabled by default, causing affected versions to be vulnerable by default.
Discovery
According to Mark J. Cox of OpenSSL, Neel Mehta of Google's security team reported Heartbleed on April 1, 2014. The bug entailed a severe memory handling error in the implementation of the Transport Layer Security Heartbeat Extension.This defect could be used to reveal up to 64 kilobytes of the application's memory with every heartbeat.
The bug was named by an engineer at the firm Codenomicon, a Finnish cybersecurity company, which also created the bleeding heart logo, and launched the domain Heartbleed.com to explain the bug to the public. According to Codenomicon, Neel Mehta first reported the bug to OpenSSL, but both Google and Codenomicon discovered it independently.Codenomicon reports April 3 as their date of discovery of the bug and as their date of notification of NCSC-FI (formerly known as CERT-FI) for vulnerability coordination. Mehta also congratulated Codenomicon, without going into detail.
The Sydney Morning Herald published a timeline of the discovery on April 15, which shows that some of the organizations were able to patch against the bug before its public disclosure. In some cases, it is not clear how they found out.
Resolution
On March 21, 2014 Bodo Moeller and Adam Langley of Google wrote a patch that fixed the bug. The date of the patch is known from Red Hat's issue tracker. The next chronological date available from the public evidence is the claim by CloudFlare that they fixed the flaw on their systems on March 31, 2014.
Exploitation
The Canada Revenue Agency reported the theft of Social Insurance Numbers belonging to 900 taxpayers, and stated that they were accessed through an exploit of the bug during a 6-hour period on April 8. When the attack was discovered, the agency shut down its web site and extended the taxpayer filing deadline from April 30 to May 5. The agency said it will provide anyone affected with credit protection services at no cost. On April 16, the RCMP announced they had charged an engineering student in relation to the theft with "unauthorized use of a computer" and "mischief in relation to data".
In another incident, the UK parenting site Mumsnet had several user accounts hijacked, and its CEO was impersonated. The site published an explanation of the incident.
On April 12, at least two independent researchers were able to steal private keys using this attack from an experimental server intentionally set up for that purpose by CloudFlare.
It was reported by a professor at University of Michigan that a computer in China that had been used for hacking and other malicious activities attempted on April 16, 2014 to exploit Heartbleed to attack a university server, which was actually a honeypot intentionally left vulnerable, designed to attract attacks which could then be studied.
Claims of possible knowledge and exploitation prior to disclosure
Many major web sites patched or disabled the bug within days of its announcement, but it is unclear whether potential attackers were aware of it earlier and to what extent it was exploited. Based on examinations of audit logs by researchers, it has been reported that some attackers may have exploited the flaw for at least five months before discovery and announcement.Errata Security pointed out that a widely used non-malicious program called "Masscan", introduced six months before Heartbleed's disclosure, abruptly terminates the connection in the middle of handshaking in the same way as Heartbleed, generating the same server log messages, adding "Two new things producing the same error messages might seem like the two are correlated, but of course, they aren't".
According to Bloomberg News, two unnamed insider sources informed it that the United States National Security Agency was aware of the flaw since shortly after its introduction, but chose to keep it secret, instead of reporting it, in order to exploit it for their own purposes.The NSA has denied this claim, as has Richard A. Clarke, who was a member of an advisory panel that reviewed the United States' electronic surveillance policy; he told Reuters on 11 April 2014 that the NSA had not known of Heartbleed
Behavior
A depiction of Heartbleed
The RFC 6520 Heartbeat Extension tests TLS/DTLS secure communication links by allowing a computer at one end of a connection to send a “Heartbeat Request” message, consisting of a payload, typically a text string, along with the payload’s length as a 16-bit integer. The receiving computer then must send the exact same payload back to the sender.
Heartbleed is exploited by sending a malformed heartbeat request with a small payload and large length field to the server in order to elicit the server's response, permitting attackers to read up to 64 kilobytes of server memory that was likely to have been used previously by OpenSSL. Where a Heartbeat Request might ask the server to "send back the four-letter word 'bird'", resulting in a server response of "bird", a malicious Heartbleed Request of "send back the 500-letter word 'bird'" would cause the server to return "bird" followed by whatever 496 characters the server happened to have in active memory. Attackers in this way could receive sensitive data, compromising the security of the server and its users. Vulnerable data include the server's private master key, which would enable attackers to decrypt current or stored traffic via passive eavesdropping (if perfect forward secrecy is not used by the server and client), or active man-in-the-middle attacks if perfect forward secrecy is used. The attacker cannot control which data are returned, as OpenSSL typically responds with the chunks of memory it has most recently discarded.
The affected versions of OpenSSL allocate a memory buffer for the message to be returned based on the length field in the requesting message, without regard to the size of actual payload in that message. Because of this failure to do proper bounds checking, the message returned consists of the requested payload followed by whatever else happened to be in the allocated memory buffer. The problem was compounded by OpenSSL's decision to write its own version of the C dynamic memory allocation (malloc and free) routines. As a result, the oversized memory buffer returned to the requestor was likely to contain data from memory blocks that had been previously requested and freed by OpenSSL. Such memory blocks may contain sensitive data sent by users or even the private keys used by OpenSSL. In addition, by using its own memory management routines OpenSSL bypassed mitigation measures in some operating systems that might have detected or neutralized the bug.
The bug might also reveal unencrypted parts of users' requests and responses, including any form post data in users' requests, session cookies and passwords, which might allow attackers to hijack the identity of another user of the service.
Client-side vulnerability
In what the Guardian dubbed "reverse Heartbleed", malicious servers are able to exploit the Heartbleed vulnerability to read data from the client's memory such as usernames and passwords.Security researcher Steve Gibson stated "it's not just a server-side vulnerability, it's also a client-side vulnerability because the server, or whomever you connect to, is as able to ask you for a heartbeat back as you are to ask them."Google has confirmed that Android version 4.1.1 (Jelly Bean) has the Heartbleed bug. This affects approximately 50 million Android devices and remains unpatched
Affected OpenSSL installations
The affected versions of OpenSSL are OpenSSL 1.0.1 through 1.0.1f (inclusive). Later versions (1.0.1g and ulterior) and previous versions (1.0.0 branch and older) are not vulnerable.Installations of the affected versions are vulnerable unless OpenSSL was compiled with OPENSSL_NO_HEARTBEATS.
Older versions of OpenSSL were patched for Heartbleed in several operating systems including Debian(and derivatives such as Linux Mint and Ubuntu) and Red Hat Enterprise Linux (and derivatives such as CentOSand Amazon Linux ).
Vulnerable program and function
The vulnerable program source files are t1_lib.c and dl_both.c and the vulnerable functions are tls1_process_heartbeat() and dtls1_process_heartbeat().
Patch
The bug is classified as a buffer over-read, a situation where software allows more data to be read than should be allowed. The problem can be fixed by ignoring Heartbeat Request messages that ask for more data than their payload needs.
Version 1.0.1g of OpenSSL adds some bounds checks to prevent the buffer over-read. For example, the following test has been added, which discards the Heartbeat Request preventing a reply from being constructed if it would trigger the Heartbleed:
if (1 + 2 + payload + 16 > s->s3->rrec.length) return 0; /* silently discard per RFC 6520 sec. 4 */
A complete list of changes is available at git.openssl.org.
Although patching software (the OpenSSL library and any statically linked binaries) fixes the bug, running software will continue to use its in-memory OpenSSL code with the bug until each application is shut down and restarted, so that the patched code can be loaded. Further, in order to regain privacy and secrecy, all private or secret data must be replaced, since it is not possible to know if they were compromised while the vulnerable code was in use:
all possibly compromised private key-public key pairs must be regenerated,
all certificates linked to those possibly compromised key pairs need to be revoked and replaced, and
all passwords on the possibly compromised servers need to be changed.
Vulnerability testing services
Several services have been made available to test whether Heartbleed affects a given site. However, many services have been claimed to be ineffective for detecting the bug.The available tools include:
AppCheck - static binary scan, from Codenomicon
Tripwire SecureScan
Arbor Network's Pravail Security Analytics
Norton Safeweb Heartbleed Check Tool
Heartbleed testing tool by a European IT security company
Heartbleed Scanner by Italian cryptologist Filippo Valsorda
Heartbleed Vulnerability Test by Cyberoam
Critical Watch Free Online Heartbleed Tester
Metasploit Heartbleed scanner module
Heartbleed Server Scanner by Rehmann
Lookout Mobile Security Heartbleed Detector, an app for Android devices that determines the OpenSSL version of the device and indicates whether the vulnerable heartbeat is enabled
Heartbleed checker hosted by LastPass
Online network range scanner for Heartbleed vulnerability by Pentest-Tools.com
Official offline scanner in Python written by Stafford, Jared (2014-04-14). "heartbleed-poc.py". From Red Hat, Inc.
Qualys SSL Labs' SSL Server Test which not only looks for the Heartbleed bug, but can also find other SSL/TLS implementation errors.
Browser extensions, such as Chromebleed and FoxBleed
SSL Diagnos
CrowdStrike Heartbleed Scanner - Scans routers, printers and anything else connected inside a network including intranet web sites.
Other security tools have added support for finding this bug. For example, Tenable Network Security wrote a plugin for its Nessus vulnerability scanner that can scan for this fault.The Nmap security scanner includes a Heartbleed detection script from version 6.45.
Sourcefire has released Snort rules to detect Heartbleed attack traffic and possible Heartbleed response traffic.Open source packet analysis software such as Wireshark and tcpdump can identify Heartbleed packets using specific BPF packet filters that can be used on stored packet captures or live traffic.
The Security Certificate Revocation Awareness Test tests whether a web browser allows a user to visit a web site that uses a revoked SSL certificate.[relevant? – discuss] According to Netcraft, "only 30,000 of the 500,000+ SSL certificates affected by the Heartbleed bug have been reissued up until today, and even fewer certificates have been revoked."
No comments:
Post a Comment