Anatomy of Heartbleed Bug


By Nilanjan De
There has been a lot of buzz about Heartbleed[1] in the news recently. In this blog post, we have tried to put together the important things that one should know about Heartbleed.

What is Heartbleed?

Heartbleed is the popular name given to the recently found vulnerability(CVE-2014-0160) in OpenSSL – an open-source encryption library. More specifically, this is a bug in the OpenSSL Heartbeat protocol which results in a vulnerable server to leak or bleed confidential content in its memory space (and hence the name ‘Heartbleed’).

What’s Heartbleed bug?

OpenSSL is the most popular open-source library providing implementations of various cryptographic functions and SSL/TLS protocols. The SSL protocol has a feature called “Heartbeat” using which a client can check whether its connectivity to the server is still present or not. This avoids the overhead of setting up a new SSL connection and thus saves processing power and improves performance. This is done by sending a Heartbeat request with a small payload (data) and the size of the data which is then sent back by the server. (somewhat similar to ICMP echo and reply)

(Read More: 3 Reasons why Automated Vulnerability Scanning does not work)

Unfortunately, some versions of OpenSSL, do not actually check the size of the string sent by the client and trust on the client provided size and sends back the response by copying the block of memory as per the size provided by the client. This can be misused by any rogue client who can request a Heartbeat response with a size more than what it sends as shown in the below comic and thus read a lot bigger chunk of memory (upto 65536 bytes) than it requested. Since OpenSSL handles encryption and decryption, in many cases, the memory may contain confidential plaintext for example usernames, passwords, emails or cryptographic keys which can allow an attacker to decrypt any encrypted traffic encrypted using the key. The bug even affects vulnerable clients which may be attacked by rogue servers.

(Read More: Bypassing Captcha using Python and Tesseract OCR engine)

XKCD has nicely summarized the Heartbleed bug in the following comic in layman terms.

You may also check this video to understand how the attack works.

Download Free Checklist: How to assess your Penetration Testing Vendor?

Who are at risk?

OpenSSL versions 1.0.1 to 1.0.1f(both inclusive) are VULNERABLE

OpenSSL version 1.0.1g is NOT VULNERABLE OpenSSL branch 1.0.0 and 0.9.8 are NOT VULNERABLE

If you are running a vulnerable version of OpenSSL as listed above, you are vulnerable and should immediately take steps to mitigate the risk.

In case you are not sure about your OpenSSL version, you can check your site using the Netcraft browser plugin.

Alternately, you may check your site here or here.

Another option is to run your favourite Vulnerability Assessment tool against your site or get it tested by us or any other Penetration testing vendor.

(Read More: Challenges in automated testing of session management)

What is the fix?

In case you find that your servers are vulnerable to Heartbleed bug, you should do the following:
1.Upgrade to the latest OpenSSL version and any other packages which may have been compiled/linked with OpenSSL. If upgrading is not possible, you need to recompile the older version of OpenSSL using the compile time option -DOPENSSL_NO_HEARTBEATS in order to mitigate the vulnerability.
2.Stop all the affected services.
3.Revoke old certificates and keys and generate new ones.
4.Restart all the affected services
5.Understand your application profile and change any other critical information which you suspect may have been leaked. For example, change all application passwords or force your users to change their passwords at next login.

Note: You need to do the above in the exact order as specified.

For more information, check the official Heartbleed Bug site[2]

(Read More: REST APIs and Next Generation Threats: Part 1)

References:

[1] “Heartbleed – Wikipedia, the free encyclopedia.” 2014. 29 Apr. 2014 <http://en.wikipedia.org/wiki/Heartbleed>

[2] “Heartbleed Bug.” 2014. 29 Apr. 2014 <http://heartbleed.com/>