A Quick and Dirty on the Heartbleed Bug

The Heartbleed bug has been hanging around (in the wild) for more than two years and, according to Netcraft, affects 17% of SSL web servers that use certificates issued by trusted certificate authorities. The bug is only present in OpenSSL 1.0.1 to 1.0.1f and lives in OpenSSL’s implementation of the TLS heartbeat extension, where an attacker can force the OpenSSL server to read arbitrary memory locations:

In other words, an attacker can control the heartbeat size and structure it to be larger than expected, fire it off to the target server using TCP on port 443 and receive a response that contains up to 64kb data in a memory allocation outside the bounds of what the heartbeat should be able to access. Do it again with a different heartbeat size, get another 64kb response from another memory space. Lather, rinse, repeat. Easy peasy. — Troyhunt.com
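To make the length mismatch concrete, here is a small Python simulation added to this post (it is not OpenSSL code, and the memory arena and its contents are constructed sample data). A heartbeat record is a type byte, a two-byte declared payload length, the payload, and at least 16 bytes of padding. The pre-1.0.1g logic trusts the declared length and copies that many bytes from the record, so a request that declares 40 bytes but carries 4 returns 36 bytes of whatever sits next to it in memory; the hardened handler mirrors the shape of the 1.0.1g check (header + declared payload + minimum padding must fit inside the record actually received) and silently discards anything else.

```python
"""Simulated TLS heartbeat handling: unchecked length vs. the bounds check.
Constructed example, not OpenSSL source."""
import struct
from typing import Dict, Optional, Tuple

TLS1_HB_REQUEST = 1
TLS1_HB_RESPONSE = 2
HEADER_LEN = 1 + 2      # type byte + 16-bit declared payload length
MIN_PADDING = 16        # RFC 6520: every heartbeat carries >= 16 bytes of padding

# Constructed stand-in for other data that happens to sit after the record
# in the process heap (session data, key material, other users' requests).
NEIGHBOUR = b"sessionid=4f3c9a1e; user=alice; " + b"\x00" * 32


def build_heartbeat(payload: bytes, declared_len: Optional[int] = None,
                    padding: int = MIN_PADDING) -> bytes:
    """Encode a heartbeat request. declared_len lets the caller lie about the size."""
    if declared_len is None:
        declared_len = len(payload)
    return bytes([TLS1_HB_REQUEST]) + struct.pack("!H", declared_len) + payload + b"\x00" * padding


def place_record(record: bytes) -> Tuple[bytearray, int, int]:
    """Put the record at the start of a simulated memory arena, NEIGHBOUR right after it.
    Returns (memory, record offset, record length as actually received)."""
    return bytearray(record + NEIGHBOUR), 0, len(record)


def handle_vulnerable(memory: bytearray, rec_start: int, rec_len: int) -> bytes:
    """1.0.1 to 1.0.1f behaviour: copy `declared` bytes without comparing it to rec_len."""
    hbtype = memory[rec_start]
    (payload_len,) = struct.unpack_from("!H", memory, rec_start + 1)
    if hbtype != TLS1_HB_REQUEST:
        return b""
    pl = rec_start + HEADER_LEN
    # No check against rec_len: the copy runs past the record into NEIGHBOUR.
    return bytes([TLS1_HB_RESPONSE]) + struct.pack("!H", payload_len) + bytes(memory[pl:pl + payload_len])


def handle_fixed(memory: bytearray, rec_start: int, rec_len: int) -> Optional[bytes]:
    """1.0.1g-style handling: discard any record whose declared payload cannot fit."""
    if rec_len < HEADER_LEN + MIN_PADDING:
        return None                       # too short to hold even an empty payload
    hbtype = memory[rec_start]
    (payload_len,) = struct.unpack_from("!H", memory, rec_start + 1)
    if HEADER_LEN + payload_len + MIN_PADDING > rec_len:
        return None                       # declared length exceeds what was received: drop silently
    if hbtype != TLS1_HB_REQUEST:
        return None
    pl = rec_start + HEADER_LEN
    return bytes([TLS1_HB_RESPONSE]) + struct.pack("!H", payload_len) + bytes(memory[pl:pl + payload_len])


def demo() -> Dict[str, Optional[bytes]]:
    """Run an honest 4-byte request and one that declares 40 bytes through both handlers."""
    honest = build_heartbeat(b"ping")
    lying = build_heartbeat(b"ping", declared_len=40)
    return {
        "fixed_honest": handle_fixed(*place_record(honest)),
        "fixed_lying": handle_fixed(*place_record(lying)),
        "vulnerable_lying": handle_vulnerable(*place_record(lying)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

The interesting line is the single comparison in `handle_fixed`: nothing about the payload is trusted until the declared size has been checked against the size the TLS record layer actually delivered. Everything else in the two handlers is identical, which is why the real fix was a handful of lines.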

Heartbleed: A Quick and Dirty

The Krebs On Security blog has a nifty Quick and dirty on what you can do about the Heartbleed bug here. Krebs also gives the following advice prior to changing your password:

For this reason, I believe it is a good idea for Internet users to consider changing passwords at least at sites that they visited since this bug became public (Monday morning). But it’s important that readers first make an effort to determine that the site in question is not vulnerable to this bug before changing their passwords. 

His blog also provides resources so that you can test to see if a site is vulnerable.

Heartbleed.com has the best rundown of what, why and how it all happened.

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

NakedSecurity gives an awesome rundown: Anatomy of a data leakage bug – the OpenSSL “heartbleed” buffer overflow

The bug only exists in the OpenSSL 1.0.1 source code (from version 1.0.1 to 1.0.1f inclusive), because the faulty code relates to a fairly new feature known as the TLS Heartbeat Extension.

For those who operate websites, this one is for you: What should a website operator do about the Heartbleed OpenSSL exploit?

There is more to consider than just new certificates (or rather, new key pairs) for every affected server. It also means:

  • Patching affected systems to OpenSSL 1.0.1g
  • Revocation of the old keypairs that were just superseded
  • Changing all passwords
  • Invalidating all session keys and cookies
  • Evaluating the actual content handled by the vulnerable servers that could have been leaked, and reacting accordingly.
  • Evaluating any other information that could have been revealed, like memory addresses and security measures
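The first item on that list, patching, starts with knowing what is actually installed. The following Python helper is an added example for this post, not something from the linked article: it parses the banner printed by `openssl version` and the compiler flags printed by `openssl version -f`, and places the build in or out of the 1.0.1 to 1.0.1f window. The banners below are constructed sample strings. One caveat a practitioner needs: distributions such as Debian, Ubuntu and Red Hat backport the fix without changing the version number, so a banner reading 1.0.1e can belong to a patched build; treat an "affected" verdict from the version string as a prompt to check the vendor advisory or package changelog, not as a final answer.

```python
"""Classify an OpenSSL build against the Heartbleed version window.
Added example with constructed sample banners; the heuristics are an assumption
of this post, not an OpenSSL-provided check."""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int, str]

AFFECTED_FIRST: Version = (1, 0, 1, "")     # 1.0.1
AFFECTED_LAST: Version = (1, 0, 1, "f")     # 1.0.1f (1.0.1g carries the fix)

# Constructed sample output of `openssl version` from a few hosts.
SAMPLE_BANNERS = {
    "web01": "OpenSSL 1.0.1e 11 Feb 2013",
    "web02": "OpenSSL 1.0.1g 7 Apr 2014",
    "lb01": "OpenSSL 1.0.0l 6 Jan 2014",
    "legacy": "OpenSSL 0.9.8y 5 Feb 2013",
    "appliance": "LibreSSL 2.0.0",          # not OpenSSL at all; parser must say so
}


def parse_openssl_version(banner: str) -> Optional[Version]:
    """Extract (major, minor, fix, letter) from an `openssl version` banner."""
    m = re.search(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)", banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)


def version_in_affected_range(version: Version) -> bool:
    """Tuple comparison orders 1.0.1 < 1.0.1a < ... < 1.0.1f < 1.0.1g correctly."""
    return AFFECTED_FIRST <= version <= AFFECTED_LAST


def heartbeats_compiled_out(cflags_line: str) -> bool:
    """True if `openssl version -f` shows the extension was disabled at build time."""
    return "OPENSSL_NO_HEARTBEATS" in cflags_line


def assess(banner: str, cflags_line: str = "") -> str:
    """Return a short verdict; 'affected' still needs confirmation against vendor backports."""
    version = parse_openssl_version(banner)
    if version is None:
        return "unknown: not an OpenSSL banner"
    if not version_in_affected_range(version):
        return "not affected: version outside 1.0.1-1.0.1f"
    if heartbeats_compiled_out(cflags_line):
        return "not affected: built with OPENSSL_NO_HEARTBEATS"
    return "affected by version string: confirm against vendor advisory (backports keep the old number)"


def assess_fleet(banners: Dict[str, str]) -> Dict[str, str]:
    """Apply assess() to a host->banner mapping, e.g. collected from inventory."""
    return {host: assess(banner) for host, banner in banners.items()}


if __name__ == "__main__":
    for host, verdict in assess_fleet(SAMPLE_BANNERS).items():
        print(f"{host:10} {verdict}")
```

After patching, the same check should be re-run so the new key pair and certificate are only requested once the binary that will serve them is confirmed fixed; issuing a fresh key to a still-vulnerable process just leaks the new key too.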

Schneier on Security says that Heartbleed is a catastrophic bug in SSL:

Basically, an attacker can grab 64K of memory from a server. The attack leaves no trace, and can be done multiple times to grab a different random 64K of memory. This means that anything in memory — SSL private keys, user keys, anything — is vulnerable. And you have to assume that it is all compromised. All of it… “Catastrophic” is the right word. On the scale of 1 to 10, this is an 11.

MIT Technology Review states that Many Devices Will Never Be Patched to Fix Heartbleed Bug:

Cable boxes and home Internet routers are just two of the major classes of devices likely to be affected, says Lieberman. “ISPs now have millions of these devices with this bug in them”.

The same issue likely affects many companies, because plenty of enterprise-grade network hardware and industrial and business automation systems also rely on OpenSSL, and those devices are also rarely updated. Large-scale scans of Internet addresses have previously uncovered hundreds of thousands of devices, ranging from IT equipment to traffic control systems, that are improperly configured or have not been updated to patch known flaws (see “What Happened When One Man Pinged the Whole Internet”).

In A Nutshell

If you change your password on every site that you login to now, and the service hasn’t been patched yet, you will just have to do it all over again after the service is patched. So, do yourself a favor and take the Heartbleed test first. Be doubly sure to check out those shopping sites too (before you input your credit card information). There is also a Chromebleed extension available, though it does sometimes give a false-positive response. If it tests positive – be sure to double-check the site with the Heartbleed test.

If the site is vulnerable it will look like this: [screenshot: Heartbleed test result]

This has been a Tekblog Quick and Dirty Heartbleed in a nutshell – over and out for now.
