Heartbleed
Summary
This page explains the background of the "Heartbleed" bug. The purpose of this documentation is not to guide attackers in reproducing the Heartbleed attack; it is only meant to explain how the vulnerability works. See Heartbleed Attacks for two demonstrations of the Heartbleed exploit.
Requirements
- Web server, e.g. nginx or Apache
- OpenSSL between versions 1.0.1 and 1.0.1f (download from https://github.com/openssl/openssl/branches/all)
Background
- HTTP communication usually takes place over TCP/IP connections.
- TCP is reliable, but the connection must be kept open by a continuous exchange of data.
- HTTPS websites are encrypted with SSL/TLS.
- The web server has a pool of available sockets which allow clients to connect.
- Web servers have timers: after a set time of x seconds, the session is closed if the client has been inactive.
- To keep the session alive, the web browser sends heartbeat requests, which are processed by the server.
- Heartbleed has been classified as a buffer overflow vulnerability (more precisely a buffer over-read: the server reads beyond the end of the message it actually received).
Heartbeat
- Heartbeat is a TLS/DTLS extension first implemented in OpenSSL in 2012 [1].
- It is a special data packet.
- Possible size: 16 bytes < heartbeat message < 64 KiB.
- "Heartbeat Requests" are sent from the web browser to the web server to keep the session alive.
- The server answers with a "Heartbeat Response" which contains exactly the same data.
Example
The web browser (client) sends a length and a message:
- The web browser sends a message with length 5: 'hello'
- The web server responds with exactly the same message: 'hello'
Heartbleed (CVE-2014-0160)
- The vulnerable code was written by a German graduate student in 2011 and approved by a British consultant [2].
- Heartbleed was discovered in 2014 by Neel Mehta, a member of Google's security team [2].
- The heartbeat request can be sent many times in a row.
- Repeated requests allow an attacker to rebuild a picture of the attacked web server's RAM.
Example
- The web browser sends a message with length 65536: 'hello'
- The web server allocates a data slot of 64 KiB and copies the message 'hello' into its first bytes. Because the server reads a full 64 KiB from memory starting at the received message, the remaining 65536 minus the size of 'hello' bytes are filled with data retrieved from its RAM.
- The web server responds with the filled 64 KiB data slot (including the contents of its RAM).
Consequences
The greatest obstacle with the Heartbleed bug is that exploitation leaves no trace or other unusual indication behind. Consequently, abuse of the vulnerability cannot be detected after the fact. [3]
Because half a million sites were or are vulnerable, it is likely that a number of websites have still not been patched and therefore remain vulnerable to the Heartbleed exploit. [4]
The only way to prevent further damage and to mitigate the vulnerability is to upgrade OpenSSL to the fixed version, or to recompile OpenSSL with the heartbeat extension removed from the code (the OPENSSL_NO_HEARTBEATS compile-time option). [3]
One positive outcome of the situation is that service providers affected by the Heartbleed bug updated the software they use and improved their security. [3]
A specific case of Heartbleed exploitation occurred in Canada, where a teenager stole 900 social security numbers in a matter of hours [5].
Moreover, Heartbleed led to further conspiracy theories about the NSA, as anonymous sources claimed that the NSA had been exploiting the vulnerability for two years prior to the public announcement [6].
Solution for the Heartbleed bug
The solution for the Heartbleed bug was to patch OpenSSL to version 1.0.1g. The patch added a bounds check that compares the payload length claimed in the incoming HeartbeatMessage against the actual record length stored in the SSL3 record structure, and discards the message if the claimed length does not fit [7].
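The heartbeat echo from the Example section and the bounds check described above, modelled in C as an added example written for this page (not OpenSSL's source): the pre-1.0.1g logic trusts the length field inside the message, the 1.0.1g logic first checks it against the record that actually arrived. The record layout follows RFC 6520; the simulated memory array, the constructed records and the "SECRET" string are assumptions made for the demo.

```c
#include <stdint.h>
#include <string.h>
/* Record layout (RFC 6520): type(1) | payload_length(2) | payload | padding (at least 16 bytes) */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define MIN_PADDING 16
/* Simulated process memory (assumed for the demo): the received record is followed by data
 * that must never be echoed. The over-read stays inside this array, so the demo itself is safe. */
static unsigned char mem[96];

/* Constructed request that claims `claimed` payload bytes but actually carries `actual` bytes. */
static size_t build_record(uint16_t claimed, const char *payload, size_t actual) {
    memset(mem, 0, sizeof mem);
    mem[0] = HB_REQUEST; mem[1] = (unsigned char)(claimed >> 8); mem[2] = (unsigned char)claimed;
    memcpy(mem + 3, payload, actual);
    size_t record_len = 3 + actual + MIN_PADDING;
    strcpy((char *)mem + record_len, "SECRET:session=abc123"); /* adjacent heap contents */
    return record_len;
}

/* Pre-1.0.1g logic: nothing tells this function how long the record was, so the claimed length wins. */
static int respond_unchecked(const unsigned char *rec, unsigned char *out, size_t out_max) {
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (3 + (size_t)payload + MIN_PADDING > out_max) return -1;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload); /* reads past the real payload into whatever follows it */
    return (int)(3 + payload + MIN_PADDING);
}

/* 1.0.1g logic: the claimed payload length must fit inside the record that actually arrived. */
static int respond_checked(const unsigned char *rec, size_t record_len, unsigned char *out, size_t out_max) {
    if (record_len < 3 + MIN_PADDING) return -1;                     /* no room for header and padding */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (3 + (size_t)payload + MIN_PADDING > record_len) return -1;   /* claimed length exceeds the record */
    return respond_unchecked(rec, out, out_max);                     /* safe now: payload lies inside rec */
}

/* 'hello' sent with a claimed length of 40: the unchecked handler answers with 59 bytes. The record is
 * 24 bytes long, so the secret that follows it is copied into the response at the same offset 24. */
int unchecked_response_leaks(void) {
    unsigned char out[96];
    build_record(40, "hello", 5);
    int n = respond_unchecked(mem, out, sizeof out);
    return n == 59 && memcmp(out + 24, "SECRET", 6) == 0;
}
/* The same request is refused by the checked handler, while an honest length-5 request is echoed. */
int checked_rejects_and_echoes(void) {
    unsigned char out[96];
    int bad = respond_checked(mem, build_record(40, "hello", 5), out, sizeof out);
    int ok  = respond_checked(mem, build_record(5, "hello", 5), out, sizeof out);
    return bad == -1 && ok == 24 && memcmp(out + 3, "hello", 5) == 0;
}
```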
Solution for individuals
For consumers of web services, the vast majority of the responsibility lies with the provider of the service. Nevertheless, changing your password is strongly recommended whenever a frequently visited website has been exploited. It is advisable to always use different passwords for different services; getting into the habit of using a password manager pays off [7].
Solution for businesses
Since this vulnerability leaves no trace, precautions must be taken. The first step is to patch the system and regenerate any SSL certificates. Customers should be encouraged to change their passwords; an even more effective approach is to force a password change. As this bug must be taken very seriously, a responsible business takes the corresponding steps to protect its customers. If there is concern that servers or internal information may have been leaked, an additional step is to undergo a security assessment. [7]
Secure Coding Practices
To prevent similar mistakes and vulnerabilities, OWASP provides numerous guides on secure coding practices, including checklists for input validation, session management, data protection, error handling and logging, and more [8].
Similarities to Cloudbleed
Cloudbleed was a major security bug discovered in 2017 in the infrastructure of Cloudflare, a major IT company. Much like Heartbleed, this bug exposed sensitive information through a buffer overflow caused by a human error in the code. The leakage occurred only under certain circumstances involving particular HTML content and Cloudflare features. Like Heartbleed, Cloudbleed demonstrated how much damage a single human error in critical software can do [9] [10].
References
- [1] R. Seggelmann, M. Tuexen, M. Williams, Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) Heartbeat Extension, https://www.rfc-editor.org/rfc/rfc6520.html (accessed December 13, 2024).
- [2] Bruce Schneier, The Human Side of Heartbleed, https://www.schneier.com/blog/archives/2014/06/the_human_side_.html (accessed December 22, 2023).
- [3] Synopsys, The Heartbleed Bug, https://heartbleed.com/ (accessed October 9, 2022).
- [4] Bruce Schneier, Heartbleed, https://www.schneier.com/blog/archives/2014/04/heartbleed.html/ (accessed October 11, 2022).
- [5] Daniel AJ Sokolov (Heise), Heartbleed: Datendiebstahl beim kanadischen Finanzamt, https://www.heise.de/news/Heartbleed-Datendiebstahl-beim-kanadischen-Finanzamt-2169832.html (accessed December 22, 2023).
- [6] Bruce Schneier, More on Heartbleed, https://www.schneier.com/blog/archives/2014/04/more_on_heartbl.html (accessed December 22, 2023).
- [7] Rhino Security Labs, How the Heartbleed Bug Affects You, https://rhinosecuritylabs.com/research/how-heartbleed-affects-you/ (accessed December 22, 2023).
- [8] OWASP, OWASP Secure Coding Practices Quick Reference Guide, https://owasp.org/www-project-secure-coding-practices-quick-reference-guide/ (accessed December 22, 2023).
- [9] Cloudflare, Incident report on memory leak caused by Cloudflare parser bug, https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/ (accessed December 22, 2023).
- [10] Cloudflare, Quantifying the Impact of "Cloudbleed", https://blog.cloudflare.com/quantifying-the-impact-of-cloudbleed/ (accessed December 22, 2023).