by Sharath Unni HEARTBLEED Bug
May 06, 2015
by Sharath Unni
HEARTBLEED Bug
Contents
Introduction to HTTP
Why HTTP over SSL?
Discovery of heartbleed
OpenSSL heartbeat extension
What exactly is bleeding?
Protecting against heartbleed attacks
A quick demo
A typical HTTP communication
• I would like to open a connection
• GET <file location>
• Display response
• Close connection
• OK
• Send page or error message
• OK
Client Server
Clear-text protocols
When packages of data are sent out over the internet – a lot more
can happen than you think!
Need for encryption SSL/TLS
Provides authentication, confidentiality and integrity.
Asymmetric encryption for key exchange (Public and Private keys)
Pre-shared secret key between the client and server
SHARED secret key – ensures that the message is private even if it is intercepted.
OpenSSL - open source implementation of SSL and TLS protocols
Discovery of Heartbleed The bug was independently discovered by a team of security engineers (Riku, Antti and Matti) at Codenomicon and Neel Mehta of Google Security, who first reported it to the OpenSSL team on April 1, 2014
Massive SSL bug impacts Internet and its users
According to Netcraft’s survey about 17.5% of SSL sites had heartbeat extension enabled (half a million)
Affected versions - 1.0.1 and 1.0.2-beta including 1.0.1f and 1.0.2-beta1 (since March 2012)
Apache and nginx servers typically run OpenSSL implementations
SSL heartbeat
SSL heartbeats are defined in RFC6520
Similar to Connection Keep-alive in HTTP
They can be sent without authenticating with the server
A heartbeat is a message that is sent to the server just so
the server can send it back. This lets a client know that
the server is still connected and listening.
OpenSSL HeartBeat
Heartbleed (CVE-2014-0160)
The vulnerability lies in the implementation of Heartbeat
The memory is allocated from the payload + padding
which is a user controlled value. (Buffer over-read)
OpenSSL heartbeat
So what if we can read the memory?
Metasploit extract of memory dump
Metasploit extract of memory dump
Protecting Private keys
What can we do about it?
Remove the HeartBeat extension
Upgrade to OpenSSL 1.0.1g
Revocation of the old key pairs
Force users to change their passwords
User awareness