Monday afternoon, the IT world got a very nasty wakeup call, an emergency security advisory from the OpenSSL project warning about an open bug called “Heartbleed.” The bug could be used to pull a chunk of working memory from any server running their current software. There was an emergency patch, but until it was installed, tens of millions of servers were exposed. Anyone running a server was suddenly in crisis mode.
If the “Heartbleed” name sounds dramatic, this bug seems to live up to the hype. It’s already far worse than the GoToFail bug that embarrassed Apple earlier this year, both by the scale of computers affected and the depth of the breach. The new bug would let attackers pull the private keys to the server, letting attackers listen in on data traffic and potentially masquerade as the server. Even worse, it’s old: the bug dates back two years, and it’s still unclear how long anyone’s known about it.
OpenSSL isn’t widely known outside of the coding world, but as many as two out of three servers on the web rely on its software. The sudden reveal means anyone involved is now scrambling for a fix. Already, Yahoo has been exposed by the bug, and experts have advised any Yahoo users to steer clear of their accounts until the company has time to update their servers. (A Yahoo representative tells The Verge the core sites are now patched, although the team is still working to implement the fix across the rest of the site.) Dozens of other smaller companies have also reportedly been affected, including Imgur, Flickr, and LastPass (although LastPass says no unencrypted data was exposed). “It is catastrophically bad, just a hugely damaging bug,” says ICSI security researcher Nicholas Weaver.
Discovered by Google researcher Neel Mehta, the bug allows an attacker to pull 64k at random from a given server’s working memory. It’s a bit like fishing — attackers don’t know what usable data will be in the haul — but since it can be performed over and over again, there’s the potential for a lot of sensitive data to be exposed. The server’s private encryption keys are a particular target, since they’re necessarily kept in working memory and are easily identifiable among the data. That would allow attackers to eavesdrop on traffic to and from the service, and potentially decrypt any past traffic that had been stored in encrypted form.
For most privacy tools relying on OpenSSL, the takeaway is catastrophic. A blog post from the Tor Project told users, “if you need strong anonymity or privacy on the internet, you might want to stay away from the internet entirely for the next few days while things settle.” In many cases, a few days may not be enough. It will give services time to patch their servers, but if any private keys were compromised before the patch went up, it would give attackers free rein in the months to come. Servers can reset their certificates, but it’s slow and expensive, and experts suspect many of them may simply assume the patch is enough. “I bet that there will be a lot of vulnerable servers a year from now,” Weaver says. “This won’t get fixed.”
Apple, Google and Microsoft appear to be unaffected, along with the major e-banking services. Yahoo, on the other hand, was affected and leaking user credentials for a significant portion of the day before its core sites were fixed. More generally, any server running OpenSSL on Apache or Nginx will be affected, which implicates a huge variety of everyday websites and services.
For now, there are a few ways users can tell which services are safe — but the news isn’t reassuring. This site, built by developer Filippo Valsorda, offers a spot-check as to which services are currently unpatched, but the site’s code is also producing false negatives, so it shouldn’t be taken as definitively ruling anything out. Any patched server will also need to generate new SSL certificates to make sure attackers can’t use keys that were exposed in the breach. To check, use an SSL tracker like this one and look for a certificate’s “issued on” date, which should be dated after the recent patch. Resetting the certificates will take time and money, but if a compromised site keeps using a compromised certificate, they’ll be leaving themselves open to an attack.
It’s still early to tell what larger changes will be made as a result of the breach, but some lessons are already clear. Despite the vast infrastructure relying on OpenSSL, the open-source project is comparatively underfunded, and some experts have already called for more donations to the project to prevent vulnerabilities like Heartbleed from slipping through the cracks. Perfect Forward Secrecy could also have limited the damage from the bug, preventing decryption after the fact.
But the most troubling lesson might be how hard vulnerabilities are to discover, and how damaging they can be once fully revealed. “These are really subtle bugs,” Weaver says. “You might detect it if you ran it through a memory checker, but this is not the kind of thing that just shows up looking at the code.” That’s a credit to Google, who was rigorous enough to discover the bug — but for anyone relying on secure software, it’s a troubling thought.
Some Comments about clarification of the posts.
- The answer to this question is “maybe”. The article here has several points wrong, one of them being that the attacker cannot select which data they are going to have leak. The flaw basically blows out a memory register and returns whatever data happens to be in the extra bytes. It could be something, or, in most cases, it could be nothing. To get useful data, you would have to flood the server with TLS “heartbeat” requests.
- As someone familiar with this tech, I’d say the author of this article did a decent job covering the main bases. The possibilities are huge. Getting a 64k chunk of random memory is pretty significant. There are just over 262,000 64k chunks in a 16GB server. An attacker can muster 262,000 requests in just a few minutes. Once the random jabs have shaken loose pretty much all the contents of the server’s memory, then the attacker can sift through the responses for the private SSL keys. The private SSL keys can be used by the attacker to imitate the host to visiting browsers, which will then submit login info. Having the server’s private SSL key can also greatly simplify a Man-in-the-middle attack on sessions that are supposed to be private between the browser and the server. Finally, the private SSL key also enables previously-captured network traffic to be fully decrypted.
- The article is confusing about what the potential leakage is. There is the potential that an attacker could get any kind of data that was loaded into memory, which makes the bug nasty. But it’s not like an attacker could just hit the server and pull everything in memory, or download a specific kind of data. They would have to send millions of heartbeat requests just to guarantee that they got any useful data. And it still wouldn’t be guaranteed.I’m not trying to downplay the seriousness of the issue, but it’s probably not likely that people need to freak out about all their data being stolen right now. The serious concern is the loss of server private keys, so people should go through the process of updating their servers and re-keying their SSL certificates to ensure that they are safe.
- No it doesn’t; it allows an attacker to see the contents of a small portion of RAM immediately following a chunk of RAM that OpenSSL uses. They have no control over what specific portion of memory it is nor what it contains; it could be anything and what it is exactly really depends on a bunch of pretty much random factors.The concern is that there is a possibility that it could contain something important (like the servers private encryption keys) which would obviously be a problem. This is where the verge article delves into sensationalist BS however they can’t write software that is essentially “push button to steal certs” this would take time and resources to exploit in any meaningful way unless the attacker was very lucky. Again, this is basically like trying to steal someone’s password by walking behind their desk hoping that they happen to be typing it in as you walk by.It’s a big deal because relying on someone not getting lucky is not a good form of security, the chances that this was exploited in a meaningful way is almost nil.
All technical knowledge about Open Ssl 1.0.1
An information disclosure vulnerability has been found, and promptly patched, in OpenSSL.
OpenSSL is a very widely used encryption library, responsible for putting the S in HTTPS, and the padlock in the address bar, for many websites.
The bug only exists in the OpenSSL 1.0.1 source code (from version 1.0.1 to 1.0.1f inclusive), because the faulty code relates to a fairly new feature known as the TLS Heartbeat Extension.
The heartbeat extension was first documented in RFC 6520 in February 2012.
TLS heartbeats are used as “keep alive” packets so that the ends of an encrypted connection can agree to keep the session open even when they don’t have any official data to exchange.
Because the heartbeats consist of a reply and a matching response, they allow either end to confirm not only that the session is open, but also that end-to-end connectivity is working properly.
Sending heartbeat requests
The RFC 6520 standard explicitly restricts the maxium size of a heartbeat request to 214 bytes (16KBytes), but OpenSSL itself generates far shorter requests.
Don’t worry if you don’t understand C; but if you do, the OpenSSL heartbeat request code looks like this:
unsigned int payload = 18; /* Sequence number + random bytes */ unsigned int padding = 16; /* Use minimum padding */ /* Check if padding is too long, payload and padding * must not exceed 2^14 - 3 = 16381 bytes in total. */ OPENSSL_assert(payload + padding <= 16381); /* Create HeartBeat message, we just use a sequence number * as payload to distuingish different messages and add * some random stuff. * - Message Type, 1 byte * - Payload Length, 2 bytes (unsigned int) * - Payload, the sequence number (2 bytes uint) * - Payload, random bytes (16 bytes uint) * - Padding */ buf = OPENSSL_malloc(1 + 2 + payload + padding); p = buf; /* Message Type */ *p++ = TLS1_HB_REQUEST; /* Payload length (18 bytes here) */ s2n(payload, p); /* Sequence number */ s2n(s->tlsext_hb_seq, p); /* 16 random bytes */ RAND_pseudo_bytes(p, 16); p += 16; /* Random padding */ RAND_pseudo_bytes(p, padding); ret = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
The reason that the code says that “payload and padding must not exceed 16381 bytes in total” is that the 16KByte (16384 byte) maximum heartbeat request size includes one byte to signal that this is a TLS1_HB_REQUEST, and two bytes to denote the length of the payload data in the request.
As the code stands, the OPENSSL_assert to verify that payload + padding <= 16381 is redundant, because the payload size is hard-wired to 18 bytes and the padding size to 16.
But the programmer has tried to do the right thing: put in the check anyway, in case someone changes those payload or padding sizes in the future without considering the consequences.
The code then transmits a heartbeat request consisting of:
- The single byte 0x01 (denoting that this is a TLS1_HB_REQUEST).
- Two bytes containing the 16-bit representation of 34 (size of payload plus padding).
- Two bytes of payload consising of a 16-bit sequence number.
- 16 bytes of random data making up the rest of the 18-byte payload.
- 16 further random padding bytes, required by the standard.
Replying to heartbeat requests
When vulnerable versions of OpenSSL 1.0.1 respond to a heartbeat request, they aren’t quite so careful in processing the received data.
Heartbeat replies are supposed to contain a copy of the payload data from the request, as a way of verifying that the encrypted circuit is still working both ways.
It turns out that you can send a small heartbeat request, but sneakily set your payload length field to 0xFFFF (65535 bytes).
Then, OpenSSL will uncomplainingly copy 65535 bytes from your request packet, even though you didn’t send across that many bytes:
/* Allocate memory for the response, size is 1 byte * message type, plus 2 bytes payload length, plus * payload, plus padding */ buffer = OPENSSL_malloc(1 + 2 + payload + padding); bp = buffer; /* Enter response type, length and copy payload */ *bp++ = TLS1_HB_RESPONSE; s2n(payload, bp); memcpy(bp, pl, payload); bp += payload; /* Random padding */ RAND_pseudo_bytes(bp, padding); r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
That means OpenSSL runs off the end of your data and scoops up whatever else is next to it in memory at the other end of the connection, for a potential data leakage of approximately 64KB each time you send a malformed heartbeat request.
This bug has been rather melodramatically named “heartbleed,” for reasons that should now be obvious.
According to the Finnish National Cyber Security Centre, the sort of data that “bleeds” when the bug is triggered varies enormously, but may includemessage contents, user credentials, session keys and even copies of a server’s own private keys.
That’s not good!
Fixing the problem
Fortunately, there’s a fix already: simply upgrade to OpenSSL 1.0.1g.
If you don’t want to or can’t do that, you can rebuild your current version of OpenSSL from source without TLS Heartbeat support, by adding -DOPENSSL_NO_HEARTBEATS at compile time.
Both of these immunise you from this flaw.
The new OpenSSL version includes a bounds check to make sure the payload length you specified isn’t longer that the data you actually sent:
/* Read type and payload length first */ if (1 + 2 + 16 > s->s3->rrec.length) return 0; /* silently discard */ hbtype = *p++; n2s(p, payload); if (1 + 2 + payload + 16 > s->s3->rrec.length) return 0; /* silently discard per RFC 6520 sec. 4 */
The -DOPENSSL_NO_HEARTBEATS compile-time option simply omits the buggy code altogether from vulnerable versions.
The lessons to learn
If you’re a programmer, remember: always double-check the data that the other side sent you before you use it to control the operation of your own code.
And remember: buffer overflows should always be treated as serious, even if they don’t lead to remote code execution.
Data leakage bugs can be just as disastrous, as this flaw demonstrates.
For further information…
If you’d like to know more about the main sorts of vulnerablity, from RCE (remote code execution) through EoP (elevation of privilege) to Information Disclosure, please listen to our Techknow podcast, Understanding Vulnerabilities.