Just one day before the Windows XP end of life, the vulnerability CVE-2014-0160 was published. A lot of blogs have talked about the OpenSSL vulnerability called the "Heartbleed Bug". A lot of us security administrators have spent the last few days focused on patching this security issue... I believe everything has already been said...

In this post, I'd like to write a brief summary of what has happened with this really interesting and critical topic.

The BUG description

These are some of the sentences OpenSSL wrote about the bug on their website.

"A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server."

"Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS."

So... someone could steal information from our servers/clients thanks to this bug...

But... what is the heartbeat?

This is what RFC 6520 says about the heartbeat:

"DTLS is designed to secure traffic running on top of unreliable transport protocols. Usually, such protocols have no session management. The only mechanism available at the DTLS layer to figure out if a peer is still alive is a costly renegotiation, particularly when the application uses unidirectional traffic. Furthermore, DTLS needs to perform path MTU (PMTU) discovery but has no specific message type to realize it without affecting the transfer of user messages."

"TLS is based on reliable protocols, but there is not necessarily a feature available to keep the connection alive without continuous data transfer."

"The Heartbeat Extension as described in this document overcomes these limitations. The user can use the new HeartbeatRequest message, which has to be answered by the peer with a HeartbeatResponse immediately. To perform PMTU discovery, HeartbeatRequest messages containing padding can be used as probe packets, as described in [RFC4821]."

So, to avoid continuously renegotiating the secure session (which has a direct impact on server performance), Heartbeat was designed to say... "Hey!! Are you still there?? This session is not finished yet!!!"

How does the vulnerability work?

As mentioned above, the security problem resides in the heartbeat. There are hundreds of explanations about this security problem... I've found the picture below, which describes really well how to take advantage of this vulnerability. It couldn't be explained better.
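
The missing bounds check in concrete terms, as an added example (not OpenSSL's code and not from the original post): a heartbeat responder that compares the sender's declared payload_length with the bytes actually received, using the message layout from RFC 6520. The function name, constants and sample messages are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1   /* heartbeat_request (RFC 6520) */
#define HB_RESPONSE 2   /* heartbeat_response (RFC 6520) */
#define HB_HEADER   3   /* 1-byte type + 2-byte payload_length */
#define HB_MIN_PAD  16  /* RFC 6520: at least 16 bytes of padding */

/* Build the response for one received heartbeat message (msg, msg_len).
 * Returns the response length, or 0 when the message must be discarded. */
size_t hb_build_response(const uint8_t *msg, size_t msg_len,
                         uint8_t *out, size_t out_cap)
{
    if (msg_len < HB_HEADER + HB_MIN_PAD || msg[0] != HB_REQUEST)
        return 0;                      /* truncated or not a request */
    size_t claimed = ((size_t)msg[1] << 8) | msg[2];

    /* The bounds check Heartbleed lacked: the sender-supplied length must
     * fit inside the bytes actually received. Without it, the memcpy below
     * reads past msg and echoes up to 64k of adjacent memory. */
    if (claimed > msg_len - HB_HEADER - HB_MIN_PAD)
        return 0;

    size_t resp_len = HB_HEADER + claimed + HB_MIN_PAD;
    if (resp_len > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = msg[1];
    out[2] = msg[2];
    memcpy(out + HB_HEADER, msg + HB_HEADER, claimed);
    memset(out + HB_HEADER + claimed, 0, HB_MIN_PAD); /* real stacks pad with random bytes */
    return resp_len;
}

/* Constructed sample messages, not captured traffic. */
static const uint8_t HB_OK[] = { 0x01, 0x00, 0x04, 'p', 'i', 'n', 'g',
    0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0 };   /* 3 + 4 + 16 = 23 bytes */
static const uint8_t HB_LIE[] = { 0x01, 0x40, 0x00,
    0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0 };   /* claims 16384, carries 0 */

int main(void)
{
    uint8_t out[64];
    printf("honest request:  %zu\n", hb_build_response(HB_OK, sizeof HB_OK, out, sizeof out));
    printf("oversized claim: %zu\n", hb_build_response(HB_LIE, sizeof HB_LIE, out, sizeof out));
    return 0;
}
```

The same comparison, declared length against received length, is what a network signature for step 7 of the checklist below can look for.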


POC on the server side

So, are we really able to get 64 KB from the memory of a remote server in an easy way? The answer is... YES!!!

Just download the exploit from here, execute it against a vulnerable server, and you will see 64 KB of the server's memory. Sometimes we will get nothing interesting...


... sometimes we will get usernames and passwords in clear text, as you will see in the picture below. This image came from a guy who detected that login.yahoo.com was vulnerable to this bug.


I've been testing my vulnerable servers by executing the exploit in a loop every second, and I was able to get a lot of usernames and passwords and really interesting information from these vulnerable servers.

Did you think 64 KB of RAM wasn't enough to steal valuable information?

POC on the client side

So, are we really able to get 64 KB from the memory of a remote client in an easy way? The answer is... YES!!!

Pacemaker is a script written in Python that attempts to abuse OpenSSL clients that are vulnerable to Heartbleed (CVE-2014-0160). When pacemaker.py is executed, it starts to listen on port 4433/TCP by default. To test whether a client is vulnerable, just make a connection to this port. If it is vulnerable, you will see a 64 KB memory dump from your client, like in the picture below.

Example: wget -O /dev/null https://google.com https://localhost:4433


If the client is not vulnerable, the tool will print something like what you can see in this image.

Affected versions

Servers

Any server using OpenSSL 1.0.1 through 1.0.1f (inclusive) is vulnerable.

These versions are not vulnerable.
  • OpenSSL 1.0.1g
  • OpenSSL 1.0.0 branch
  • OpenSSL 0.9.8 branch

Be careful with appliances that have OpenSSL installed, such as VPN-SSL devices, firewalls, etc. They could be vulnerable too. Here you can get more info about some of them.

Clients

The list below shows some vulnerable clients tested with Pacemaker.
  • MariaDB 5.5.36
  • wget 1.15 (leaks memory of earlier connections and own state)
  • curl 7.36.0 (https, FTP/IMAP/POP3/SMTP with --ftp-ssl)
  • git 1.9.1 (tested clone / push, leaks not much)
  • nginx 1.4.7 (in proxy mode, leaks memory of previous requests)
  • links 2.8 (leaks contents of previous visits!)
  • KDE 4.12.4 (kioclient, Dolphin, tested https and ftps with kde4-ftps-kio)
  • Exim 4.82 (outgoing SMTP)

What should I do?

  1. Detect all your vulnerable servers.
  2. Upgrade your OpenSSL to version 1.0.1g.
  3. Your private keys could have been stolen. Acquire new key certificates, revoke your old ones and install the new ones.
  4. Your users' passwords could have been stolen. Force the users to change them.
  5. Inform your customers if you have been vulnerable.
  6. Beware of the inevitable phishing campaigns.
  7. Deploy signatures in your IDS/IPS to detect how many times you are being attacked.
  8. Detect if you have been compromised.

The OpenSSL Bug timeline

04/07/2014 17:30 UTC OpenSSL published the security issue here.

04/07/2014 18:00 UTC The website "Heartbleed.com" was published.

04/07/2014 19:00 UTC OpenSSL released a new version "openssl-1.0.1g".

04/08/2014 Filippo Valsorda published an open source Heartbleed test

04/09/2014 The exploit "OpenSSL TLS Heartbeat Extension - Memory Disclosure - Multiple SSL/TLS versions" was published.

04/09/2014 The module for Metasploit appeared.

04/09/2014 A script for Nmap was released.

04/09/2014 A stable version of Pacemaker was published.

04/10/2014 The website reverseheartbleed.com was created.