Heartbleed by Danish Amber

Upload: raghunath-g

Post on 15-Jan-2015


DESCRIPTION

About Heartbleed and how to exploit it

TRANSCRIPT

Page 1: Heartbleed by-danish amber

Heartbleed

Page 2

Myself

• Mohammed Danish Amber

• Working as Database Security Administrator

• Tata Consultancy Services

• CEH & CHFI

• Collaborative Project on Hacker EcoSystem

Page 3

Agenda

• What is Heartbleed

• How it works and Usage in OpenSSL Library

• What was the mistake in code

• What is CVE-2014-0160

• How it can be exploited

• The Mechanism

• How to protect yourself

Page 4: (no text extracted)

Page 5

What is Heartbleed

• The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

Page 6

Heartbleed

• The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

Page 7

Heartbleed

• A fixed version of OpenSSL was released on April 7, 2014, on the same day Heartbleed was publicly disclosed.

• At that time, some 17 percent (around half a million) of the Internet's secure web servers certified by trusted authorities were believed to be vulnerable to the attack, allowing theft of the servers' private keys and users' session cookies and passwords.

Page 8: (no text extracted)

Page 9

Heartbeat

• The Heartbeat Extension for the Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) protocols was proposed as a standard in February 2012 by RFC 6520. It provides a way to test and keep alive secure communication links without the need to renegotiate the connection each time.

Page 10

Heartbeat

• In 2011, one of the RFC's authors, Robin Seggelmann, then a Ph.D. student at the University of Duisburg-Essen, implemented the Heartbeat Extension for OpenSSL. Following Seggelmann's request to put the result of his work into OpenSSL, his change was reviewed by Stephen N. Henson, one of OpenSSL's four core developers. Henson apparently failed to notice a bug in Seggelmann's implementation, and introduced the flawed code into OpenSSL's source code repository on December 31, 2011. The vulnerable code was adopted into widespread use with the release of OpenSSL version 1.0.1 on March 14, 2012. Heartbeat support was enabled by default, causing affected versions to be vulnerable by default.

Page 11

Discovery

• According to Mark J. Cox of OpenSSL, Neel Mehta of Google's security team reported Heartbleed on April 1, 2014.

• The bug was named by an engineer at Codenomicon, a Finnish cybersecurity company, which also created the bleeding heart logo, and launched the domain Heartbleed.com to explain the bug to the public.

• According to Codenomicon, Neel Mehta first reported the bug to OpenSSL, but both Google and Codenomicon discovered it independently.

• Codenomicon reports April 3, 2014 as their date of discovery of the bug and as their date of notification of NCSC-FI (formerly known as CERT-FI) for vulnerability coordination.

• The Sydney Morning Herald published a timeline of the discovery on April 15, 2014, which shows that some of the organizations were able to patch against the bug before its public disclosure. In some cases, it is not clear how they found out.

Page 12

Code patch

• On March 21, 2014 Bodo Moeller and Adam Langley of Google wrote a patch that fixed the bug. The date of the patch is known from Red Hat's issue tracker.

• As of May 8, 2014, 318,239 of the public web servers remained vulnerable.

Page 13

How it works & Usage in OpenSSL Library

Figure: layout of a Heartbleed request and the server's reply. The request carries a Payload Size field (DATA SIZE) that claims more bytes than the payload actually sent, followed by padding; the reply is Data + ???????? (the real payload followed by whatever lay in the server's memory after it). Caption: Server Alive Check through Heartbeat.

Page 14

CVE-2014-0160

• CVE-2014-0160 is the official reference to this bug. CVE (Common Vulnerabilities and Exposures) is the Standard for Information Security Vulnerability Names maintained by MITRE.

Page 15

The Mistake

• Is this a design flaw in SSL/TLS protocol specification?

• No. This is an implementation problem, i.e. a programming mistake in the popular OpenSSL library that provides cryptographic services such as SSL/TLS to applications and services.
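The programming mistake named above, as an added illustration in C that is neither the slide deck's code nor OpenSSL's own source: a heartbeat length parser written the way the vulnerable code trusted the 2-byte length field, beside a parser carrying the April 2014 fix, both exercised on two constructed records. All hb_ names are this example's own.

```c
#include <stddef.h>
#include <string.h>
/* RFC 6520 heartbeat message: 1 byte type (1 = request, 2 = response), 2 bytes
 * big-endian payload_length, payload_length payload bytes, >= 16 bytes padding. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
/* Constructed sample records (not captured traffic): both carry the 3-byte payload
 * "abc" plus 16 zero padding bytes; the lying one claims 0xFFFF payload bytes. */
static const unsigned char hb_honest[3 + 3 + HB_PADDING] = {HB_REQUEST, 0x00, 0x03, 'a', 'b', 'c'};
static const unsigned char hb_lying[3 + 3 + HB_PADDING]  = {HB_REQUEST, 0xFF, 0xFF, 'a', 'b', 'c'};
/* What the vulnerable code did: trust the two length bytes (n2s(p, payload) in
 * OpenSSL) and never compare them with the length of the record actually received. */
size_t hb_payload_len_unchecked(const unsigned char *rec, size_t rec_len)
{
    (void)rec_len;                         /* the bug: rec_len is never consulted */
    return ((size_t)rec[1] << 8) | rec[2]; /* 65535 for hb_lying: 64 KB would be copied */
}

/* The April 2014 fix: discard any message whose header + claimed payload + minimum
 * padding does not fit in the record. Returns 1 (payload located) or 0 (discard). */
int hb_parse_checked(const unsigned char *rec, size_t rec_len,
                     const unsigned char **payload, size_t *len)
{
    if (1 + 2 + HB_PADDING > rec_len)      /* too short for even header + padding */
        return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + claimed + HB_PADDING > rec_len)
        return 0;                          /* the missing check: discard silently per RFC 6520 */
    *payload = rec + 3;
    *len = claimed;
    return 1;
}

/* Answer a validated request: returns bytes written, or 0 if the request was
 * discarded or out is too small. Only payload bytes that really exist are copied. */
size_t hb_build_response(const unsigned char *rec, size_t rec_len,
                         unsigned char *out, size_t out_cap)
{
    const unsigned char *payload; size_t len;
    if (!hb_parse_checked(rec, rec_len, &payload, &len) || rec[0] != HB_REQUEST)
        return 0;
    if (1 + 2 + len + HB_PADDING > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(len >> 8); out[2] = (unsigned char)(len & 0xFF);
    memcpy(out + 3, payload, len);
    memset(out + 3 + len, 0xAA, HB_PADDING); /* stand-in for random padding */
    return 3 + len + HB_PADDING;
}
```

The unchecked parser happily reports 65535 bytes for a 22-byte record; the checked one refuses it, which is exactly the one-line comparison the fix added.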

Page 16: (no text extracted)

Page 17: (no text extracted)

Page 18: (no text extracted)

Page 19: (no text extracted)

Page 20

How to protect yourself.

• Upgrade your server

• Update your SSL Library

• Change your password

• Change your Private & Public Keys

• Change your security settings and their details

Page 21

DEMO

• Scanning using Nmap to check whether the server is vulnerable to Heartbleed

• Setting up a Heartbeat session with a Heartbleed payload

• Using ngrep to find usernames, passwords and keys in the decrypted Heartbeat (Heartbleed payload) data

Page 22

References

• Heartbleed.com

• Wikipedia

• Nmap

• exploit-db

Page 23

Thank You

• Mohammed Danish Amber

• Email : [email protected]