by Sharath Unni

HEARTBLEED Bug

Contents

Introduction to HTTP

Why HTTP over SSL?

Discovery of heartbleed

OpenSSL heartbeat extension

What exactly is bleeding?

Protecting against heartbleed attacks

A quick demo

A typical HTTP communication

• I would like to open a connection

• GET <file location>

• Display response

• Close connection

• OK

• Send page or error message

• OK

Client Server

Clear-text protocols

When packages of data are sent out over the internet – a lot more

can happen than you think!

Need for encryption SSL/TLS

Provides authentication, confidentiality and integrity.

Asymmetric encryption for key exchange (Public and Private keys)

Pre-shared secret key between the client and server

SHARED secret key – ensures that the message is private even if it is intercepted.

OpenSSL - open source implementation of SSL and TLS protocols

Discovery of Heartbleed The bug was independently discovered by a team of security engineers (Riku, Antti and Matti) at Codenomicon and Neel Mehta of Google Security, who first reported it to the OpenSSL team on April 1, 2014

Massive SSL bug impacts Internet and its users

According to Netcraft’s survey about 17.5% of SSL sites had heartbeat extension enabled (half a million)

Affected versions - 1.0.1 and 1.0.2-beta including 1.0.1f and 1.0.2-beta1 (since March 2012)

Apache and nginx servers typically run OpenSSL implementations

SSL heartbeat

SSL heartbeats are defined in RFC6520

Similar to Connection Keep-alive in HTTP

They can be sent without authenticating with the server

A heartbeat is a message that is sent to the server just so

the server can send it back. This lets a client know that

the server is still connected and listening.

OpenSSL HeartBeat

Heartbleed (CVE-2014-0160)

The vulnerability lies in the implementation of Heartbeat

The memory is allocated from the payload + padding

which is a user controlled value. (Buffer over-read)

OpenSSL heartbeat

So what if we can read the memory?

Metasploit extract of memory dump

Metasploit extract of memory dump

Protecting Private keys

What can we do about it?

Remove the HeartBeat extension

Upgrade to OpenSSL 1.0.1g

Revocation of the old key pairs

Force users to change their passwords

User awareness

Thank you!

@sharath_unni

h4xorhead@gmail.com