Introduction
Since the last few days, Heartbleed trending on the internet and saying to the internet, I am evil. People are calling this bug as "Biggest Security Threat" to the internet. Some Websites called this bug "Catastrophic".
I was gawked to know that I was not safe since 2011 December since OpneSSL included Heartbeat Extension.
Background
This heartbleed bug is on the internet since 2011 December and it got fixed a week ago. First, it was found by Google Security team member NEEL MEHTA and a software firm called CODENOMICON. Codenomicon took the initiative about this bug and created a website for the information and solution of this bug, i.e., http://heartbleed.com.
Before diving into HeartBleed, I would like to tell you about why we need SSL (Secure Socket Layer) also known as TSL (Transport Security Layer).
Usually, we send the password, personal details, credit card details, selfie pics, social media posts over the internet .
To encrypt such details, we used HTTPS. To ensure any malicious person cannot intercept these details, we use OpenSSL, which is an open source software for the implementation of SSL on the web.
But all the SSL implemented HeartBeat extensions are vulnerable to HeartBleed. Through HeartBeat extension attacker can read the client/server memory (64KB at a time) .
What is Heartbeat Extension?
OpenSSL introduced an extension Heartbeat to keep the session alive for a longer time and to avoid reestablishment of sessions. Heartbeat introduced in OpenSSL with its 1.0.1 build release as defined in the RFC 6520 TLS/DTLS Heartbeat Extension. Heartbeat messages can be sent without authenticating with the server. For every request, there might be a Heartbeatrequest and a Heartbeatresponse.
What is Heartbleed?
YAY, you got the nerve - "Vulnerability in Hearbeat causes Heartbleed".
Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software.
Are You Heartbleed Vulnurable ?
People have created the malicious script for heartbeat request and created many online checkers. Following are the websites where you can test whether your website is Heartbleed vulnerable or not.
How to Exploit Heartbleed Attack?
There are many available ways to exploit Heartbleed. Everyone has their proof of concepts.
Some of the ways that I liked are listed below:
Basically, using the idea of Heartbeat, a client can send a
Heartbeatrequest
and the server will have to respond with
Heartbeatresponse
.
The total length of a HeartbeatMessage(request/response)
canNOT exceed 2^14 or max_fragment_length
when negotiated as defined in [RFC6066]. So we are only able to leak 64 KB of memory and that could easily have usernames/password or any random information.
Which OpenSSL Versions are Vulnerable and Who is vulnerable to Heartbleed ?
Heartbleed is only exploited where vulnerable OpenSSL software has been installed. Vulnerable versions are:
- 1.0.1
- 1.0.1a,
- 1.0.1b,
- 1.0.1c,
- 1.0.1d,
- 1.0.1e,
- 1.0.1f,
- 1.0.2-beta1
OpenSSL is installed mostly on the Apache servers and nginx servers. According to Netcraft, half a million trusted websites are vulnerable to this Heartbleed Bug. Image Courtsey Netcraft : LINK
Are Windows Server Safe ?
Being a .NET developer, this is the first thing that came into my mind. Are the websites developed by me and deployed on the Windows server using IIS safe?
According to Microsoft, they do not include OpenSSL and are not vulnerable to this Heartbleed. Microsoft has their own encryption component called SChannel (Abbreviated as Secure Channel). But those clients which are running softwares on OpenSSL instead of Schannel are vulnerable to this threat.
Solutions to Prevent Heartbleed Attack
Upgrade Your OpenSSL
Apply an upgrade to OpenSSL 1.0.1g. Contact your software vendor to apply an update for this.
Things to remember:
- Regenerate your secret keys (There might be a possibility that attacker already hacked your current secret key).
- Ask your users to change the password (I have received the official mail request from tumblr to change password).
Disable Heartbeat from Current Installed SSL
Steps to do it:
- Recompile your OpenSSL with the
-DOPENSSL_NO_HEARTBEATS
flag. - Restart your Apache and nginx server to effect the above command.
I hope you liked this simple and straightforward article. I have a lot of insight about this bug. We can have a healthy discussion here regarding this bug.
References and Further Readings