Heartbleed

Heartbleed

This is an apocalypse. The world is on fire. The sky is falling. Everything you hold sacred has now turned to dust.

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users.

Heartbleed

Earlier today, a bunch of security researchers unleashed CVE-2014-0160 (CODENAME: Heartbleed) into the world. It is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs). It powers about 66% of internet connected devices. I can guarantee that everyone who uses the internet would use it at some point in their day to day activities.

What’s frightening is that this bug has been around for more than 2 years. It is extremely likely that it has been exploited by multiple intelligence agencies and blackhats. Exploitation of this bug also leaves no traces of anything abnormal happening in the logs.

Note that both servers and clients are affected. This means that a malicious server could dump the secrets in your client’s memory without you knowing.

In short, the vulnerability disclosed allows an attacker to read the memory of the affected system. Memory is where an attacker would find passwords and private keys as well as other decrypted and sensitive information.

Don’t understand the severity of this problem? Imagine walking up to any stranger and saying “Hey, how’s it going?”. Immediately, he/she will share with you whatever was on their mind at that point in time. It could likely be a private thought, a secret they do not want anyone else to know about. You could keep asking as many times as you wanted and the stranger would tell you new things each time. On top of that, the stranger would not have a clue of it occuring.

As an end user, there’s nothing much you can do. Except, turn the internet off and go for a walk until the bug is patched. Do not use any web services that are vulnerable as they may leak your username and password, or worse, credit card information. More importantly, do not visit sites that you do not trust.

Change your passwords and API keys only after web services fix the issues. Prematurely changing them could be riskier than leaving them unchanged. Information used most recently are the ones being leaked. For example, private keys are leaked on the first request after a restart.

If you own a server that runs OpenSSL, here’s a list of things you should do.

  1. Update OpenSSL. Your distribution most likely would have patched and tested the package.
  2. Recompile everything that is linked to the old version of OpenSSL. Pacakges such as Nginx and Ruby do so and you’ll have to recompile them.
  3. Reboot the server. Ensure everything is running on the patched version.
  4. Generate a new private key, Certificate Signing Request (CSR) and get a new certificate. Consider your old keys compromised and revoke them. Get a brand new set.
  5. Change any passwords you use on the servers. Passwords are kept in memory and could have been leaked.
  6. Generate and switch to a new secret if you’re using cookie based sessions in Sinatra or other web frameworks. Expire all active user sessions.
  7. Get your users to change their passwords. Passwords should be considered compromised as the server leaks memory and past traffic can be decrypted.
  8. Check your SSL configurations. Don’t support older protocols and broken SSL ciphers. Enable Perfect Forward Secrecy (PFS) and HTTP Strict Transport Security (HSTS). You can also choose to cache SSL sessions for improved performace.

Some PoCs have since been released.

Stanley Tan
@stnly