There has been a lot of talk, both at Nettitude and all over the world, over the last 24 hours regarding the Heartbleed bug. This is possibly the biggest kink in the armour of SSL ever found, due to the fact that it affects such a large portion of hosts on the internet [1].
The vulnerability means that it is possible to remotely obtain a small segment of a vulnerable host's memory by exploiting a buffer over-read (a missing bounds check on the heartbeat message) in certain versions of the OpenSSL library.
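To make the missing bounds check concrete, here is an added example (written for this post, not Nettitude's or the OpenSSL project's code) that parses a TLS heartbeat record and flags one whose declared payload length exceeds what the record actually carries. This is the check vulnerable OpenSSL lacked, and the same rule a network sensor can apply to spot malformed heartbeats; the sample records are constructed, not captured traffic.

```python
import struct

HEARTBEAT_CONTENT_TYPE = 0x18   # TLS record type for heartbeat (RFC 6520)
HEARTBEAT_TYPES = (1, 2)        # 1 = heartbeat_request, 2 = heartbeat_response
MIN_PADDING = 16                # RFC 6520 requires at least 16 bytes of padding

def parse_tls_record(data):
    """Split one raw TLS record into (content_type, version, body)."""
    if len(data) < 5:
        raise ValueError("truncated TLS record header")
    content_type, version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("record body shorter than declared length")
    return content_type, version, body

def heartbeat_is_malformed(body):
    """Return (malformed, reason) for a heartbeat record body.

    The body is: type (1 byte), payload_length (2 bytes), payload, padding.
    Vulnerable OpenSSL trusted payload_length and echoed that many bytes
    back to the peer; the fix (and this check) requires the record to
    actually contain header + payload_length + minimum padding."""
    if len(body) < 3:
        return True, "heartbeat shorter than its 3-byte header"
    hb_type, payload_length = struct.unpack("!BH", body[:3])
    if hb_type not in HEARTBEAT_TYPES:
        return True, "unknown heartbeat type %d" % hb_type
    if 1 + 2 + payload_length + MIN_PADDING > len(body):
        return True, "payload_length %d exceeds record body of %d bytes" % (
            payload_length, len(body))
    return False, "ok"

def classify_record(data):
    """Label a raw record; a sensor would alert on any 'malformed:' result."""
    content_type, _version, body = parse_tls_record(data)
    if content_type != HEARTBEAT_CONTENT_TYPE:
        return "not-heartbeat"
    malformed, reason = heartbeat_is_malformed(body)
    return "malformed: " + reason if malformed else "well-formed heartbeat"

# Constructed sample records (TLS 1.1 version bytes 0x0302), not captured traffic.
GOOD_HEARTBEAT = b"\x18\x03\x02\x00\x17" + b"\x01\x00\x04" + b"ping" + b"\x00" * 16
BAD_HEARTBEAT = b"\x18\x03\x02\x00\x17" + b"\x01\x40\x00" + b"ping" + b"\x00" * 16
APP_DATA = b"\x17\x03\x02\x00\x05" + b"hello"

if __name__ == "__main__":
    for name, rec in [("good", GOOD_HEARTBEAT), ("bad", BAD_HEARTBEAT), ("app", APP_DATA)]:
        print(name, "->", classify_record(rec))
```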
The problem with exposing a system's memory is that there is practically nothing that isn't held in it at some point or another; passwords, keys, documents and communications are all there and can potentially be accessed by an attacker. It would be possible to compromise the authenticated areas of applications by stealing session tokens from memory, the protocols used for data management by stealing private keys or passwords, and the credentials used for the system itself.
The segment of memory exposed to an attacker is small (only 64 kilobytes) and seems to come in a lucky-dip fashion from the host, which makes practical exploitation far more difficult.
However, by repeating the exploit over a long period of time against a victim machine, it has been proven possible to gain access to targeted pieces of information. While no publicly available exploit code has been found that allows targeting specific information within RAM, there are already many variations of tools made public to check a host's susceptibility to this issue.
In the short time since this vulnerability has been disclosed, there has already been a wave of public tools which can assess whether a host is vulnerable:
- A website dedicated to checking if hosts are vulnerable
- A tool for extracting website session tokens from the leaked memory
- A module for the Metasploit penetration testing framework
The vulnerability had existed in OpenSSL for two years before being exposed yesterday, and whether it lay dormant or was exploited in the wild can only be speculated upon.
And speculate people have. Large companies are already in the process of buying new SSL certificates and changing all their system and user passwords as a precaution, since the potential for them to have already been compromised is so high.
Also, consider the millions of devices around the world which are vulnerable to the Heartbleed attack and will now be completely redundant due to a lack of updates, such as older embedded devices like IP cameras or home routers, which will now have to sit in storage collecting dust.
For people working in the security industry and hackers alike, this is one of those rare vulnerabilities which will probably still be seen on hosts for a number of years.
Nettitude recommend that anyone responsible for devices which communicate data over SSL take immediate action to assess whether their systems are vulnerable. Affected hosts should be updated to the most recent, non-vulnerable version of OpenSSL, and effort should be taken to ensure that the credentials used on these systems are changed. Details of the vulnerable versions of OpenSSL and more technical information can be found here: http://heartbleed.com.
Nettitude will continue to provide updates to this post as and when further information is available.
If you have any security concerns with regard to this vulnerability, please contact us and we will endeavour to help protect your data and your business.
[1] Vulnerable sites in the Alexa Top 10,000: https://github.com/musalbas/heartbleed-masstest/blob/master/top10000.txt