Heartbleed: Difference between revisions

From Wikipedia, the free encyclopedia
Content deleted Content added
JosJuice (talk | contribs)
→‎History: Removed a paragraph only containing things that are covered by the first paragraph, and moved that paragraph's sources to the first paragraph
→‎Behavior: more details on how bug worked
Line 32: Line 32:
==Behavior==
==Behavior==
[[File:Heartbleed bug explained.svg|Explanation of the heartbleed bug|thumb|250px]]
[[File:Heartbleed bug explained.svg|Explanation of the heartbleed bug|thumb|250px]]
The Heartbeat Extension for the Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) protocols was specified by RFC 6520, dated February 2012, and was designed to provide a way to test and keep alive secure communication links without the need to renegotiate the connection each time. It allows a computer on one end of a connection to send a “Heartbeat Request” message consisting of a payload, such as a text string, along with the payload’s length as a 16-bit integer. The receiving computer then must send the same payload back to the sender.
The bug is manifested by sending a malformed heartbeat request to the server in order to elicit the server's response, which normally consists of the same data buffer that was received. Due to a lack of [[bounds checking]], the affected versions of OpenSSL did not verify the validity of the heartbeat request size, permitting attackers to read an arbitrary size of server memory.<ref name="troyhunt">{{cite web|url=http://www.troyhunt.com/2014/04/everything-you-need-to-know-about.html|accessdate=April 10, 2014|title=Everything you need to know about the Heartbleed SSL bug |date=April 9, 2014|author=Troy Hunt}}</ref>


The affected versions of OpenSSL allocated a memory buffer for the message to be returned based on the length field in the requesting message, without regard to the size of actual payload in that message. Because of this failure to do proper [[bounds checking]], the message returned consisted of the requested payload followed by whatever else happened to be in the allocated memory buffer. The problem was compounded by OpenSSL's decision to write its own version of the [[C dynamic memory allocation]] routines. As a result, the oversized memory buffer returned to the requestor was likely to contain data from memory blocks that had been previously requested and freed by SSL. Such memory blocks may contain sensitive data sent by users or even the private keys used by SSL. In addition, by using its own memory management routines, SSL bypassed mitigation measures in many operating systems that might have detected or neutralized the bug.
By reading an arbitrary block of the web server's memory, attackers might receive sensitive data, compromising the security of the server and its users. Vulnerable data include the server's [[Public-key cryptography|private master key]],<ref name="hb"/><ref name="hbos"/> which would enable attackers to decrypt current or stored traffic via passive [[man-in-the-middle]] attack (if [[perfect forward secrecy]] is not used by the server and client), or active man-in-the-middle if perfect forward secrecy is used. The attacker cannot control which data are returned, as the server responds with a random chunk of its own memory.

The heartbleed bug is exploited by sending a malformed heartbeat request with a small payload and large length field to the server in order to elicit the server's response permitting attackers to read up to 32K bytes of server memory likely to have been used previously by SSL.<ref name="troyhunt">{{cite web|url=http://www.troyhunt.com/2014/04/everything-you-need-to-know-about.html|accessdate=April 10, 2014|title=Everything you need to know about the Heartbleed SSL bug |date=April 9, 2014|author=Troy Hunt}}</ref>
Attackers in this way could receive sensitive data, compromising the security of the server and its users. Vulnerable data include the server's [[Public-key cryptography|private master key]],<ref name="hb"/><ref name="hbos"/> which would enable attackers to decrypt current or stored traffic via passive [[man-in-the-middle]] attack (if [[perfect forward secrecy]] is not used by the server and client), or active man-in-the-middle if perfect forward secrecy is used. The attacker cannot control which data are returned, as the server responds with a random chunk of its own memory.


The bug might also reveal unencrypted parts of users' requests and responses, including any form [[POST (HTTP)|post data]] in users' requests, [[session cookie]]s and passwords, which might allow attackers to [[Session hijacking|hijack the identity]] of another user of the service.<ref name="ipsec">{{cite web |url=http://ipsec.pl/ssl-tls/2014/why-heartbleed-dangerous-exploiting-cve-2014-0160.html |title=Why Heartbleed is dangerous? Exploiting CVE-2014-0160 |date=2014 |publisher=IPSec.pl}}</ref> At its disclosure, some 17 percent or half a million of the Internet's secure [[web servers]] certified by [[Certificate authority|trusted authorities]] were believed to have been vulnerable to an attack.<ref>{{cite web|last=Mutton|first=Paul|title=Half a million widely trusted websites vulnerable to Heartbleed bug|url=http://news.netcraft.com/archives/2014/04/08/half-a-million-widely-trusted-websites-vulnerable-to-heartbleed-bug.html|publisher=[[Netcraft]] Ltd.|accessdate=April 8, 2014|date=April 8, 2014}}</ref> The [[Electronic Frontier Foundation]],<ref>{{cite web|url=https://www.eff.org/deeplinks/2014/04/why-web-needs-perfect-forward-secrecy |title=Why the Web Needs Perfect Forward Secrecy More Than Ever &#124; Electronic Frontier Foundation |publisher=Eff.org |date=March 18, 2011 |accessdate=April 10, 2014}}</ref> [[Ars Technica]],<ref>{{cite web|last=Goodin |first=Dan |url=http://arstechnica.com/security/2014/04/critical-crypto-bug-exposes-yahoo-mail-passwords-russian-roulette-style/ |title=Critical crypto bug exposes Yahoo Mail, other passwords Russian roulette-style |publisher=Ars Technica |date= |accessdate=April 10, 2014}}</ref> and [[Bruce Schneier]]<ref>{{cite web|url=https://www.schneier.com/blog/archives/2014/04/heartbleed.html |title=Schneier on Security: Heartbleed |publisher=Schneier.com |date= |accessdate=April 10, 2014}}</ref> all deemed the Heartbleed bug "catastrophic." 
Forbes cybersecurity columnist, Joseph Steinberg, described the bug as potentially "the worst vulnerability found (at least in terms of its potential impact) since commercial traffic began to flow on the Internet."<ref>{{cite web| last=Steinberg |first=Joseph |url= http://www.forbes.com/sites/josephsteinberg/2014/04/10/massive-internet-security-vulnerability-you-are-at-risk-what-you-need-to-do/ |title= Massive Internet Security Vulnerability – Here's What You Need To Do |publisher=Forbes |date= |accessdate=April 10, 2014}}</ref>
The bug might also reveal unencrypted parts of users' requests and responses, including any form [[POST (HTTP)|post data]] in users' requests, [[session cookie]]s and passwords, which might allow attackers to [[Session hijacking|hijack the identity]] of another user of the service.<ref name="ipsec">{{cite web |url=http://ipsec.pl/ssl-tls/2014/why-heartbleed-dangerous-exploiting-cve-2014-0160.html |title=Why Heartbleed is dangerous? Exploiting CVE-2014-0160 |date=2014 |publisher=IPSec.pl}}</ref> At its disclosure, some 17 percent or half a million of the Internet's secure [[web servers]] certified by [[Certificate authority|trusted authorities]] were believed to have been vulnerable to an attack.<ref>{{cite web|last=Mutton|first=Paul|title=Half a million widely trusted websites vulnerable to Heartbleed bug|url=http://news.netcraft.com/archives/2014/04/08/half-a-million-widely-trusted-websites-vulnerable-to-heartbleed-bug.html|publisher=[[Netcraft]] Ltd.|accessdate=April 8, 2014|date=April 8, 2014}}</ref> The [[Electronic Frontier Foundation]],<ref>{{cite web|url=https://www.eff.org/deeplinks/2014/04/why-web-needs-perfect-forward-secrecy |title=Why the Web Needs Perfect Forward Secrecy More Than Ever &#124; Electronic Frontier Foundation |publisher=Eff.org |date=March 18, 2011 |accessdate=April 10, 2014}}</ref> [[Ars Technica]],<ref>{{cite web|last=Goodin |first=Dan |url=http://arstechnica.com/security/2014/04/critical-crypto-bug-exposes-yahoo-mail-passwords-russian-roulette-style/ |title=Critical crypto bug exposes Yahoo Mail, other passwords Russian roulette-style |publisher=Ars Technica |date= |accessdate=April 10, 2014}}</ref> and [[Bruce Schneier]]<ref>{{cite web|url=https://www.schneier.com/blog/archives/2014/04/heartbleed.html |title=Schneier on Security: Heartbleed |publisher=Schneier.com |date= |accessdate=April 10, 2014}}</ref> all deemed the Heartbleed bug "catastrophic." 
Forbes cybersecurity columnist, Joseph Steinberg, described the bug as potentially "the worst vulnerability found (at least in terms of its potential impact) since commercial traffic began to flow on the Internet."<ref>{{cite web| last=Steinberg |first=Joseph |url= http://www.forbes.com/sites/josephsteinberg/2014/04/10/massive-internet-security-vulnerability-you-are-at-risk-what-you-need-to-do/ |title= Massive Internet Security Vulnerability – Here's What You Need To Do |publisher=Forbes |date= |accessdate=April 10, 2014}}</ref>


===Patch===
===Patch===
The bug is classified as a buffer over-read,<ref>{{cite web|url=http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160 |title=CVE – CVE-2014-0160 |publisher=Cve.mitre.org |date= |accessdate=April 10, 2014}}</ref> a situation where software allows more data to be read than should be allowed.<ref>{{cite web|url=http://cwe.mitre.org/data/definitions/126.html |title=CWE – CWE-126: Buffer Over-read (2.6) |publisher=Cwe.mitre.org |date=February 18, 2014 |accessdate=April 10, 2014}}</ref>
The bug is classified as a buffer over-read,<ref>{{cite web|url=http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160 |title=CVE – CVE-2014-0160 |publisher=Cve.mitre.org |date= |accessdate=April 10, 2014}}</ref> a situation where software allows more data to be read than should be allowed.<ref>{{cite web|url=http://cwe.mitre.org/data/definitions/126.html |title=CWE – CWE-126: Buffer Over-read (2.6) |publisher=Cwe.mitre.org |date=February 18, 2014 |accessdate=April 10, 2014}}</ref> The problem can be fixed by making sure no more memory is allocated than is needed to return the requested payload.


Version 1.0.1g of OpenSSL adds some bounds checks to prevent the buffer over-read. For example, the test
Version 1.0.1g of OpenSSL adds some bounds checks to prevent the buffer over-read. For example, the test
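Review bot: the rewritten Behavior paragraph now states a hard figure, "read up to 32K bytes of server memory", while the article's History section says the defect "could be used to reveal up to 64 kilobytes of the application's memory with every heartbeat", and the new opening paragraph describes the payload length as a 16-bit integer, which admits claimed lengths up to 65535 bytes. Reconcile the two figures before publishing (the cited Troy Hunt piece should settle which one it supports), or drop the number and keep the removed wording "an arbitrary size of server memory".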

Revision as of 16:35, 13 April 2014

Logo representing the Heartbleed bug. The logo and the name "Heartbleed" have contributed to public awareness of the issue.[1][2]

Heartbleed is a software bug in the open-source cryptography library OpenSSL. At its public disclosure, on April 7, 2014, some 17 percent (around half a million) of the Internet's secure web servers certified by trusted authorities were believed to have been vulnerable to the attack, allowing theft of the servers' private keys and users' session cookies and passwords.[3][4][5][6][7]

The issue is registered in the Common Vulnerabilities and Exposures system as CVE-2014-0160.[8]

History

The vulnerability was introduced into OpenSSL's source code repository on December 31, 2011 by Dr. Stephen N. Henson, one of OpenSSL's four core developers, following a request from Dr. Robin Seggelmann, the change's author.[9][10][11] The vulnerable code came into widespread use with the release of OpenSSL version 1.0.1 on March 14, 2012.[12][13][14][15]

On March 21, 2014, Bodo Moeller and Adam Langley of Google wrote a patch that fixed the bug. The date of the patch is known from Red Hat's Bugzilla instance.[16] The next date available from public evidence is the claim by the performance and security company CloudFlare that it fixed the flaw on its systems on March 31, 2014.[17]

According to Mark J. Cox of OpenSSL, Neel Mehta of Google's security team reported Heartbleed on April 1, 2014.[18] The bug entailed a severe memory handling error in the implementation of the Transport Layer Security (TLS) Heartbeat Extension.[19][20] This defect could be used to reveal up to 64 kilobytes of the application's memory with every heartbeat.[21]

The bug was named by an engineer at Codenomicon, a Finnish cybersecurity company, which also created the bleeding-heart logo and launched the domain Heartbleed.com to explain the bug to the public.[22] According to Codenomicon, Neel Mehta first reported the bug to OpenSSL, but Google and Codenomicon discovered it independently.[12] Codenomicon reports April 3 as the date on which it discovered the bug and notified NCSC-FI (formerly known as CERT-FI) for vulnerability coordination.[12][23] Mehta also congratulated Codenomicon, without going into detail.[24]

On April 10, "Cisco Systems and Juniper Networks, two of the biggest creators of Internet equipment, announced on Thursday that their products had been affected by the Heartbleed bug. Routers, firewalls and switches ... have all likely been affected by the bug, leaving your personal information at risk of being stolen by hackers."[25]

On April 12, at least two independent researchers were able to steal private keys using this attack from an experimental server intentionally set up for that purpose by CloudFlare.[26][27]

Hypothetical exploitation prior to disclosure

Based on examinations of audit logs by researchers, it has been reported that some attackers may have exploited the flaw for at least five months before discovery and announcement.[28][29] Errata Security has partially rejected this hypothesis.[30]

According to two insider sources speaking to Bloomberg.com, the United States National Security Agency had been aware of the flaw since shortly after its introduction but chose to keep it secret, instead of reporting it, in order to exploit it for its own purposes.[31][32][33] The NSA has denied this claim.[34]

Behavior

Explanation of the heartbleed bug

The Heartbeat Extension for the Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) protocols was specified by RFC 6520, dated February 2012, and was designed to provide a way to test and keep alive secure communication links without the need to renegotiate the connection each time. It allows a computer on one end of a connection to send a “Heartbeat Request” message consisting of a payload, such as a text string, along with the payload’s length as a 16-bit integer. The receiving computer then must send the same payload back to the sender.

The affected versions of OpenSSL allocated a memory buffer for the message to be returned based on the length field in the requesting message, without regard to the size of the actual payload in that message. Because of this failure to do proper bounds checking, the message returned consisted of the requested payload followed by whatever else happened to be in the allocated memory buffer. The problem was compounded by OpenSSL's decision to write its own version of the C dynamic memory allocation routines. As a result, the oversized memory buffer returned to the requester was likely to contain data from memory blocks that had previously been allocated and freed by OpenSSL. Such memory blocks may contain sensitive data sent by users or even the private keys used by OpenSSL. In addition, by using its own memory management routines, OpenSSL bypassed mitigation measures in many operating systems that might have detected or neutralized the bug.

The Heartbleed bug is exploited by sending a malformed heartbeat request, with a small payload and a large length field, to the server in order to elicit a response that lets attackers read up to 32K bytes of server memory likely to have been used previously by OpenSSL.[35] In this way attackers could obtain sensitive data, compromising the security of the server and its users. Vulnerable data include the server's private master key,[12][15] which would enable attackers to decrypt current or stored traffic via a passive man-in-the-middle attack (if perfect forward secrecy is not used by the server and client), or an active man-in-the-middle attack if perfect forward secrecy is used. The attacker cannot control which data are returned, as the server responds with a random chunk of its own memory.

The bug might also reveal unencrypted parts of users' requests and responses, including any form post data in users' requests, session cookies and passwords, which might allow attackers to hijack the identity of another user of the service.[36] At its disclosure, some 17 percent or half a million of the Internet's secure web servers certified by trusted authorities were believed to have been vulnerable to an attack.[37] The Electronic Frontier Foundation,[38] Ars Technica,[39] and Bruce Schneier[40] all deemed the Heartbleed bug "catastrophic." Forbes cybersecurity columnist, Joseph Steinberg, described the bug as potentially "the worst vulnerability found (at least in terms of its potential impact) since commercial traffic began to flow on the Internet."[41]

Patch

The bug is classified as a buffer over-read,[42] a situation where software allows more data to be read than should be allowed.[43] The problem can be fixed by making sure no more memory is allocated than is needed to return the requested payload.

Version 1.0.1g of OpenSSL adds some bounds checks to prevent the buffer over-read. For example, the test

if (1 + 2 + payload + 16 > s->s3->rrec.length) return 0; /* silently discard per RFC 6520 sec. 4 */

has been added in front of the line

pl = p;
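The mechanism described in the Behavior section and the check quoted above can be seen side by side in a small model. The following C program is an added example written for this page; it is not OpenSSL code. It keeps only what the bug needs from RFC 6520 (type byte, 16-bit length, payload, padding), replaces the heap with a fixed array that is deliberately larger than the record (constructed stand-in for stale memory), and implements two handlers: one that sizes the response from the claimed length alone, as the affected versions did, and one that applies the `1 + 2 + payload + 16 > record length` test that 1.0.1g added (the preliminary `1 + 2 + 16 > length` test before parsing is also from that patch). The function names, the `arena`, and the marker byte `'S'` are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 6520 heartbeat message layout (this toy keeps only what the bug needs):
 *   1 byte   HeartbeatMessageType (1 = request, 2 = response)
 *   2 bytes  payload_length, big-endian uint16
 *   payload_length bytes of payload
 *   at least 16 bytes of padding */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HDR_LEN  3
#define HB_PADDING  16

/* Toy "heap" (constructed): the record occupies its first rec_len bytes; everything
 * after it stands in for whatever stale memory sat next to the record in a real server. */
#define ARENA_SIZE 4096
static unsigned char arena[ARENA_SIZE];

static uint16_t read_u16(const unsigned char *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Pre-1.0.1g logic in miniature: the response is sized from the claimed payload_length
 * alone and rec_len is never consulted, so the copy runs off the end of the record.
 * Returns the response length, or 0 if the output buffer cannot hold it. */
size_t hb_respond_unchecked(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap)
{
    (void)rec_len;                                  /* ignored: that is the bug */
    const unsigned char *p = rec;
    if (*p++ != HB_REQUEST) return 0;
    uint16_t payload = read_u16(p);
    p += 2;
    size_t resp_len = HB_HDR_LEN + payload + HB_PADDING;
    if (resp_len > out_cap) return 0;               /* keeps this toy inside the arena */
    out[0] = HB_RESPONSE; out[1] = (unsigned char)(payload >> 8); out[2] = (unsigned char)payload;
    memcpy(out + HB_HDR_LEN, p, payload);           /* reads past the record when payload is oversized */
    memset(out + HB_HDR_LEN + payload, 0, HB_PADDING);
    return resp_len;
}

/* 1.0.1g logic: the record must be long enough to carry header and padding before anything
 * is parsed, and the claimed payload must fit inside the record, i.e. the test
 * `1 + 2 + payload + 16 > s->s3->rrec.length` quoted in the article; otherwise the
 * message is silently discarded as RFC 6520 section 4 requires. */
size_t hb_respond_checked(const unsigned char *rec, size_t rec_len,
                          unsigned char *out, size_t out_cap)
{
    if ((size_t)1 + 2 + 16 > rec_len) return 0;     /* too short even for an empty payload */
    const unsigned char *p = rec;
    if (*p++ != HB_REQUEST) return 0;
    uint16_t payload = read_u16(p);
    p += 2;
    if ((size_t)1 + 2 + payload + 16 > rec_len) return 0;   /* silently discard */
    size_t resp_len = HB_HDR_LEN + payload + HB_PADDING;
    if (resp_len > out_cap) return 0;
    out[0] = HB_RESPONSE; out[1] = (unsigned char)(payload >> 8); out[2] = (unsigned char)payload;
    memcpy(out + HB_HDR_LEN, p, payload);           /* now provably inside the record */
    memset(out + HB_HDR_LEN + payload, 0, HB_PADDING);
    return resp_len;
}

/* Writes a request whose real payload is the 5 bytes "hello" but whose length field claims
 * `claimed_len`, and fills the rest of the arena with 'S' so stale bytes are recognisable
 * in the response. Returns the true record length (24). */
static size_t build_request(uint16_t claimed_len)
{
    const size_t real = 5;
    memset(arena, 'S', ARENA_SIZE);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)claimed_len;
    memcpy(arena + HB_HDR_LEN, "hello", real);
    memset(arena + HB_HDR_LEN + real, 0, HB_PADDING);
    return HB_HDR_LEN + real + HB_PADDING;
}

/* Runs one request through either handler and returns how many 'S' marker bytes the echoed
 * payload contains, i.e. how much of the arena beyond the record leaked. */
size_t stale_bytes_echoed(uint16_t claimed_len, int checked)
{
    unsigned char out[ARENA_SIZE];
    size_t rec_len = build_request(claimed_len);
    size_t n = checked ? hb_respond_checked(arena, rec_len, out, sizeof out)
                       : hb_respond_unchecked(arena, rec_len, out, sizeof out);
    size_t leaked = 0;
    for (size_t i = HB_HDR_LEN; n && i < n - HB_PADDING; i++)
        if (out[i] == 'S') leaked++;
    return leaked;
}

int main(void)
{
    printf("unchecked, claimed 64: %zu stale bytes echoed\n", stale_bytes_echoed(64, 0));
    printf("checked,   claimed 64: %zu stale bytes echoed\n", stale_bytes_echoed(64, 1));
    printf("checked,   claimed  5: %zu stale bytes echoed\n", stale_bytes_echoed(5, 1));
    return 0;
}
```

With a record of 24 bytes and a claimed length of 64, the unchecked handler echoes the 5 real payload bytes, the 16 padding bytes, and then 43 marker bytes from beyond the record; the checked handler discards the same request and returns nothing. The two-stage check matters: the first guard protects the three header bytes from being read out of a record shorter than 19 bytes, and the second is the one-line fix the article quotes.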

A complete list of changes is available at git.openssl.org.[44]

Although patching the software (the OpenSSL library and any statically linked binaries) fixes the bug, running software will continue to use its in-memory copy of the buggy OpenSSL code until each application is shut down and restarted so that the patched code can be loaded. Further, in order to regain privacy and secrecy, all private or secret data must be replaced, since it is not possible to know whether they were compromised while the vulnerable code was in use:[45]

  • all possibly compromised private key-public key pairs must be regenerated,
  • all certificates linked to those possibly compromised key pairs need to be revoked and replaced, and
  • all passwords on the possibly compromised servers need to be changed.
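The restart caveat above is easy to verify on Linux: when a package upgrade replaces a shared library, `/proc/<pid>/maps` keeps showing the old file for every process that has not restarted, with the kernel's "(deleted)" suffix after the path. The C program below is an added example written for this page (not OpenSSL or distribution tooling): it classifies maps lines, walks `/proc` when run with `--live`, and otherwise runs over a constructed sample of maps lines. The function names, the `--live` flag, and all PIDs, addresses and inode numbers in the sample are this example's own.

```c
#include <ctype.h>
#include <dirent.h>
#include <stdio.h>
#include <string.h>

/* A /proc/<pid>/maps line points at a stale OpenSSL mapping when its path names libssl or
 * libcrypto and the kernel has tagged it "(deleted)": the package upgrade replaced the file
 * on disk, but this process still executes the old copy and must be restarted. */
int maps_line_is_stale_openssl(const char *line)
{
    static const char tag[] = " (deleted)";
    const size_t tlen = sizeof tag - 1;
    size_t n = strlen(line);
    while (n > 0 && isspace((unsigned char)line[n - 1])) n--;   /* strip trailing newline */
    if (n < tlen || strncmp(line + n - tlen, tag, tlen) != 0) return 0;
    return strstr(line, "libssl") != NULL || strstr(line, "libcrypto") != NULL;
}

/* Live check on Linux: walks /proc and reports every pid with at least one stale OpenSSL
 * mapping. Returns the count, or -1 if /proc is unreadable. Other users' processes are
 * only visible when run as root. */
int scan_proc_for_stale_openssl(FILE *report)
{
    DIR *d = opendir("/proc");
    if (d == NULL) return -1;
    int found = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (!isdigit((unsigned char)e->d_name[0])) continue;      /* numeric entries are pids */
        char path[64];
        snprintf(path, sizeof path, "/proc/%s/maps", e->d_name);
        FILE *f = fopen(path, "r");
        if (f == NULL) continue;                                     /* not ours to read */
        char line[1024];
        int stale = 0;
        while (!stale && fgets(line, sizeof line, f) != NULL)
            stale = maps_line_is_stale_openssl(line);
        fclose(f);
        if (stale) {
            found++;
            if (report) fprintf(report, "restart needed: pid %s\n", e->d_name);
        }
    }
    closedir(d);
    return found;
}

/* Constructed sample (not real output) of what a half-patched host might show, sorted by pid:
 * 1234 and 5678 still run the pre-upgrade library; 9012 was restarted and maps the new file;
 * 4242 maps an unrelated deleted library and must not be flagged. */
struct sample_line { int pid; const char *line; };
static const struct sample_line SAMPLE[] = {
    {1234, "7f2a1c000000-7f2a1c05c000 r-xp 00000000 fd:01 131132 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)\n"},
    {1234, "7f2a1c25b000-7f2a1c265000 r--p 0005b000 fd:01 131132 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)\n"},
    {4242, "7f11aa000000-7f11aa1c0000 r-xp 00000000 fd:01 120233 /lib/x86_64-linux-gnu/libc-2.19.so (deleted)\n"},
    {5678, "7f9b40000000-7f9b401f2000 r-xp 00000000 fd:01 131140 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)\n"},
    {9012, "7fd410000000-7fd41005c000 r-xp 00000000 fd:01 140011 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0\n"},
};

/* Counts distinct pids in the sample that still map the old library (sample is sorted by pid). */
int stale_pids_in_sample(void)
{
    int count = 0, last_pid = -1;
    for (size_t i = 0; i < sizeof SAMPLE / sizeof SAMPLE[0]; i++) {
        if (!maps_line_is_stale_openssl(SAMPLE[i].line)) continue;
        if (SAMPLE[i].pid != last_pid) { count++; last_pid = SAMPLE[i].pid; }
    }
    return count;
}

int main(int argc, char **argv)
{
    if (argc > 1 && strcmp(argv[1], "--live") == 0)
        return scan_proc_for_stale_openssl(stdout) > 0 ? 1 : 0;   /* non-zero: restarts pending */
    printf("sample: %d process(es) still map the pre-upgrade OpenSSL\n", stale_pids_in_sample());
    return 0;
}
```

A non-zero exit from `--live` is a convenient signal for configuration management: the library on disk is fixed, but the listed services still run the old code and the key and certificate rotation steps above are not complete until they have been restarted.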

Vulnerability testing services

Several services were made available to test whether the Heartbleed bug was present on a given site, including:

  • Heartbleed testing tool by a European IT security company[46]
  • Heartbleed Scanner by Italian cryptologist Filippo Valsorda[47]
  • Metasploit Heartbleed scanner module[48]
  • Heartbleed Server Scanner by Rehmann[49]
  • Lookout Mobile Security Heartbleed Detector, an app for Android devices that determines the OpenSSL version of the device and indicates whether the vulnerable heartbeat is enabled[50]
  • Heartbleed checker hosted by LastPass[51]
  • Online network range scanner for Heartbleed vulnerability by Pentest-Tools.com[52]
  • Official offline scanner in Python from Red Hat, heartbleed-poc.py (https://access.redhat.com/labs/heartbleed/heartbleed-poc.py)
  • Qualys SSL Labs' SSL Server Test which not only looks for the Heartbleed bug, but can also find other insecure SSL/TLS implementation errors like supporting the totally broken SSL2, insecure renegotiation, and weak ciphers.
  • Browser extensions, such as Chromebleed and FoxBleed.

Other security tools have added support for finding this bug. For example, Sourcefire has released Snort rules to detect Heartbleed attack traffic and possible Heartbleed response traffic.[53] Tenable Network Security wrote a plugin for its Nessus vulnerability scanner that can scan for this fault.[54]

Affected services

The following OpenSSL versions were determined to be vulnerable:

The following OpenSSL versions include patches to fix the Heartbleed bug:

  • OpenSSL 1.0.2-beta2 (upcoming)
  • OpenSSL 1.0.1g

To resolve the bug, server administrators are advised[by whom?] to either use 1.0.1g or to recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS, thus disabling the vulnerable feature until the server software can be updated.

Websites and web services

The following sites have services affected or made announcements recommending that users update passwords in response to the bug:


Software applications

  • IPCop 2.1.4 was released on April 8, 2014 with a fix for "the OpenSSL library everybody is talking about".[75]
  • LastPass Password Manager was not vulnerable, due to its use of forward secrecy, but it recommended users change passwords that LastPass stored for vulnerable websites.[76]
  • LibreOffice 4.2.3 was released on April 10, 2014 with a fix for CVE-2014-0160.[77]
  • LogMeIn claimed to have "updated many products and parts of our services that rely on OpenSSL".[78]

Reaction

On the day of the announcement, April 7, 2014, the Tor Project issued an announcement on its blog and advised that anyone seeking "strong anonymity or privacy on the Internet" should "stay away from the Internet entirely for the next few days while things settle." They also recommended that Tor relay operators and hidden service operators revoke and generate fresh keys after patching OpenSSL, but noted that Tor relays use two sets of keys and that Tor's multi-hop design minimizes the impact of exploiting a single relay.[79]

The Canada Revenue Agency (CRA) closed down its electronic services website over Heartbleed bug security concerns.[80]

Platform maintainers like the Wikimedia Foundation advised their users to change passwords.[71]

An analysis posted on GitHub of the top 1000 most visited websites on April 8, 2014 revealed vulnerabilities in sites including Yahoo!, Imgur, Stack Overflow, Slate, and DuckDuckGo.[81][82]

Theo de Raadt, founder and leader of the OpenBSD and OpenSSH projects, has criticized the OpenSSL developers for explicitly circumventing OpenBSD C standard library exploit countermeasures, saying "OpenSSL is not developed by a responsible team."[83][84]

The author of the bug, Robin Seggelmann,[85] stated that he "missed validating a variable containing a length" and denied any intention to submit a flawed implementation.[86]

References

  1. ^ McKenzie, Patrick (April 9, 2014). "What Heartbleed Can Teach The OSS Community About Marketing". Retrieved April 10, 2014.
  2. ^ Biggs, John (April 9, 2014). "Heartbleed, The First Security Bug With A Cool Logo". TechCrunch. Retrieved April 10, 2014.
  3. ^ Mutton, Paul (April 8, 2014). "Half a million widely trusted websites vulnerable to Heartbleed bug". Netcraft Ltd. Retrieved April 8, 2014.
  4. ^ Perlroth, Nicole; Hardy, Quentin (April 11, 2014). "Heartbleed Flaw Could Reach to Digital Devices, Experts Say". New York Times. Retrieved April 11, 2014.
  5. ^ Chen, Brian X. (April 9, 2014). "Q. and A. on Heartbleed: A Flaw Missed by the Masses". New York Times. Retrieved April 10, 2014.
  6. ^ Wood, Molly (April 10, 2014). "Flaw Calls for Altering Passwords, Experts Say". New York Times. Retrieved April 10, 2014.
  7. ^ Manjoo, Farhad (April 10, 2014). "Users' Stark Reminder: As Web Grows, It Grows Less Secure". New York Times. Retrieved April 10, 2014.
  8. ^ "CVE – CVE-2014-0160". Cve.mitre.org. Retrieved April 10, 2014.
  9. ^ "Man who introduced serious 'Heartbleed' security flaw denies he inserted it deliberately". The Sydney Morning Herald. 2014.
  10. ^ "#2658: [PATCH] Add TLS/DTLS Heartbeats". OpenSSL. 2011.
  11. ^ "Meet the man who created the bug that almost broke the Internet". Globe and Mail. April 11, 2014.
  12. ^ a b c d Codenomicon Ltd (April 8, 2014). "Heartbleed Bug". Retrieved April 8, 2014.
  13. ^ Goodin, Dan (April 8, 2014). "Critical crypto bug in OpenSSL opens two-thirds of the Web to eavesdropping". Ars Technica. Retrieved April 8, 2014.
  14. ^ Goodin, Dan (April 8, 2014). "Critical crypto bug in OpenSSL opens two-thirds of the Web to eavesdropping". Ars Technica. Retrieved April 8, 2014.
  15. ^ a b Bar-El, Hagai (April 9, 2014). "OpenSSL Heartbleed bug: what's at risk on the server and what is not". Retrieved April 9, 2014.
  16. ^ "Redhat Bugzilla – Heartbeat Fix". Retrieved April 12, 2014.
  17. ^ "CloudFlare – Update on the Heartbleed OpenSSL Vulnerability". Retrieved April 12, 2014.
  18. ^ "Mark J Cox – #Heartbleed". Retrieved April 12, 2014.
  19. ^ Seggelmann, R.; et al. (February 2012). "Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) Heartbeat Extension". RFC 6520. Internet Engineering Task Force (IETF). Retrieved April 8, 2014.
  20. ^ OpenSSL.org (April 7, 2014). "OpenSSL Security Advisory [07 Apr 2014]". Retrieved April 9, 2014.
  21. ^ OpenSSL (April 7, 2014). "TSL heartbeat read overrun (CVE-2014-0160)". Retrieved April 8, 2014.
  22. ^ "Why is it called the 'Heartbleed Bug'?".
  23. ^ "Näin suomalaistutkijat löysivät vakavan vuodon internetin sydämestä - transl/Finnish researchers found a serious leakage of the heart of the Internet". April 10, 2014. Retrieved April 13, 2014.
  24. ^ Mehta, Neel. "Don't forget to patch DTLS". Twitter. Retrieved April 11, 2014.
  25. ^ Kleinman, Alexis (April 11, 2014). "The Heartbleed Bug Goes Even Deeper Than We Realized – Here's What You Should Do". The Huffington Post. Retrieved April 12, 2014.
  26. ^ Lawler, Richard (April 11, 2014). "Cloudflare Challenge proves 'worst case scenario' for Heartbleed is actually possible". Engadget. Retrieved April 12, 2014.
  27. ^ "The Heartbleed Challenge". CloudFlare. 2014.
  28. ^ Gallagher, Sean (April 9, 2014). "Heartbleed vulnerability may have been exploited months before patch". Ars Technica. Retrieved April 10, 2014.
  29. ^ Eckersley, Peter (April 10, 2014). "Were Intelligence Agencies Using Heartbleed in November 2013?". EFF.org.
  30. ^ Graham, Robert (April 9, 2014). "No, we weren't scanning for hearbleed[sic] before April 7". Errata Security.
  31. ^ Riley, Michael. "NSA Said to Exploit Heartbleed Bug for Intelligence for Years". Bloomberg. Retrieved April 11, 2014.
  32. ^ "Report: NSA exploited Heartbleed for years". USA Today. Retrieved April 11, 2014.
  33. ^ "NSA exploited Heartbleed bug for two years to gather intelligence, sources say". Financial Post. Retrieved April 11, 2014.
  34. ^ "Statement on Bloomberg News story that NSA knew about the 'Heartbleed bug' flaw and regularly used it to gather critical intelligence". National Security Agency. April 11, 2014.
  35. ^ Troy Hunt (April 9, 2014). "Everything you need to know about the Heartbleed SSL bug". Retrieved April 10, 2014.
  36. ^ "Why Heartbleed is dangerous? Exploiting CVE-2014-0160". IPSec.pl. 2014.
  37. ^ Mutton, Paul (April 8, 2014). "Half a million widely trusted websites vulnerable to Heartbleed bug". Netcraft Ltd. Retrieved April 8, 2014.
  38. ^ "Why the Web Needs Perfect Forward Secrecy More Than Ever | Electronic Frontier Foundation". Eff.org. March 18, 2011. Retrieved April 10, 2014.
  39. ^ Goodin, Dan. "Critical crypto bug exposes Yahoo Mail, other passwords Russian roulette-style". Ars Technica. Retrieved April 10, 2014.
  40. ^ "Schneier on Security: Heartbleed". Schneier.com. Retrieved April 10, 2014.
  41. ^ Steinberg, Joseph. "Massive Internet Security Vulnerability – Here's What You Need To Do". Forbes. Retrieved April 10, 2014.
  42. ^ "CVE – CVE-2014-0160". Cve.mitre.org. Retrieved April 10, 2014.
  43. ^ "CWE – CWE-126: Buffer Over-read (2.6)". Cwe.mitre.org. February 18, 2014. Retrieved April 10, 2014.
  44. ^ "Git – openssl.git/commitdiff". Git.openssl.org. April 5, 2014. Retrieved April 10, 2014.
  45. ^ "Patched Servers Remain Vulnerable to Heartbleed OpenSSL | Hayden James". Haydenjames.io. Retrieved April 10, 2014.
  46. ^ "Heartbleed OpenSSL extension testing tool, CVE-2014-0160". Possible.lv. Retrieved April 11, 2014.
  47. ^ "Heartbleed Scanner" by Italian cryptologist Filippo Valsorda.
  48. ^ Metasploit module
  49. ^ Heartbleed Server Scanner by Rehmann
  50. ^ "Heartbleed Detector: Check If Your Android OS Is Vulnerable with Our App". Lookout Mobile Security blog. April 9, 2014. Retrieved April 10, 2014.
  51. ^ "Heartbleed checker". LastPass. Retrieved April 11, 2014.
  52. ^ "OpenSSL Heartbleed vulnerability scanner :: Online Penetration Testing Tools | Ethical Hacking Tools". Pentest-tools.com. Retrieved April 11, 2014.
  53. ^ "VRT: Heartbleed Memory Disclosure – Upgrade OpenSSL Now!". April 8, 2014. Retrieved April 11, 2014.
  54. ^ Mann, Jeffrey (April 9, 2014). "Tenable Facilitates Detection of OpenSSL Vulnerability Using Nessus and Nessus Perimeter Service". Tenable Network Security. Retrieved April 11, 2014.
  55. ^ "Heartbleed FAQ: Akamai Systems Patched". Akamai Technologies. April 8, 2014. Retrieved April 9, 2014.
  56. ^ "AWS Services Updated to Address OpenSSL Vulnerability". Amazon Web Services. April 8, 2014. Retrieved April 9, 2014.
  57. ^ "Dear readers, please change your Ars account passwords ASAP". Ars Technica. April 8, 2014. Retrieved April 9, 2014.
  58. ^ "All Heartbleed upgrades are now complete". BitBucket Blog. April 9, 2014. Retrieved April 9, 2014.
  59. ^ "Keeping Your BrandVerity Account Safe from the Heartbleed Bug". BrandVerity Blog. April 9, 2014. Retrieved April 10, 2014.
  60. ^ "Twitter / freenodestaff: we've had to restart a bunch..." April 8, 2014. Retrieved April 13, 2014.
  61. ^ "Security: Heartbleed vulnerability". GitHub. April 8, 2014. Retrieved April 9, 2014.
  62. ^ "IFTTT Says It Is 'No Longer Vulnerable' To Heartbleed". LifeHacker. April 8, 2014. Retrieved April 9, 2014.
  63. ^ "The widespread OpenSSL 'Heartbleed' bug is patched in PeerJ". PeerJ. April 9, 2014. Retrieved April 9, 2014.
  64. ^ http://forums.somethingawful.com/announcement.php?forumid=1. Retrieved April 13, 2014.
  65. ^ Codey, Brendan (April 9, 2014). "Security Update: We're going to sign out everyone today, here's why". SoundCloud. Retrieved April 9, 2014.
  66. ^ Codey, Brendan (April 10, 2014). "Sourceforge response to heartbleed". SoundCloud. Retrieved April 10, 2014.
  67. ^ "Heartbleed". SparkFun. April 9, 2014. Retrieved April 9, 2014.
  68. ^ "Heartbleed". Stripe (company). April 9, 2014. Retrieved April 10, 2014.
  69. ^ "Tumblr Staff-Urgent security update". April 8, 2014. Retrieved April 9, 2014.
  70. ^ Hern, Alex (April 9, 2014). "Heartbleed: don't rush to update passwords, security experts warn". The Guardian. Retrieved April 9, 2014.
  71. ^ a b Grossmeier, Greg (April 8, 2014). "[Wikitech-l] Fwd: Security precaution – Resetting all user sessions today". Wikimedia Foundation. Retrieved April 9, 2014.
  72. ^ Grossmeier, Greg (April 10, 2014). "Wikimedia's response to the "Heartbleed" security vulnerability". Wikimedia Foundation blog. Wikimedia Foundation. Retrieved April 10, 2014.
  73. ^ "Wunderlist & the Heartbleed OpenSSL Vulnerability". April 10, 2014.
  74. ^ https://twitter.com/KrisJelbring/status/453559871028613121
  75. ^ IPCop (April 8, 2014). "IPCop 2.1.4 is released". SourceForge electronic mailing lists. 139697815506679. Retrieved April 11, 2014.
  76. ^ Staff (April 8, 2014). "LastPass and the Heartbleed Bug". LastPass. Retrieved April 13, 2014.
  77. ^ italovignoli (April 10, 2014). "LibreOffice 4.2.3 is now available for download". The Document Foundation. Archived from the original on April 12, 2014. Retrieved April 11, 2014.
  78. ^ "LogMeIn and OpenSSL". LogMeIn. Retrieved April 10, 2014.
  79. ^ "OpenSSL bug CVE-2014-0160". Tor Project. April 7, 2014. Retrieved April 9, 2014.
  80. ^ "Security concerns prompts tax agency to shut down website". CTV News. April 9, 2014. Retrieved April 9, 2014.
  81. ^ "heartbleed-masstest/top1000.txt". GitHub. April 8, 2014. Retrieved April 9, 2014.
  82. ^ Cipriani, Jason (April 10, 2014). "Which sites have patched the Heartbleed bug?". CNET. Retrieved April 10, 2014.
  83. ^ "Theo De Raadt's Small Rant On OpenSSL – Slashdot". It-beta.slashdot.org. Retrieved April 11, 2014.
  84. ^ "Re: FYA: http: heartbleed.com". Gmane. Retrieved April 11, 2014.
  85. ^ Timson, Lia. "Who is Robin Seggelmann and did his Heartbleed break the internet?". Smh.com.au. Retrieved April 11, 2014.
  86. ^ "Man who introduced serious 'Heartbleed' security flaw denies he inserted it deliberately". The Sydney Morning Herald. April 11, 2014. Retrieved April 11, 2014.