Heartbleed by Ramie Phillips III for (ISC)2 Detroit September 23, 2014
What is Heartbleed?
● The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library
● OpenSSL is most likely present on Linux webservers like Apache and nginx
● OpenSSL is also used to protect email, chat, VPNs, and many network appliances
● CVE-2014-0160
● FYI: SSL and TLS are the same encryption levels; SSL is typically by port and older (port 443), TLS is typically by protocol (STARTTLS) and newer by version number; SSL 3.0 was the predecessor to TLS 1.0
What is a TLS Heartbeat?
● Could be loosely compared to a TLS “ping”
● Why do we need an SSL Heartbeat?
● To avoid SSL session closure by overzealous firewalls
● To make sure the peer is still alive
● Reduces costly renegotiations
● Helps serve as a countermeasure to the BEAST attack
● BEAST allows IVs in a CBC cipher to be predicted by a MITM, which allows guesses to be validated and so discloses small amounts of data like session keys
How widespread is Heartbleed?
● OpenSSL versions 1.0.1, released 3/14/2012, through 1.0.1f. 1.0.1g with a fix was released 4/7/2014
● Operating systems affected include Debian 7, Ubuntu 12.04.4, CentOS 6.5, Fedora 18, OpenBSD 5.3, FreeBSD 10, NetBSD 5.0.2, and OpenSUSE 12.2
● OpenSSL version 1.0.1 was the first version to contain TLS version 1.2
● TLS version 1.2 has been pushed heavily by the security community to improve hash security and BEAST attack resistance.
● Initial estimates are that it affected about 17.5% of all SSL websites, effects reduced because many large providers are slow to upgrade
What is Heartbleed really?
● A lack of input validation on a user-supplied parameter that allows reading from heap memory
● It allows a client to specify a size of memory up to 64 KB to return to that client per heartbeat, much larger than the intended designed response of 4 bytes
● Since the size boundary is not checked, a read buffer overflow (buffer over-read) occurs, and server memory is returned to the client
● Anything residing in server heap memory can be compromised, including session keys, SSL keys, etc.
A simplified visualization of Heartbleed
Hacker: Hey server, I am sending you 4 bytes, please reply (HHHH)?
Server: HHHH
Hacker: Hey server, I am sending you 65,535 bytes, please reply (HHHH)?
Server: HHHHKKKKKKKKKKKK......................KKK
Memory visualization: H H H H K K K K K K K K K K K K K K K K K K K K K K K K K K
The problem is that the server expects the Hacker to ask for 4 bytes, but... The server does not verify that the number of bytes asked for is 4. So the server returns the 4 bytes and the next 65,531 bytes in memory.
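
The exchange above modeled in C, as an added example that is not from the original slides or from OpenSSL: a simulated heap holds a 23-byte heartbeat record followed by unrelated data, and the same request is handled without and with the record-length checks. The names `build_heap`, `respond_unchecked` and `respond_checked`, the buffer sizes and the sample bytes are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#define HB_HEADER  3u   /* 1 byte type + 2 bytes payload length (RFC 6520) */
#define HB_MIN_PAD 16u  /* minimum padding required by RFC 6520 */

/* Constructed sample: a simulated heap. The first 23 bytes are the received
 * record; the K bytes after it stand for unrelated server memory. */
static unsigned char heap[64];
static size_t build_heap(unsigned claimed) {
    memset(heap, 0, sizeof heap);
    heap[0] = 1;                              /* heartbeat request */
    heap[1] = (unsigned char)(claimed >> 8);  /* claimed payload length */
    heap[2] = (unsigned char)(claimed & 0xff);
    memcpy(heap + 3, "HHHH", 4);              /* real payload: 4 bytes */
    memset(heap + 7, 'P', HB_MIN_PAD);        /* padding */
    memcpy(heap + 23, "KKKKKKKKKKKK", 12);    /* outside the record */
    return HB_HEADER + 4 + HB_MIN_PAD;        /* true record length */
}

/* Pre-fix behaviour: the claimed length is trusted, rec_len is ignored. */
static size_t respond_unchecked(const unsigned char *rec, size_t rec_len,
                                unsigned char *out, size_t out_cap) {
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    (void)rec_len;
    if (payload > out_cap) payload = out_cap; /* keeps the demo inside heap[] */
    memcpy(out, rec + HB_HEADER, payload);
    return payload;
}

/* Post-fix behaviour: both record-length checks run before any copy.
 * Returns 0 when the request is silently discarded. */
static size_t respond_checked(const unsigned char *rec, size_t rec_len,
                              unsigned char *out, size_t out_cap) {
    size_t payload;
    if (HB_HEADER + HB_MIN_PAD > rec_len) return 0;
    payload = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER + payload + HB_MIN_PAD > rec_len) return 0;
    if (payload > out_cap) return 0;
    memcpy(out, rec + HB_HEADER, payload);
    return payload;
}

int main(void) {
    unsigned char out[32];
    size_t n = build_heap(32);                /* claims 32, carries 4 */
    printf("unchecked: %zu bytes echoed\n", respond_unchecked(heap, n, out, sizeof out));
    printf("checked:   %zu bytes echoed\n", respond_checked(heap, n, out, sizeof out));
    return 0;
}
```

With the claimed length of 32, the unchecked handler echoes the 4 payload bytes, the padding and the 12 K bytes that were never part of the record; the checked handler discards the request.
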
The Offending Code and Fix -/* Read type and payload length first */ -hbtype = *p++; -n2s(p, payload); //take 2 bytes from p and put them in payload, this is actually payload length -pl = p; //pl is the actual payload data +/* Read type and payload length first */ +if (1 + 2 + 16 > s->s3->rrec.length) +
return 0; /* silently discard */ //No zero length heartbeat requests
+hbtype = *p++; +n2s(p, payload); //take 2 bytes from p and put in payload, actually the length +if (1 + 2 + payload + 16 > s->s3->rrec.length) //16 is the minimum specified padding +
return 0; /* silently discard per RFC 6520 sec. 4 */ //make sure record length is sufficiently long
+pl = p; //pl is teturn data if (hbtype == TLS1_HB_REQUEST) {... … bp = buffer; … s2n(payload, bp); //put payload length in bp …. memcpy(bp, pl, payload); //copy payload bytes from pl to bp … retrun bp... }
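Review bot: the comment on the first added check, `if (1 + 2 + 16 > s->s3->rrec.length)`, reads "No zero length heartbeat requests", but the condition is about the record, not the payload: it discards any record shorter than 19 bytes (1 type byte, 2 length bytes, 16 bytes of minimum padding), and a request whose payload length is 0 still passes if the padding is present. Reword the comment to say that, and replace the repeated literals 1, 2 and 16 with named constants so both checks visibly use the same layout. The second check, `if (1 + 2 + payload + 16 > s->s3->rrec.length)`, is what makes the later `memcpy(bp, pl, payload)` safe, so it has to stay ahead of every use of `payload`; the allocation of `buffer` is elided here, so its size against `payload` cannot be confirmed from these lines.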
Set up a vulnerable server
● Boot a vulnerable Linux (Ubuntu server in this case) and run the following commands:
● sudo apt-get install apache2
● sudo a2enmod ssl
● sudo a2ensite default-ssl
● sudo /etc/init.d/apache2 restart
● Check local OpenSSL version by issuing: openssl version -a
● Check remotely by issuing: “openssl s_client -connect $SERVER_IPADDRESS:443 -tlsextdebug” then look for “TLS server extension "heartbeat" (id=15), len=1” in the response
How not to find Heartbleed
● Positions (1 and 2) and (9 and 10) in the Client Hello specify the TLS version: 03 01 for TLS 1.0, 03 02 for TLS 1.1, and 03 03 for TLS 1.2. Many scripts only tried 03 02 and connection would fail if server did not support TLS 1.2
● Cipher suites must match on client and server; they are sent in the Client Hello
● Some detection scripts had a 5 second timeout and could fail on a slow connection, a large heartbeat, or a slow server
● 13 of 15 tools used prior to April 16th had at least one of these flaws, including McAfee, Nessus, Nmap, Metasploit, and the original POC.
How to find Heartbleed
● Local only command to find OpenSSL version: openssl version -a
● Hut3 Cardiac Arrest Script (python cardiac-arrest.py $HOSTNAME) can be found at: https://gist.github.com/ah8r/10632982
● Qualys SSL Labs with DNS and port 443 only
● As of April 17th Nmap NSE and Nessus are working properly
● Others probably now work properly as well
How to compromise Heartbleed
● There are many scripts that can be found easily on Google, but all work similarly
● Ask the server for many large Heartbeats
● Store the responses in a file
● Additional scripts parse the file for interesting things like sessions and crypto keys
Heartbleed is old news. It's fixed everywhere, right?
● Bug discovered April 3, 2014
● Errata Security scanned on June 20 and found over 300,000 vulnerable devices
● On August 19 TrustedSec disclosed that the Community Health Systems hack of 4.5 million records was due to a Heartbleed attack on a Juniper router
● A Venafi scan of the Forbes Global 2000 companies on August 22 found that 1,219 companies had a combined 448,000 servers not fully secured from Heartbleed (patches applied, but keys unchanged)
● IBM said in a report on August 25 that over 7000 Heartbleed attacks per day register on company monitors
What did technicians learn?
● Incident response plans are critical
● Detection tools should be tested and proven to work properly
● Accurate asset knowledge is key
● Defense in depth can limit attack damage, including firewalls to limit specific IP addresses and IPS systems to filter attacks
● Patch distribution systems are critical, and time to deployment counts
● Cryptographic re-keying is important
● Maybe alternatives written in a language other than C are needed
What did businesses learn?
● OpenSSL is deployed as critical security infrastructure across 2/3 of the websites on the Internet
● OpenSSL was funded by less than $2000 in donations per year
● The OpenSSL foundation did per-hour work and offered support contracts, but these were for specific features, up to $1 million per year; this seems to be partly responsible for the difficult-to-read code
● OpenSSL had only one full-time employee; this contributed to the lack of ability to accept bug fixes and documentation changes
● Businesses should pay money for open source development and security audits if they rely on the code
● The Linux Foundation has now devoted $3.9 million to open source projects outside the already well-funded kernel; OpenSSL is first in line
Thank you
Please see www.ramiephillips.com/links.html for updated interesting security articles