The Heartbleed Bug

Post on 06-May-2015


null Bangalore Chapter - June 2014 Meet


by Sharath Unni

HEARTBLEED Bug

Contents

Introduction to HTTP

Why HTTP over SSL?

Discovery of heartbleed

OpenSSL heartbeat extension

What exactly is bleeding?

Protecting against heartbleed attacks

A quick demo

A typical HTTP communication

Client: I would like to open a connection
Server: OK
Client: GET <file location>
Server: Send page or error message
Client: Display response
Client: Close connection
Server: OK

Clear-text protocols

When packets of data are sent out over the internet in clear text, a lot more can happen to them than you think!

Need for encryption: SSL/TLS

Provides authentication, confidentiality and integrity.

Asymmetric encryption for key exchange (Public and Private keys)

Pre-shared secret key between the client and server

SHARED secret key – ensures that the message is private even if it is intercepted.

OpenSSL - open source implementation of SSL and TLS protocols

Discovery of Heartbleed

The bug was independently discovered by a team of security engineers (Riku, Antti and Matti) at Codenomicon and Neel Mehta of Google Security, who first reported it to the OpenSSL team on April 1, 2014

Massive SSL bug impacts Internet and its users

According to Netcraft's survey, about 17.5% of SSL sites had the heartbeat extension enabled (about half a million)

Affected versions: OpenSSL 1.0.1 and 1.0.2-beta, including 1.0.1f and 1.0.2-beta1 (vulnerable since March 2012)

Apache and nginx servers typically run OpenSSL implementations

SSL heartbeat

SSL heartbeats are defined in RFC 6520

Similar to Connection Keep-alive in HTTP

They can be sent without authenticating with the server

A heartbeat is a message that is sent to the server just so the server can send it back. This lets a client know that the server is still connected and listening.

OpenSSL HeartBeat

Heartbleed (CVE-2014-0160)

The vulnerability lies in the implementation of the heartbeat extension

The response buffer is allocated from payload length + padding, where the payload length is a user-controlled value that is never checked against the size of the record actually received (buffer over-read)
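Added example (not OpenSSL's code and not from the slides): a small C heartbeat-record validator and responder that implements the length check OpenSSL 1.0.1g introduced, plus a helper that reports how far the unchecked copy would have read past the received record. The record layout follows RFC 6520; the sample records and the names hb_validate, hb_unchecked_overread, hb_build_response and demo_response are my own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* RFC 6520 heartbeat record: type(1) | payload_length(2, big-endian) | payload | padding(>=16). */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16

/* Returns the declared payload length if it fits inside the bytes actually received,
 * or -1 when the record must be silently discarded. The last test is the check that
 * OpenSSL 1.0.1g added; 1.0.1f trusted payload_length exactly as the peer sent it. */
int hb_validate(const uint8_t *rec, size_t rec_len) {
    if (rec_len < 1 + 2 + HB_MIN_PADDING || rec[0] != HB_REQUEST) return -1;
    unsigned payload = ((unsigned)rec[1] << 8) | rec[2];          /* peer-controlled */
    if (1 + 2 + (size_t)payload + HB_MIN_PADDING > rec_len) return -1;
    return (int)payload;
}

/* How many bytes beyond the received record the unchecked copy would have read
 * into the reply. Computed only; no out-of-bounds access is performed. */
int hb_unchecked_overread(const uint8_t *rec, size_t rec_len) {
    if (rec_len < 3) return 0;
    unsigned payload = ((unsigned)rec[1] << 8) | rec[2];
    size_t have = rec_len - 3;                                    /* bytes after the header */
    return payload > have ? (int)(payload - have) : 0;
}

/* Echo the request as a response, copying only bytes hb_validate has bounded.
 * Returns bytes written, or -1 if the request is rejected or out is too small. */
int hb_build_response(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    int payload = hb_validate(rec, rec_len);
    if (payload < 0) return -1;
    size_t need = 1 + 2 + (size_t)payload + HB_MIN_PADDING;
    if (need > out_cap) return -1;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, (size_t)payload);
    memset(out + 3 + payload, 0, HB_MIN_PADDING);                 /* padding; random in a real stack */
    return (int)need;
}

/* Constructed sample records (24 bytes each): 5-byte payload "hello" plus 16 bytes of
 * zero padding. The second one lies and claims a 65535-byte payload. */
static const uint8_t kBenign[24]    = {HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
static const uint8_t kMalicious[24] = {HB_REQUEST, 0xFF, 0xFF, 'h', 'e', 'l', 'l', 'o'};
/* Builds the reply to kBenign and confirms it echoes "hello"; returns its length or -1. */
int demo_response(void) {
    uint8_t out[64];
    int n = hb_build_response(kBenign, sizeof kBenign, out, sizeof out);
    return (n == 24 && out[0] == HB_RESPONSE && memcmp(out + 3, "hello", 5) == 0) ? n : -1;
}
```

With the check in place the lying record is discarded; without it the copy would have pulled 65514 bytes of adjacent process memory into the reply, which is exactly what the memory dumps on the next slides show.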

OpenSSL heartbeat

So what if we can read the memory?

Metasploit extract of memory dump


Protecting Private keys

What can we do about it?

Disable the heartbeat extension

Upgrade to OpenSSL 1.0.1g

Revoke the old key pairs

Force users to change their passwords

User awareness

Thank you!

@sharath_unni

h4xorhead@gmail.com