Heartbleed OpenSSL vulnerability: A technical remediation

OpenSSL released a bug advisory and a patch for a memory leak of up to 64kb in their library. The bug has been assigned CVE-2014-0160, TLS heartbeat read overrun.

According to OpenSSL, the heartbeat extension was introduced in March 2012 with the release of version 1.0.1 of OpenSSL. This implies that the vulnerability has been around for just over 2 years. This is a very serious vulnerability that will allow protected information to be stolen even with the use of SSL/TLS encryption.

Since the announcement, there has been buzz around the underground, and malicious actors have been actively leaking memory from servers running the affected library, using one of the several publicly available PoC scripts to attack the massive number of services exposed on the internet.

Only the 1.0.1 and 1.0.2-beta releases of OpenSSL are affected, including 1.0.1f and 1.0.2-beta1. The targets are mostly on port 443. With this, an attacker is able to leak previously allocated data, which can and does include plaintext credentials, session cookies, private keys (allowing arbitrary decryption of SSL/TLS communication), and more. OpenSSH does not seem to be susceptible to the vulnerability, as it uses OpenSSL for key generation but not for communication.

Heartbleed.com mentions a web based tool and a couple of scripts for testing to see if you are vulnerable to this latest exploit:

  • A web based test
  • A Python script to test for the vulnerability from the command line. If you want to scan multiple sites, you can use a modified version with easily parseable output.

This post has done an excellent job explaining, in code, exactly what has happened and what the vulnerability is. Now, as an attacker with a simple PoC, this is what we are able to do:

1. while [ 1 ]; do python poc.py server.com 443; done
2. ngrep -i "password_field_value" -d any host victim.org and port 443 -q

This allows us to spam the PoC for recently allocated data and use ngrep to grab the field in which passwords are sent. Using these two commands, we have been able to capture a large number of passwords sent over HTTPS, in plaintext. As you can see, this breaks a large variety of web applications, including webmail (Yahoo), banks, and many other targets.

One of the more complicated issues is that the OpenSSL patches were not in line with the upstream packages of the large Linux distributions, meaning there was a large time window between OpenSSL's patch and when the various distributions could provide the patch to their user bases. OpenSSL.org has provided an updated version of OpenSSL (1.0.1g) here. Once you have updated to the most recent version, you must then regenerate your private key(s) and SSL certificate(s). We would also recommend resetting all passwords for accounts that were used during the timeframe in which you were vulnerable.

We have had an opportunity to review the behavior of the exploit and have come up with the following IDS signatures to be deployed for detection.

alert tcp !$HOME_NET any -> $HOME_NET 443 (msg:"SSLv3 OpenSSL Heartbeat Memory Leak"; content:"|18 03 00|"; depth:3; byte_test:2,>,199,3; threshold:type limit, track by_src, count 1, seconds 600; reference:cve,2014-0160; classtype:bad-unknown; sid:1006054; tag:session,5,packets; rev:1;)

alert tcp !$HOME_NET any -> $HOME_NET 443 (msg:"TLSv1 OpenSSL Heartbeat Memory Leak"; content:"|18 03 01|"; depth:3; byte_test:2,>,199,3; threshold:type limit, track by_src, count 1, seconds 600; reference:cve,2014-0160; classtype:bad-unknown; sid:1006055; tag:session,5,packets; rev:1;)

alert tcp !$HOME_NET any -> $HOME_NET 443 (msg:"TLSv1.1 OpenSSL Heartbeat Memory Leak"; content:"|18 03 02|"; depth:3; byte_test:2,>,199,3; threshold:type limit, track by_src, count 1, seconds 600; reference:cve,2014-0160; classtype:bad-unknown; sid:1006056; tag:session,5,packets; rev:1;)

alert tcp !$HOME_NET any -> $HOME_NET 443 (msg:"TLSv1.2 OpenSSL Heartbeat Memory Leak"; content:"|18 03 03|"; depth:3; byte_test:2,>,199,3; threshold:type limit, track by_src, count 1, seconds 600; reference:cve,2014-0160; classtype:bad-unknown; sid:1006057; tag:session,5,packets; rev:1;)
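The four signatures above all encode the same test: a TLS record whose first byte is 0x18 (heartbeat), whose version is SSLv3 through TLSv1.2, and whose 2-byte record length at offset 3 exceeds 199. The following Python is an added example, not code from the original post or from Alert Logic, that applies that same test to raw TLS records so the rule logic can be checked offline. It goes one step further than the signatures: it also compares the payload length declared inside the heartbeat message against the bytes actually present in the record, which is the condition the OpenSSL 1.0.1g fix checks before copying the payload. A short record that declares a large payload does not cross the 199-byte record-length threshold, so this second check covers the case the length-based rules alone do not. All sample records are constructed in the block; nothing is captured from a real session.

```python
import struct

# TLS ContentType for heartbeat messages (RFC 6520); the rules match on |18 03 0x|.
HEARTBEAT_CONTENT_TYPE = 0x18
# Record-layer versions covered by the four signatures above.
TLS_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
# byte_test:2,>,199,3 in the rules: the 2-byte record length at offset 3 must exceed 199.
RULE_LENGTH_THRESHOLD = 199
# RFC 6520 requires at least 16 bytes of padding after the heartbeat payload.
MIN_PADDING = 16


def parse_tls_record(data):
    """Split one raw TLS record into (content_type, version, declared_length, body).

    body is whatever is actually present after the 5-byte header, capped at the
    declared length, so a truncated record yields a shorter body."""
    if len(data) < 5:
        raise ValueError("TLS record header needs at least 5 bytes")
    content_type, version, length = struct.unpack("!BHH", data[:5])
    return content_type, version, length, data[5:5 + length]


def inspect_heartbeat_record(record):
    """Return a list of finding strings for one record; an empty list means clean."""
    content_type, version, length, body = parse_tls_record(record)
    findings = []
    if content_type != HEARTBEAT_CONTENT_TYPE or version not in TLS_VERSIONS:
        return findings  # not a heartbeat record the signatures look at
    proto = TLS_VERSIONS[version]

    # Check 1: exactly what the Snort rules above test (record length > 199).
    if length > RULE_LENGTH_THRESHOLD:
        findings.append(f"{proto} heartbeat record length {length} > {RULE_LENGTH_THRESHOLD} (signature match)")

    # Check 2: declared payload length vs bytes actually present. OpenSSL 1.0.1g
    # discards a heartbeat when 1 (type) + 2 (length) + payload + 16 (padding)
    # exceeds the record length; an unpatched server copies payload bytes anyway.
    if len(body) < 3:
        findings.append(f"{proto} heartbeat body of {len(body)} bytes is too short for the type and length fields")
        return findings
    _hb_type, payload_len = struct.unpack("!BH", body[:3])
    if 1 + 2 + payload_len + MIN_PADDING > len(body):
        findings.append(f"{proto} heartbeat declares {payload_len}-byte payload but only {len(body)} body bytes are present")
    return findings


def build_heartbeat_record(version, payload, declared_len=None, padding=MIN_PADDING):
    """Build a heartbeat_request record as constructed test data (not a capture).

    declared_len lets a sample declare more payload than it actually carries."""
    if declared_len is None:
        declared_len = len(payload)
    body = struct.pack("!BH", 0x01, declared_len) + payload + b"\x00" * padding
    return struct.pack("!BHH", HEARTBEAT_CONTENT_TYPE, version, len(body)) + body


# Constructed samples: a well-formed heartbeat, a short record with an inflated
# declared length, a large but internally consistent heartbeat, and a non-heartbeat
# application_data record (content type 0x17) that the checks must ignore.
BENIGN_RECORD = build_heartbeat_record(0x0302, b"ping")
INFLATED_RECORD = build_heartbeat_record(0x0302, b"", declared_len=1024, padding=0)
LARGE_RECORD = build_heartbeat_record(0x0301, b"A" * 250)
NON_HEARTBEAT_RECORD = b"\x17\x03\x01\x00\x05hello"

if __name__ == "__main__":
    for name, rec in [("benign", BENIGN_RECORD), ("inflated", INFLATED_RECORD),
                      ("large", LARGE_RECORD), ("app_data", NON_HEARTBEAT_RECORD)]:
        print(name, inspect_heartbeat_record(rec) or ["clean"])
```

Running the block shows the benign and application_data records as clean, the 269-byte record tripping only the signature condition, and the 3-byte record with a 1024-byte declared payload tripping only the declared-versus-actual check. Both conditions are worth alerting on in front of a server that may still be running an unpatched 1.0.1 build.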


Stephen Coty, Chief Security Evangelist at Alert Logic.
