The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
2. Overview of the content
• Introduction
• Functionality
• Weakness
• List of affected OpenSSL version
• Some Vulnerable Operating Systems and
Softwares
• Some useful information
• Countermeasures
3. Introduction
OpenSSL cryptographic software library
Discovered on 3rd
April 2014, The National Cyber
Security Centre Finland (NCSC-FI) is verifying the
OpenSSL bug.
SSL/TLS provides security and privacy on the internet
applications as like virtual private network (VPN),
instant messages (IM), web-server and email.
intruder over the internet to read the system memory
that is protected by the vulnerable OpenSSL version
and compromise the secret keys to identify the
encrypted traffic and user credentials
A new Fixed version introduced.
5. Weakness
• CVE-2014-016
• CVE-2014-0224: 5th June 2014
• Revealed private key and other secrets on the
internet.
• Higher probability for affecting by this bug
actively and/or passively.
• 66% of servers with OpenSSL affected
(approximate 632 million)
• First activated on 2012, when the default
enabled TLS heartbeat function released.
6. Weakness
• This bug with Heartbeat extension (RFC 6520)
of OpenSSL (v1.0.1- 1.0.2beta) allows
unknown client to the server request up to
64Kb of data within each transection.
• Server memory can be accessed and private
encryption keys can be revealed by attacker.
7. Affected OpenSSL version:
• OpenSSL 1.0.1a through 1.0.1f (inclusive) are
vulnerable
• OpenSSL 1.0.1g is NOT vulnerable
• OpenSSL 1.0.1h [5 Jun 2014]
• OpenSSL 1.0.0a -1.0.0l branch is NOT vulnerable
• OpenSSL 0.9.8 branch is NOT vulnerable
• OpenSSL 0.9.7 branch is NOT vulnerable
9. Affected Operating Systems and
Softwares
• FreeBSD 10.0 - OpenSSL 1.0.1e 11 Feb 2013
• NetBSD 5.0.2 (OpenSSL 1.0.1e)
• OpenSUSE 12.2 (OpenSSL 1.0.1c)
• HP System Management Homepage (SMH) for
Linux and Windows,(hpms 7.2.2.8)
• LibreOffice 4.2.0 to 4.2.2
10. Affected Operating Systems and
Softwares
• VMware series of Horizon products, emulators
and cloud computing suites
• Oracle Big Data Appliance (includes Oracle
Linux 6)
11. Some Useful Information
• Not similar to the Man-in-the-Middle attack.
• Attacker objective is to theft key material.
• Supervise service using the key material.
• A single heartbeat can contain 64Kb, attacker
can reconnect and request arbitrary number
chunks of memory during TLS connection until
the secret reveal.
18. Countermeasure
• Use the Fixed OpenSSL (1.0.1g) instead of the
previous versions.
• Old keys should be revoked.
• Disable OpenSSL heartbeat support.
• Use Perfect Forward Secrecy that can
minimize the damage in case the secret key is
revealed.
19. Conclusion
• Mistake of programming of SSL/TLS protocol
specification in well-known OpenSSL library.
• Security community should invest more time
for testing, analyzing the flaws of human
mistake.
20. Reference
• The Heartbleed Bug, last retirved: 4th
June
2014, http://heartbleed.com.
• Z. Queal, “Necessary Implementation of
Adjustable Work Factor Ciphers in Modern
Cryptographic Algorithms as it Relates to
HeartBleed and OpenSSL”, American Public
University, last retrieved: 30th
May 2014.
http://queal.co/works/journal.pdf.
21. Reference
• Russell. K, “Here's How To Protect Yourself From The
Massive Security Flaw That's Taken Over The
Internet”, last retrieved: 29th
May 2014,
http://www.businessinsider.com/heartbleed-bug-
explainer-2014-4.
• W.Dormann, “OpenSSL TLS heartbeat extension read
overflow discloses sensitive information”. Last
retrieved: 25th
May 2014,
https://www.kb.cert.org/vuls/id/720951.