What is Heartbleed Bug and Its Solutions?

Sarvesh Kushwaha

Rate me:

4.95/5 (9 votes)

13 Apr 2014CPOL4 min read

21.6K

This tip describes what exactly is Heartbleed bug, how to exploit it and solutions of this bug.

Introduction

Since the last few days, Heartbleed trending on the internet and saying to the internet, I am evil. People are calling this bug as "Biggest Security Threat" to the internet. Some Websites called this bug "Catastrophic".

I was gawked to know that I was not safe since 2011 December since OpneSSL included Heartbeat Extension.

Background

This heartbleed bug is on the internet since 2011 December and it got fixed a week ago. First, it was found by Google Security team member NEEL MEHTA and a software firm called CODENOMICON. Codenomicon took the initiative about this bug and created a website for the information and solution of this bug, i.e., http://heartbleed.com.

Before diving into HeartBleed, I would like to tell you about why we need SSL (Secure Socket Layer) also known as TSL (Transport Security Layer).

Usually, we send the password, personal details, credit card details, selfie pics, social media posts over the internet .

To encrypt such details, we used HTTPS. To ensure any malicious person cannot intercept these details, we use OpenSSL, which is an open source software for the implementation of SSL on the web.

But all the SSL implemented HeartBeat extensions are vulnerable to HeartBleed. Through HeartBeat extension attacker can read the client/server memory (64KB at a time) .

What is Heartbeat Extension?

OpenSSL introduced an extension Heartbeat to keep the session alive for a longer time and to avoid reestablishment of sessions. Heartbeat introduced in OpenSSL with its 1.0.1 build release as defined in the RFC 6520 TLS/DTLS Heartbeat Extension. Heartbeat messages can be sent without authenticating with the server. For every request, there might be a Heartbeatrequest and a Heartbeatresponse.

What is Heartbleed?

YAY, you got the nerve - "Vulnerability in Hearbeat causes Heartbleed".

Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software.

Are You Heartbleed Vulnurable ?

People have created the malicious script for heartbeat request and created many online checkers. Following are the websites where you can test whether your website is Heartbleed vulnerable or not.

How to Exploit Heartbleed Attack?

There are many available ways to exploit Heartbleed. Everyone has their proof of concepts.

Some of the ways that I liked are listed below:

Easy and simple way to do it http://www.garage4hackers.com/entry.php?b=2551
Honeypot Sniffing http://packetstormsecurity.com/files/126068/hb_honeypot.pl.txt
Openmagic https://github.com/isgroup-srl/openmagic/
Quick and dirty demonstration of CVE-2014-0160 by Jared Stafford https://gist.github.com/dyatlov/10192468

Basically, using the idea of Heartbeat, a client can send a Heartbeatrequest and the server will have to respond with Heartbeatresponse.

The total length of a HeartbeatMessage(request/response) canNOT exceed 2^14 or max_fragment_length when negotiated as defined in [RFC6066]. So we are only able to leak 64 KB of memory and that could easily have usernames/password or any random information.

Which OpenSSL Versions are Vulnerable and Who is vulnerable to Heartbleed ?

Heartbleed is only exploited where vulnerable OpenSSL software has been installed. Vulnerable versions are:

1.0.1
1.0.1a,
1.0.1b,
1.0.1c,
1.0.1d,
1.0.1e,
1.0.1f,
1.0.2-beta1

OpenSSL is installed mostly on the Apache servers and nginx servers. According to Netcraft, half a million trusted websites are vulnerable to this Heartbleed Bug. Image Courtsey Netcraft : LINK

Are Windows Server Safe ?

Being a .NET developer, this is the first thing that came into my mind. Are the websites developed by me and deployed on the Windows server using IIS safe?

According to Microsoft, they do not include OpenSSL and are not vulnerable to this Heartbleed. Microsoft has their own encryption component called SChannel (Abbreviated as Secure Channel). But those clients which are running softwares on OpenSSL instead of Schannel are vulnerable to this threat.

Solutions to Prevent Heartbleed Attack

Upgrade Your OpenSSL

Apply an upgrade to OpenSSL 1.0.1g. Contact your software vendor to apply an update for this.

Things to remember:

Regenerate your secret keys (There might be a possibility that attacker already hacked your current secret key).
Ask your users to change the password (I have received the official mail request from tumblr to change password).

Disable Heartbeat from Current Installed SSL

Steps to do it:

Recompile your OpenSSL with the -DOPENSSL_NO_HEARTBEATS flag.
Restart your Apache and nginx server to effect the above command.

I hope you liked this simple and straightforward article. I have a lot of insight about this bug. We can have a healthy discussion here regarding this bug.

References and Further Readings

This article was originally posted at http://sarveshkushwaha.blogspot.in/2014/04/what-is-heartbleed-bug-and-its-solutions.html

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Written By

Sarvesh Kushwaha

Software Developer

India

I do believe life is to help others ... So here i am .. in my spare time i learn new things of programming and try to help people with my knowledge .
I'm an energetic, self-motivated and hard-working Developer and Information Technology Professional with experience in projects, website design and development.

Visit My Technical Blog

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.