2. Myself
• Mohammed Danish Amber
• Working as Database Security Administrator
• Tata Consultancy Services
• CEH &CHFI
• Collabarative Project on Hacker EcoSystem
3. Agenda
• What is Heartbleed
• How it works and Usage in OpenSSL Library
• What was the mistake in code
• What is CVE-2014-0160
• How it can be exploited
• The Mechanism
• How to protect yourself
4.
5. What is Heartbleed
• The Heartbleed Bug is a serious vulnerability in the popular
OpenSSL cryptographic software library. This weakness allows
stealing the information protected, under normal conditions, by
the SSL/TLS encryption used to secure the Internet. SSL/TLS
provides communication security and privacy over the Internet for
applications such as web, email, instant messaging (IM) and some
virtual private networks (VPNs).
6. Heartbleed
• The Heartbleed bug allows anyone on the Internet to read the
memory of the systems protected by the vulnerable versions of
the OpenSSL software. This compromises the secret keys used to
identify the service providers and to encrypt the traffic, the
names and passwords of the users and the actual content. This
allows attackers to eavesdrop on communications, steal data
directly from the services and users and to impersonate services
and users.
7. Heartbleed
• A fixed version of OpenSSL was released on April 7, 2014, on the
same day Heartbleed was publicly disclosed.
• At that time, some 17 percent (around half a million) of the
Internet's secure web servers certified by trusted authorities were
believed to be vulnerable to the attack, allowing theft of the
servers' private keys and users' session cookies and passwords.
8.
9. Heartbeat
• The Heartbeat Extension for the Transport Layer Security (TLS)
and Datagram Transport Layer Security (DTLS) protocols was
proposed as a standard in February 2012 by RFC 6520. It provides
a way to test and keep alive secure communication links without
the need to renegotiate the connection each time.
10. Heartbeat
• In 2011, one of the RFC's authors, Robin Seggelmann, then a Ph.D.
student at the University of Duisburg-Essen, implemented the Heartbeat
Extension for OpenSSL. Following Seggelmann's request to put the result
of his work into OpenSSL, his change was reviewed by Stephen N.
Henson, one of OpenSSL's four core developers. Henson apparently failed
to notice a bug in Seggelmann's implementation, and introduced the
flawed code into OpenSSL's source code repository on December 31,
2011. The vulnerable code was adopted into widespread use with the
release of OpenSSL version 1.0.1 on March 14, 2012. Heartbeat support
was enabled by default, causing affected versions to be vulnerable by
default.
11. Discovery
• According to Mark J. Cox of OpenSSL, Neel Mehta of Google's security
team reported Heartbleed on April 1, 2014.
• The bug was named by an engineer at Codenomicon, a Finnish
cybersecurity company, which also created the bleeding heart logo, and
launched the domain Heartbleed.com to explain the bug to the public.
• According to Codenomicon, Neel Mehta first reported the bug to
OpenSSL, but both Google and Codenomicon discovered it
independently.
• Codenomicon reportsApril 3, 2014 as their date of discovery of the bug
and as their date of notification of NCSC-FI (formerly known as CERT-FI)
for vulnerability coordination.
• The Sydney Morning Herald published a timeline of the discovery on April
15, 2014, which shows that some of the organizations were able to patch
against the bug before its public disclosure. In some cases, it is not clear
how they found out.
12. Code patch
• On March 21, 2014 Bodo Moeller and Adam Langley of Google
wrote a patch that fixed the bug. The date of the patch is known
from Red Hat's issue tracker.
• As of May 8, 2014, 318,239 of the public web servers remained
vulnerable.
13. How it works & Usage in OpenSSL Library
Heartbleed Request
Payload Padding
DATA SIZE
Payload Size
Data+???????????
??????????????????
??????????????????
??????????????????
??????????????????
??????????????????
??????????????????
??????????????????
??????????????????
Server Alive Check through Heartbeat
14. CVE-2014-0160
• CVE-2014-0160 is the official reference to this bug. CVE (Common
Vulnerabilities and Exposures) is the Standard for Information
Security Vulnerability Names maintained by MITRE.
15. The Mistake
• Is this a design flaw in SSL/TLS protocol specification?
• No. This is implementation problem, i.e. programming mistake in
popular OpenSSL library that provides cryptographic services such
as SSL/TLS to the applications and services.
16.
17.
18.
19.
20. How to protect yourself.
• Uprade Your Server;
• Update your SSL Library
• Change your password
• Change your Private & Public Keys
• Change your security settings and and its details
21. DEMO
• Scanning Using NMAP to check, is Server is Vulnerable to
HeartBleed
• Setting a Hearbeat Session, with Heartbleed Payload
• Using ngrep to find Username, Password, Keys from the decrypted
Heartbeat (HeartBleed Payload) datas.