Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Confirmed: Heartbleed Exposes Web Server’s Private SSL Keys

After details of the critical “Heartbleed” vulnerability in OpenSSL emerged last week, which enables attackers to steal sensitive data typically protected by TLS encryption, there has been widespread concern among system administrators, network security teams, software developers and essentially anyone with any technical connection to the Internet.

After details of the critical “Heartbleed” vulnerability in OpenSSL emerged last week, which enables attackers to steal sensitive data typically protected by TLS encryption, there has been widespread concern among system administrators, network security teams, software developers and essentially anyone with any technical connection to the Internet.

One of the key concerns (no pun intended) was if an attacker could obtain the private SSL Keys from a server by exploiting Heartbleed.

In short, the Heartbleed vulnerability allows attackers to repeatedly access 64K blocks of memory by sending a specially crafted packet to a server running a vulnerable version of OpenSSL. Because an attacker can’t specify what kind of data to obtain from the computer’s memory or reliably get the same kind of information each time, the attack depends on luck and timing.

In an effort to help determine if private SSL keys were at risk, engineers at Web performance and security firm CloudFlare created a web site that was intentionally vulnerable to Heartbleed and encouraged researchers to attempt to get the private key from the server.

As was assumed, and now confirmed, under the right circumstances, an attacker can retrieve a server’s private key.

While CloudFlare originally believed that obtaining private keys was not impossible, but rather difficult, it turns out that within a few hours, several researchers independently retrieved the private keys from the intentionally-vulnerable NGINX server using the Heartbleed exploit.

According to CloudFlare’s Nick Sullivan, Fedor Indutny, a software engineer from Russia, sent at least 2.5 million requests over the course of the day in his successful effort to obtain the key. Ilkka Mattila from NCSC-FI, who sent around a hundred thousand requests over the same period of time, was also successful in obtaining the private key.

At least two others had success as well. 

Advertisement. Scroll to continue reading.

CloudFlare says that it confirmed with all individuals that they used only the Heartbleed exploit to obtain the private key.

According to Sullivan, CloudFlare engineers rebooted the server at 3:08PST, which may have caused the key to be available in uninitiallized heap memory.

“It is more important than ever to check certificates to see if they have been revoked,” Sullivan wrote in a follow-up blog post. “According to Netcraft that certificate revocation has gone up sharply since the Heartbleed vulnerability was announced.”

“We expect this trend to continue as more websites evaluate the risk that their private keys were stolen though Heartbleed,” he continued. “If your site was vulnerable to Heartbleed, we encourage you to talk to your CA to revoke your certificate an rekey.”

The vulnerability is “catastrophic” for SSL and Internet security, Bruce Schneier, a well-known cryptologist and CTO of Co3 Systems, previously told SecurityWeek. “On the scale of 1 to 10, this is an 11.”

While it’s perfectly possible there are even more serious flaws in TLS lurking undiscovered, Heatbleed is quite possibly the worst one to date. Calling Heartbleed a “ginormous issue” would be a conservative assessment, Schneier said.

It’s very likely governments around the world used Heartbleed to exploit whatever server they could and grab whatever they could get as soon as they heard about the vulnerability, Schneier suggested. “Because why would you not?” 

On Friday, the NSA denied a report claiming it was aware of and even exploited Heartbleed to gather critical intelligence.

“NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report,” an NSA spokeswoman said.

RelatedWhy The Heartbleed Vulnerability Matters and What To Do About It  

Additional Resources:

• Is Your Enterprise Managing Certificates? Three Reasons It Should Be. 

• Forrester Attacks On Trust Report

 Heartbleed Bug Advisory Whitepaper from Accuvant Labs (PDF)

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.