A flaw buried deep inside a widely used cryptographic library has serious implications for Internet security. It is very likely that criminals have had access to the sensitive data the library was supposed to protect in the first place.
System administrators, developers, and service providers need to first close the vulnerability (CVE-2014-0160), dubbed "Heartbleed", and then address the very real likelihood that attackers have obtained the private/public key pairs used to encrypt data. It's not a simple fix, and there are many challenges ahead arising from the Heartbleed vulnerability, experts said.
The vulnerability is "catastrophic” for SSL and Internet security, Bruce Schneier, a well-known cryptologist and CTO of Co3 Systems, told SecurityWeek. “On the scale of 1 to 10, this is an 11.” While it's perfectly possible there are even more serious flaws in TLS lurking undiscovered, Heartbleed is quite possibly the worst one to date. Calling Heartbleed a “ginormous issue” would be a conservative assessment, Schneier said.
The "heartbeat" is a TLS extension (RFC 6520) that OpenSSL implements; it essentially lets one computer tell the other, "I am here. Don't close this session. I am thinking." One side sends a heartbeat request that carries a small payload together with a two-byte field stating how long that payload is; the other side copies the payload into a reply and sends it back to confirm the connection is still working. The Heartbleed vulnerability is a memory over-read rather than an overflow: vulnerable OpenSSL trusts the stated payload length without checking it against the size of the message that actually arrived. If a request claims a larger payload than it carries, the server fills the reply with whatever happens to sit next to the request in its memory, up to 64 KB per heartbeat.
“Instead of sending too much data, to trick the other end into crashing and executing your data as code, you send too little data and trick the other end into making up for the missing data by leaking some of its own,” Paul Ducklin, a security expert from Sophos, wrote on the Naked Security blog.
Each reply returns whatever was adjacent in memory at that moment, so the attacker cannot choose what comes back or reliably get the same kind of information each time; the attack depends a lot on luck and timing. On a high-traffic site like Yahoo Mail, though, the chances that the username and password of someone who had just logged in are sitting in the server's memory are fairly high. Under the right circumstances the attacker may be able to retrieve a server's private key or other sensitive data, since nothing limits how many heartbeats can be sent and each one can leak up to 64 KB.
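The following C program is an added illustration, not code from OpenSSL or from this article: it models the heartbeat handling described above on a simulated heap buffer, with the unchecked copy beside the two bounds checks that the 1.0.1g fix introduced. The "heap", the request, the 16-bit claimed length and the "PRIVATE-KEY-BYTES" secret that stands in for adjacent process memory are all constructed test data, and the function names (`hb_process_vulnerable`, `hb_process_fixed`, `hb_scenario`) are this example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST   1
#define TLS1_HB_RESPONSE  2
#define HB_PADDING       16   /* RFC 6520: at least 16 bytes of padding */
#define HEAP_SIZE       256   /* size of our simulated process memory */

/* Simulated connection: the record layer has delivered record_len bytes of
 * heartbeat message at the front of "heap"; whatever follows in the buffer
 * stands in for unrelated memory (cookies, key material, ...). Constructed data. */
typedef struct {
    unsigned char heap[HEAP_SIZE];
    size_t record_len;
} hb_conn;

/* 16-bit big-endian length, as OpenSSL's n2s() macro reads it. */
static unsigned int n2s(const unsigned char *p) { return (p[0] << 8) | p[1]; }

/* Build the reply: type, echoed length, `payload` bytes from src, zero padding. */
static int hb_build_reply(const unsigned char *src, unsigned int payload,
                          unsigned char *reply, size_t reply_cap)
{
    if (3 + payload + HB_PADDING > reply_cap)
        return 0;
    reply[0] = TLS1_HB_RESPONSE;
    reply[1] = (unsigned char)(payload >> 8);
    reply[2] = (unsigned char)(payload & 0xff);
    memcpy(reply + 3, src, payload);
    memset(reply + 3 + payload, 0, HB_PADDING);
    return (int)(3 + payload + HB_PADDING);
}

/* Vulnerable path, modelled on 1.0.1-1.0.1f: the length comes straight from
 * the attacker-controlled message and is never compared with record_len. */
int hb_process_vulnerable(const hb_conn *c, unsigned char *reply, size_t reply_cap)
{
    const unsigned char *p = c->heap;
    unsigned char hbtype = *p++;
    unsigned int payload = n2s(p);
    p += 2;
    if (hbtype != TLS1_HB_REQUEST)
        return 0;
    if (3 + payload > HEAP_SIZE)      /* simulation guard only: stay inside our fake heap */
        return 0;
    return hb_build_reply(p, payload, reply, reply_cap);   /* BUG: reads past the record */
}

/* Fixed path, the checks added in 1.0.1g: discard a message that is too short
 * to hold a header plus padding, or whose claimed payload exceeds the record. */
int hb_process_fixed(const hb_conn *c, unsigned char *reply, size_t reply_cap)
{
    const unsigned char *p = c->heap;
    if (1 + 2 + HB_PADDING > c->record_len)
        return 0;                                   /* silently discard */
    unsigned char hbtype = *p++;
    unsigned int payload = n2s(p);
    p += 2;
    if (1 + 2 + payload + HB_PADDING > c->record_len)
        return 0;                                   /* silently discard */
    if (hbtype != TLS1_HB_REQUEST)
        return 0;
    return hb_build_reply(p, payload, reply, reply_cap);
}

/* Lay out a request that really carries 4 bytes ("ping") plus padding but
 * claims `claimed_len`, then place `secret` right after it in the fake heap. */
void hb_make_request(hb_conn *c, unsigned int claimed_len, const char *secret)
{
    unsigned char *p = c->heap;
    memset(c->heap, 0, sizeof c->heap);
    *p++ = TLS1_HB_REQUEST;
    *p++ = (unsigned char)(claimed_len >> 8);
    *p++ = (unsigned char)(claimed_len & 0xff);
    memcpy(p, "ping", 4);
    p += 4 + HB_PADDING;
    c->record_len = (size_t)(p - c->heap);          /* 23 bytes actually on the wire */
    strncpy((char *)p, secret, HEAP_SIZE - c->record_len - 1);
}

/* Substring search over a byte buffer (memmem is not portable). */
int hb_contains(const unsigned char *buf, size_t n, const char *s)
{
    size_t m = strlen(s);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, s, m) == 0)
            return 1;
    return 0;
}

/* One scenario end to end. Returns 1 if the secret leaked into the reply,
 * 0 if a reply was sent without it, -1 if the message was discarded. */
int hb_scenario(unsigned int claimed_len, int use_fixed)
{
    hb_conn c;
    unsigned char reply[HEAP_SIZE + 32];
    const char *secret = "PRIVATE-KEY-BYTES";     /* constructed stand-in for key material */
    hb_make_request(&c, claimed_len, secret);
    int n = use_fixed ? hb_process_fixed(&c, reply, sizeof reply)
                      : hb_process_vulnerable(&c, reply, sizeof reply);
    if (n == 0)
        return -1;
    return hb_contains(reply, (size_t)n, secret);
}

int main(void)
{
    printf("claim 64, vulnerable: %d\n", hb_scenario(64, 0));   /* 1: secret leaked   */
    printf("claim 64, fixed:      %d\n", hb_scenario(64, 1));   /* -1: discarded      */
    printf("claim 4,  vulnerable: %d\n", hb_scenario(4, 0));    /* 0: honest echo     */
    printf("claim 4,  fixed:      %d\n", hb_scenario(4, 1));    /* 0: honest echo     */
    return 0;
}
```

The honest request (claimed length 4) is echoed identically by both versions, which is exactly why an exploit attempt looks like a normal heartbeat to the application: the only difference is a claimed length larger than the record that carried it, and only the fixed code compares the two.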
It's very likely governments around the world used Heartbleed to exploit whatever server they could and grab whatever they could get as soon as they heard about the vulnerability, Schneier suggested. “Because why would you not?”
No Traces Left Behind
Server and network administrators and providers are faced with an almost impossible task to determine whether an attacker had successfully exploited the vulnerability on their systems. Heartbleed is a software vulnerability, not an infection, noted Grayson Milbourne, director of security intelligence at Webroot. There is no infection to trace, no forensics to indicate foul play, and no alerts to indicate private/public key pairs or sensitive user information has been intercepted. As far as the software is concerned, there is no difference between the proper behavior and an attack. OpenSSL does not log heartbeat messages, so host logs show nothing; the requests are visible on the wire, however, and a full packet capture or an IDS rule that flags heartbeat records whose declared payload length exceeds the record length will reveal exploitation attempts, though only from the point at which the capture started. It's easy to know whether the vulnerability exists, since the buggy code is in OpenSSL versions 1.0.1 through 1.0.1f (the 0.9.8 and 1.0.0 branches do not contain the heartbeat code and are not affected). If present, the flaw can be exploited, and the only way to fix it is to close the security hole by updating to 1.0.1g, released this week, or by rebuilding the library with heartbeats disabled (-DOPENSSL_NO_HEARTBEATS).
“We have no evidence that any of our servers or user data has been compromised, but the Heartbleed attack is very subtle and leaves no evidence by design,” Sid Stamm, senior manager of security and privacy engineering at Mozilla, wrote in a blog post. “At this time, we do not know whether these attacks have been used against our infrastructure or not. We are taking this vulnerability very seriously and are working quickly to validate the extent of its impact,” Stamm said.
There are some tantalizing hints that attackers may have been aware of the bug prior to its disclosure this week. Kurt Baumgartner, a researcher with Kaspersky Lab, told Reuters there was evidence several APT groups ran Heartbleed scans shortly after the bug was disclosed on Monday. The numbers have increased since, especially after Rapid7 released its Metasploit module. But when it comes to knowing what types of data the attackers got—there is no way to know that until users report fraudulent transactions or hijacked accounts.
The bulk of the attention to date has been on servers linked against OpenSSL: Web servers such as Apache and nginx, but also email, database, and chat servers. Experts have estimated as much as two-thirds of secure Websites worldwide—which translates to millions of sites—are affected. However, OpenSSL is widely used in other products and isn't limited to servers. Many VPN products, such as OpenVPN and Cisco Systems' AnyConnect software, rely on OpenSSL to establish secure connections. Tor also uses OpenSSL to secure users. Researchers have confirmed that Android devices running versions 4.1.0 and 4.1.1 have the heartbeat feature.
And lest Windows administrators feel a little complacent because they are on IIS, which doesn't use OpenSSL, they should still take a look at their architecture anyway. Stack Overflow's Tim Post acknowledged the site was vulnerable despite using ASP.NET MVC on IIS because the load balancer used nginx. And as just noted, many VPN implementations rely on this library.
“Server infrastructure is much more than just the Web server alone and not consciously running on Apache or nginx doesn't mean it doesn't feature in your environment,” wrote security researcher Troy Hunt.
The first step for administrators is self-evident: install the latest software to close the vulnerability if they have the vulnerable version of the library installed. Two caveats apply. Many Linux distributions backport the fix without changing the reported 1.0.1e version string, so check the package changelog or test the service directly rather than relying on the version number alone; and a process that loaded the old library keeps running the vulnerable code until it is restarted, so every service that links OpenSSL (and anything statically built against it) must be restarted or rebuilt after the update. A handful of tools are already available for server and network administrators to check whether a server is vulnerable to the OpenSSL Heartbleed bug, such as modules for both Metasploit and Nessus, as well as the ssl-heartbleed script from Nmap.
That's just the first step, and the easiest one in this mess. The next step is to generate new public/private keys, revoke old certificates, and get new ones issued, Schneier said. This will be a time-consuming process, and time is on the attackers' side. Until new keys and certificates are issued, users remain at risk, even after the software has been patched. Patching the software just means no more data is being exposed. Until the old keys are revoked, attackers can use the existing keys to continue decrypting network traffic they've captured.
This is a very good time for organizations to look into perfect forward secrecy to strengthen their cryptographic footprint going forward. Without PFS, the session keys of every connection are derived from a secret encrypted under the server's RSA key, so attackers sitting on a stockpile of previously captured network traffic (hello, NSA!) can use a stolen private key to go back in time and decrypt it. With PFS, which Google enables on its servers (but Yahoo does not), each session negotiates its keys through an ephemeral Diffie-Hellman exchange (DHE or ECDHE) and the server's long-term key only signs the handshake; a key stolen later cannot decrypt recorded sessions. PFS does not remove the need to re-key, however: until the old key is revoked and replaced, an attacker holding it can still impersonate the server in new connections.
“It may take a considerable amount of effort and money to re-establish a nominal security level,” said Nathaniel Couper-Notes, a principal security consultant at Neohapsis.
There is a problem with revoking the certificates, however. Not all browsers check for revoked certificates by default. Modern versions of Internet Explorer do, but Google Chrome, which has a significant number of users, does not perform online OCSP or CRL checks and instead relies on its own CRLSet list, which covers only a small subset of revocations. Issuing the certificate and revoking the old one is a good move, “but that's not necessarily going to stop clients from trusting revoked certificates,” Hunt noted.
System administrators should consider expiring any active user sessions and forcing password resets on all user accounts, on the assumption that account credentials and encryption keys have been compromised. “Whilst you could argue that this is erring on the safe side, you could also argue that’s precisely what we should be doing just now,” Hunt said.
From an end-user standpoint, users can enter domain names into test sites, such as the one by Filippo Valsorda, to figure out whether a site is vulnerable. LastPass is also scanning sites on behalf of users and notifying them when they need to change their passwords. Users can change passwords on sensitive accounts immediately, but a password set while a site is still vulnerable can be leaked just like the old one, so they should change it again once the site owner confirms the server has been patched and re-keyed.
Qualys updated its SSL Labs Server Test to allow users to quickly test external websites to see if their servers are vulnerable to Heartbleed.
Applying the OpenSSL update is only the starting point. Every time an account gets hijacked going forward, everyone will wonder if the credentials were stolen via Heartbleed, Hunt said. “This bug could have a very, very long tail.”