Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Confirmed: Heartbleed Exposes Web Server’s Private SSL Keys

After details of the critical “Heartbleed” vulnerability in OpenSSL emerged last week, which enables attackers to steal sensitive data typically protected by TLS encryption, there has been widespread concern among system administrators, network security teams, software developers and essentially anyone with any technical connection to the Internet.

After details of the critical “Heartbleed” vulnerability in OpenSSL emerged last week, which enables attackers to steal sensitive data typically protected by TLS encryption, there has been widespread concern among system administrators, network security teams, software developers and essentially anyone with any technical connection to the Internet.

One of the key concerns (no pun intended) was if an attacker could obtain the private SSL Keys from a server by exploiting Heartbleed.

In short, the Heartbleed vulnerability allows attackers to repeatedly access 64K blocks of memory by sending a specially crafted packet to a server running a vulnerable version of OpenSSL. Because an attacker can’t specify what kind of data to obtain from the computer’s memory or reliably get the same kind of information each time, the attack depends on luck and timing.

In an effort to help determine if private SSL keys were at risk, engineers at Web performance and security firm CloudFlare created a web site that was intentionally vulnerable to Heartbleed and encouraged researchers to attempt to get the private key from the server.

As was assumed, and now confirmed, under the right circumstances, an attacker can retrieve a server’s private key.

While CloudFlare originally believed that obtaining private keys was not impossible, but rather difficult, it turns out that within a few hours, several researchers independently retrieved the private keys from the intentionally-vulnerable NGINX server using the Heartbleed exploit.

According to CloudFlare’s Nick Sullivan, Fedor Indutny, a software engineer from Russia, sent at least 2.5 million requests over the course of the day in his successful effort to obtain the key. Ilkka Mattila from NCSC-FI, who sent around a hundred thousand requests over the same period of time, was also successful in obtaining the private key.

At least two others had success as well. 

CloudFlare says that it confirmed with all individuals that they used only the Heartbleed exploit to obtain the private key.

According to Sullivan, CloudFlare engineers rebooted the server at 3:08PST, which may have caused the key to be available in uninitiallized heap memory.

“It is more important than ever to check certificates to see if they have been revoked,” Sullivan wrote in a follow-up blog post. “According to Netcraft that certificate revocation has gone up sharply since the Heartbleed vulnerability was announced.”

“We expect this trend to continue as more websites evaluate the risk that their private keys were stolen though Heartbleed,” he continued. “If your site was vulnerable to Heartbleed, we encourage you to talk to your CA to revoke your certificate an rekey.”

The vulnerability is “catastrophic” for SSL and Internet security, Bruce Schneier, a well-known cryptologist and CTO of Co3 Systems, previously told SecurityWeek. “On the scale of 1 to 10, this is an 11.”

While it’s perfectly possible there are even more serious flaws in TLS lurking undiscovered, Heatbleed is quite possibly the worst one to date. Calling Heartbleed a “ginormous issue” would be a conservative assessment, Schneier said.

It’s very likely governments around the world used Heartbleed to exploit whatever server they could and grab whatever they could get as soon as they heard about the vulnerability, Schneier suggested. “Because why would you not?” 

On Friday, the NSA denied a report claiming it was aware of and even exploited Heartbleed to gather critical intelligence.

“NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report,” an NSA spokeswoman said.

RelatedWhy The Heartbleed Vulnerability Matters and What To Do About It  

Additional Resources:

• Is Your Enterprise Managing Certificates? Three Reasons It Should Be. 

• Forrester Attacks On Trust Report

 Heartbleed Bug Advisory Whitepaper from Accuvant Labs (PDF)

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.