Download - Heart Bleed

Brought to you by

SANS Live Online Training

www.sans.org/vlive www.sans.org/simulcast

Welcome to

OpenSSL "Heartbleed" Vulnerability

by Jake Williams

Live Online Classrooms Attend a Live SANS Event from Home

HeartBleed What you need to know 2014 Jake Williams (@MalwareJake)

HeartBleed what you need to know (round 2)

Jake Williams

@MalwareJake


HeartBleed TL;DR Edition

Massive SSL bug impacts Internet

You should change your passwords unless you KNOW the site in question was not vulnerable

Even if you change your passwords, you should work with your business partners to ensure that vulnerable servers had certificates reissued

Otherwise youre not much more secure


Heartbeats

SSL heartbeats are defined in RFC6520

Used for keep alive messages without the need for renegotiating the SSL session

Also used for path MTU discovery

Heartbeat messages can be sent without authenticating with the server


HeartBleed What is it?

CVE-2014-0160 describes a flaw the heartbeat extension to the SSL protocol

The OpenSSL code accepts a user supplied length value for memory to read without proper validation

Never trust user supplied input

Bug was introduced in March 2012

OpenSSL 1.0.1

Good news: OpenSSL 1.0.0 is NOT vulnerable!


HeartBleed What is it? (2)

Attackers can dump up to 64k of memory near the SSL heartbeat on the impacted machine

Luck of the draw as to what you get

Attack can be repeated many times to obtain different 64k memory allocations

64k is a lot of memory to leak!

Patched in OpenSSL 1.0.1g


Whats in a memory disclosure bug?

Private keys (cryptographic keys)

Data otherwise encrypted by SSL

Usernames and passwords

Session identifiers

Your private data

Pointers to programming structures

May be used to defeat other exploit protections, making some other bugs exploitable


HeartBleed Visual

SSL v3 Record

Length (4 bytes)

Attacker Sends HeartBeat Message

Type (1 byte)

Heartbeat Message

Length (2 bytes)

Message Data

(variable bytes)

Oh noes! The attacker controls both of these length fields!

SSL v3 Record

Length = 4

HeartBeat Message

HB_REQUEST

Heartbeat Message

Length = 65535

Message Data

1 random byte


HeartBleed Visual (2)

Victim Replies SSL v3 Record

Length = 65535

HeartBeat Message

HB_RESPONSE

Heartbeat Message

Length = 65535

Message Data

1 random byte

Almost 64k (-1 byte) of extra memory allocated to the server process

Memory contains ????? Could include private SSL keys, usernames, passwords, or other sensitive data.


Memory Disclosure!

This should be a secret!


Are attacks logged?

In short, no there is no logging of a successful attack beyond normal SSL connection

Nginx patches are available to log that an attack was attempted

https://gist.github.com/kmosher/10313697


What should vendors do?

If not vulnerable

Communicate this (prominently) to customers

If ever vulnerable

Communicate this (prominently) to customers

Revoke possibly (probably) compromised certs

Issue new server SSL certs

Change assumed secret data the customer cant

Force change of passwords for customers


What should you do?

Coordinate with vendors to identify vulnerable software/devices and get patches installed

Coordinate with IT to get new certs for VPN client software

Change passwords for anything you need to keep secret

Monitor carefully for signs of identity theft


No web server, so Im safe, right?

Not at all!

Your data is protected by server certificates, which may have already been leaked

Attackers who compromise a servers private key may decrypt previously recorded traffic

An attacker with compromised server certificates can perform a MiTM attack


Client Side Attacks

Full list of vulnerable clients not yet known

If an attacker can direct traffic to an SSL server they control, they could read memory from the client process

No public proof of concept code available yet

Watch for to secure network clients

Consider restricting use of public wireless unless you know for sure you are not vulnerable


Good news everyone!

Firefox, Chrome, and MSIE (on Windows) all use the Windows crypto implementation and do not link against OpenSSL

IIS server is also not vulnerable


Bad news everyone!

Android is vulnerable

Not sure what this means for Chrome Books

Will manufacturers updated older devices?

Not betting on any support here

Not sure of the full list of Linux browsers that are vulnerable


(More) Bad news everyone!

Third party code using Python/Perl/Ruby OpenSSL libraries may still be vulnerable

Windows programs may have been linked against vulnerable versions of OpenSSL

Need to work with vendors to confirm vulnerabilities have been patched (or dont exist)


OpenVPN

Huge numbers of companies use OpenVPN

Bad news it was vulnerable

Considering that many employees use it in untrusted environments (public WiFi) DO NOT DELAY updating your client and server software


Finding Vulnerable Sites

A number of scanners have been used to identify popular vulnerable sites

Yahoo!, LastPass, OkCupid, and Flickr were all vulnerable for a time

https://github.com/musalbas/heartbleed-masstest/blob/master/top1000.txt


Finding Vulnerable Sites (2)

A server at http://filippo.io/Heartbleed/ is set up to check for vulnerable sites


Server Certificates

Ensure that your browser is set to check for revoked certificates

Chrome on Windows does not do this by default

Firefox does


Checking site certificates (FireFox)


Checking site certificates (Safari)


Checking site certificates (MSIE)


Chrome Plugin

The ChromeBleed plugin shows whether the site you are communicating with is vulnerable

https://chrome.google.com/webstore/detail/chromebleed/eeoekjnjgppnaegdjbcafdggilajhpic


Forensics Implications

Suppose your friendly law enforcement captured your SSL encrypted traffic last month

Or your employer

Before HeartBleed they couldnt read it

If the server involved was vulnerable, they may be able to read it today

If the servers private keys were leaked


Forensics Implications (2)

Currently no central site for compromised certs

Expecting to see these popping up in the underground

Hard to believe that this wasnt found by a nation state earlier

Reminded of parallel construction and DEA manual

Can old (previously vulnerable) SSL certs be subpoenaed today by LE? Obtained otherwise?

IANAL ask someone who is


Deploying Cloud Servers?

Check that the baseline image has been updated to the newest OpenSSL

Good advice for software in general anyway

Many Amazon images are already updated

Others were not at the time of this presentation


Finding Vulnerable Software

Probably easier on Linux

Windows software more likely to be linked with OpenSSL without this being obvious

Uh oh!


Linux Command Line

@jekil posted a neat one-liner on Twitter

grep -l 'libssl.*deleted'

/proc/*/maps | tr -cd 0-9\\n | xargs

-r ps u

Finds running processes that still have old (deleted) OpenSSL libraries mapped

But what if I havent patched yet?

Um shame on you, go patch! Right now!


Linux Command Line (2)

Modified command line finds all processes that load OpenSSL at all

grep -l 'libssl' /proc/*/maps | tr -

cd 0-9\\n | xargs -r ps


Linux Command Line (3)

Some bad developers may not include correct versioning in the names of their libraries


Good List of Impacted Vendors

Best list Ive found so far is at ISC

https://isc.sans.edu/forums/diary/Heartbleed+vendor+notifications/17929


Snort Detections

Looks for heartbeat codes and checks the size. Anything larger than 200 bytes is assumed bad


Will attackers use this?

Of course, they are probably using it already

MetaSploit already has a module to test for vulnerabilities

Client side attack server is probably not far behind

Planned to write an attack server today, but was too busy with clients


Questions?

Jake Williams

@MalwareJake