The Heartbleed Bug

null Bangalore Chapter - June 2014 Meet

The Heartbleed Bug: Presentation Transcript

  • HEARTBLEED Bug, by Sharath Unni
  • Contents: Introduction to HTTP; Why HTTP over SSL?; Discovery of Heartbleed; OpenSSL heartbeat extension; What exactly is bleeding?; Protecting against Heartbleed attacks; A quick demo
  • A typical HTTP communication (Client / Server): Client: I would like to open a connection. Server: OK. Client: GET <file location>. Server: Send page or error message. Client: Display response, close connection. Server: OK.
  • Clear-text protocols: When packets of data are sent out over the internet, a lot more can happen than you think!
  • Need for encryption: SSL/TLS provides authentication, confidentiality and integrity. Asymmetric encryption for key exchange (public and private keys). Pre-shared secret key between the client and server. The SHARED secret key ensures that the message is private even if it is intercepted. OpenSSL: open source implementation of the SSL and TLS protocols.
  • Discovery of Heartbleed: The bug was independently discovered by a team of security engineers (Riku, Antti and Matti) at Codenomicon and Neel Mehta of Google Security, who first reported it to the OpenSSL team on April 1, 2014. Massive SSL bug impacts Internet and its users. According to Netcraft’s survey, about 17.5% of SSL sites had the heartbeat extension enabled (half a million). Affected versions: 1.0.1 and 1.0.2-beta, including 1.0.1f and 1.0.2-beta1 (since March 2012). Apache and nginx servers typically run OpenSSL implementations.
  • SSL heartbeat: SSL heartbeats are defined in RFC 6520. Similar to Connection Keep-alive in HTTP. They can be sent without authenticating with the server. A heartbeat is a message that is sent to the server just so the server can send it back. This lets a client know that the server is still connected and listening.
  • OpenSSL HeartBeat
  • Heartbleed (CVE-2014-0160): The vulnerability lies in the implementation of Heartbeat. The memory is allocated from the payload + padding, which is a user-controlled value (buffer over-read).
  • OpenSSL heartbeat
  • So what if we can read the memory?
  • Metasploit extract of memory dump
  • Metasploit extract of memory dump
  • Protecting Private keys
  • What can we do about it? Remove the HeartBeat extension. Upgrade to OpenSSL 1.0.1g. Revocation of the old key pairs. Force users to change their passwords. User awareness.
  • Thank you! @sharath_unni h4xorhead@gmail.com