The Heartbleed Bug


Published on

null Bangalore Chapter - June 2014 Meet

Published in: Education, Technology
1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

The Heartbleed Bug

  1. 1. by Sharath Unni HEARTBLEED Bug
  2. 2. Contents Introduction to HTTP Why HTTP over SSL? Discovery of heartbleed OpenSSL heartbeat extension What exactly is bleeding? Protecting against heartbleed attacks A quick demo
  3. 3. A typical HTTP communication • I would like to open a connection • GET <file location> • Display response • Close connection • OK • Send page or error message • OK Client Server
  4. 4. Clear-text protocols When packages of data are sent out over the internet – a lot more can happen than you think!
  5. 5. Need for encryption SSL/TLS Provides authentication, confidentiality and integrity. Asymmetric encryption for key exchange (Public and Private keys) Pre-shared secret key between the client and server SHARED secret key – ensures that the message is private even if it is intercepted. OpenSSL - open source implementation of SSL and TLS protocols
  6. 6. Discovery of Heartbleed The bug was independently discovered by a team of security engineers (Riku,Antti and Matti) at Codenomicon and Neel Mehta of Google Security, who first reported it to the OpenSSL team on April 1, 2014 Massive SSL bug impacts Internet and its users According to Netcraft’s survey about 17.5% of SSL sites had heartbeat extension enabled (half a million) Affected versions - 1.0.1 and 1.0.2-beta including 1.0.1f and 1.0.2- beta1 (since March 2012) Apache and nginx servers typically run OpenSSL implementations
  7. 7. SSL heartbeat SSL heartbeats are defined in RFC6520 Similar to Connection Keep-alive in HTTP They can be sent without authenticating with the server A heartbeat is a message that is sent to the server just so the server can send it back.This lets a client know that the server is still connected and listening.
  8. 8. OpenSSL HeartBeat
  9. 9. Heartbleed (CVE-2014-0160) The vulnerability lies in the implementation of Heartbeat The memory is allocated from the payload + padding which is a user controlled value. (Buffer over-read)
  10. 10. OpenSSL heartbeat
  11. 11. So what if we can read the memory?
  12. 12. Metasploit extract of memory dump
  13. 13. Metasploit extract of memory dump
  14. 14. Protecting Private keys
  15. 15. What can we do about it? Remove the HeartBeat extension Upgrade to OpenSSL 1.0.1g Revocation of the old key pairs Force users to change their passwords User awareness
  16. 16. Thank you! @sharath_unni