Advisory Summary – OpenSSL
CSS 1404 – Serious security flaw in OpenSSL-based services Vulnerability
April 7, 2014
A serious security flaw, commonly referred to as “Heartbleed”, was announced in the OpenSSL library used by a wide range of secure services and operating systems. This flaw allows a remote user to access the memory on affected servers without authentication, potentially exposing SSL encryption keys and other encrypted data with no means of detecting a successful exploitation. Identifying vulnerable servers and addressing this flaw should be a high priority.
A critical security flaw was announced in OpenSSL version 1.0.1 through OpenSSL 1.0.1f on April 7, 2014.
This flaw allows an attacker to obtain 64kb chunks of a remote server’s memory through SSL/TLS heartbeat requests. No authentication is necessary, and multiple requests can be issued, potentially allowing an attacker to access arbitrary portions of a systems’ memory.
Gaining access to the memory contents of a compromised server could expose SSL encryption keys, user authentication credentials, and other data sent over secure SSL sessions. An attacker that obtains the SSL encryption keys for a service could potentially decrypt any previously collected, present, or future SSL sessions to the service using the compromised SSL key until a new key is issued.
OpenSSL is the library used by a wide range of software that use SSL such as Apache and nginx, which comprise 66% of all active sites on the Internet. OpenSSL is also a component in most Linux and BSD-based operating systems, or appliances/imbedded devices that utilize the Linux operating system.
Vulnerability ID: CVE-2014-0160
High Risk – CVSS 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Remote access of server memory
Since this issue affects the SSL service directly the affected services are typically going to be publicly accessible and could be exploited by any individual (or automated worm) via the Internet. Code modifications to the SSL libraries are relatively easy, making automated attack tools easy to develop if they are not already in the wild. Without any additional ability to currently identify if the service has been exploited, the potential risks to compromise are extremely high.
Identifying Vulnerable Installations
Cerberus Sentinel has developed a free tool that can be used to quickly identify affected servers that can be accessed here:
Unlike some of the other test platforms made available to test for this vulnerability, our platform simply validates that additional data was sent back indicating a successful compromise. This data is never displayed or stored on our servers to ensure it cannot be used for malicious purposes. This service can also be used to test mail and ftp services that support SSL through the “starttls” mechanism.
Software built using the vulnerable 1.0.1 versions (since March 14, 2012) is potentially affected. Microsoft servers should not be affected as they do not use OpenSLL natively, and the Apple operating systems appear to be using an older OpenSSL library that is also not affected. Many vendors, however, are still evaluating whether their software is affected.
Cerberus Sentinel recommends customers take immediate actions to identify if they have SSL-based services affected by this flaw, particularly any SSL-based web, mail, or VPN services exposed to the Internet. Any affected services should have the updated libraries installed, and new SSL keys generated as soon as possible.
As of April 8, 2014 Cerberus Sentinel has already seen evidence of major Linux distributions sending out automatic updates, so these should be rolled into production as soon as possible.
This bug was independently discovered by a team of security engineers (Riku, Antti and Matti) at Codenomicon and Neel Mehta of Google Security, who first reported it to the OpenSSL team. More information regarding their findings and more details about this vulnerability can be found on their blog heartbleed.com.
Scott Miles, summarized these findings and developed the Cerberus Sentinel testing tool for this vulnerability.
Cerberus Advisory Contact: Scott Miles
Disclaimer: The information in the advisory is believed to be accurate at the time of publishing and is subject to change without notice. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. The author is not liable for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.