OpenSSL vulnerability allows hackers to read 64k of memory on target server

HeartBleed: A potentially critical security vulnerability in OpenSSL has been discovered that allows an attacker to read up to 64 kilobytes of memory per request from a server running a vulnerable OpenSSL version.

As a normal user, you may not be aware of what OpenSSL is.  It is a cryptographic library that implements SSL/TLS and is used for encrypting the communication between a web server and its users; plenty of websites rely on it, including Google, Yahoo and Twitter.

The bug (CVE-2014-0160), dubbed 'HeartBleed', was independently discovered by Neel Mehta of the Google Security team and by Codenomicon.  The bug is appropriately named HeartBleed because the vulnerability is located in the TLS HeartBeat extension and it leads to server memory being disclosed to the peer.

The attacker can read only up to 64k of memory in one iteration of the attack.  However, according to heartbleed.com, an attacker can "keep reconnecting or during an active TLS connection keep requesting arbitrary number of 64 kilobyte chunks of memory content until enough secrets are revealed".

Among the secrets that can be retrieved this way is the private key used to protect the communication.  With it, an attacker can decrypt the traffic between server and users as if it wasn't encrypted at all (for connections that were not using a forward-secret cipher suite) and can impersonate the server.  Session keys, cookies and passwords that happen to sit in the leaked memory are exposed directly.

How to fix it?
If your server is running any OpenSSL release from 1.0.1 through 1.0.1f (or the 1.0.2-beta1 pre-release), upgrade to 1.0.1g.  The 1.0.0 and 0.9.8 branches never had the HeartBeat code, so they are not vulnerable to this bug.  As a temporary fix, the HeartBeat extension can be removed by recompiling OpenSSL with -DOPENSSL_NO_HEARTBEATS.  Since the private key may already have been read, patching alone is not enough: generate a new key, reissue the certificate and revoke the old one after upgrading.

Check whether your server is vulnerable or not:
"http://filippo.io/Heartbleed/" lets you find out whether your server is vulnerable to this bug or not.

Details about the Bug:
The TLS Heartbeat extension is a keep-alive ping from one end to the other: the client sends a heartbeat request carrying an arbitrary payload together with a field stating the payload's length, and the server responds with a message carrying the same payload.

But if an attacker sends a small payload (let's say 1 kilobyte) and claims it is larger (64k), then a server running vulnerable OpenSSL trusts the claimed length and copies that many bytes from the buffer holding the request.  The response therefore contains the attacker's 1 kilobyte of data followed by 63 kilobytes of whatever happened to sit next to it in the server's memory.
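To make the mechanism concrete, here is an added example in C that models the vulnerable handler beside its fix.  It is not OpenSSL's code (the real function is tls1_process_heartbeat in ssl/t1_lib.c) and uses simplified structures of my own: a constructed g_memory buffer stands in for the server's heap, build_memory lays out a request that carries a 5-byte payload but claims 65535, and contains checks whether the fake secret placed right after the record shows up in the response.  The names g_memory, g_response, build_memory, contains, heartbeat_vulnerable and heartbeat_fixed are assumptions made for this demo; the bounds check in heartbeat_fixed mirrors the one introduced in 1.0.1g.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example (not OpenSSL's code): a stripped-down model of the
 * OpenSSL 1.0.1 heartbeat handler, vulnerable and fixed.  A heartbeat
 * message body is laid out as
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (16 bytes)
 */

#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_PADDING     16
#define HB_MAX_PAYLOAD 65535                 /* the length field is 16 bits */
#define MEM_SIZE (3 + HB_MAX_PAYLOAD + HB_PADDING + 256)

/* Constructed stand-in for the server's heap (assumption for the demo):
 * the received record sits at the start, and whatever follows it (here a
 * fake secret) is what an over-read copies.  Sized so that even a
 * 65535-byte claim stays inside it and the demo never reads memory it
 * does not own. */
unsigned char g_memory[MEM_SIZE];
unsigned char g_response[MEM_SIZE];

/* Lay out a heartbeat request carrying `actual` bytes of payload while
 * claiming `claimed` bytes, then place `secret` right after the record.
 * Returns the real record length (what rrec.length is in OpenSSL). */
size_t build_memory(unsigned int claimed, const char *actual, const char *secret)
{
    size_t alen = strlen(actual);
    size_t rec_len = 1 + 2 + alen + HB_PADDING;
    memset(g_memory, 0, sizeof g_memory);
    g_memory[0] = HB_REQUEST;
    g_memory[1] = (unsigned char)(claimed >> 8);
    g_memory[2] = (unsigned char)(claimed & 0xff);
    memcpy(g_memory + 3, actual, alen);
    /* padding is left as zero bytes; the secret starts right after the record */
    memcpy(g_memory + rec_len, secret, strlen(secret));
    return rec_len;
}

/* Vulnerable handler: copies as many bytes as the peer-supplied length
 * says, never checking how many bytes actually arrived. */
long heartbeat_vulnerable(const unsigned char *rec, size_t rec_len, unsigned char *out)
{
    const unsigned char *p = rec;
    unsigned int hbtype = *p++;
    unsigned int payload = (unsigned int)(p[0] << 8) | p[1];   /* n2s(p, payload) */
    p += 2;
    (void)rec_len;                       /* never consulted: that is the bug */
    if (hbtype != HB_REQUEST) return -1;

    unsigned char *bp = out;
    *bp++ = HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);
    *bp++ = (unsigned char)(payload & 0xff);
    memcpy(bp, p, payload);              /* over-read past the end of the record */
    bp += payload;
    memset(bp, 0, HB_PADDING);           /* OpenSSL fills this with random bytes */
    return (long)(3 + payload + HB_PADDING);
}

/* Fixed handler (1.0.1g semantics): silently discard the message when the
 * declared payload does not fit in what was received.  Returns 0 on discard. */
long heartbeat_fixed(const unsigned char *rec, size_t rec_len, unsigned char *out)
{
    if (1 + 2 + HB_PADDING > rec_len) return 0;       /* too short to hold a header */
    const unsigned char *p = rec;
    unsigned int hbtype = *p++;
    unsigned int payload = (unsigned int)(p[0] << 8) | p[1];
    p += 2;
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return 0;   /* the fix */
    if (hbtype != HB_REQUEST) return -1;

    unsigned char *bp = out;
    *bp++ = HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);
    *bp++ = (unsigned char)(payload & 0xff);
    memcpy(bp, p, payload);
    bp += payload;
    memset(bp, 0, HB_PADDING);
    return (long)(3 + payload + HB_PADDING);
}

/* Does the byte string `hay` (length n) contain the NUL-terminated `needle`? */
int contains(const unsigned char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; m > 0 && i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

int main(void)
{
    const char *secret = "-----BEGIN RSA PRIVATE KEY-----";   /* constructed fake secret */
    /* the attacker sends 5 real bytes but claims 65535 */
    size_t rec_len = build_memory(HB_MAX_PAYLOAD, "hello", secret);
    long n = heartbeat_vulnerable(g_memory, rec_len, g_response);
    printf("vulnerable: %ld-byte response, secret leaked: %s\n",
           n, contains(g_response, (size_t)n, secret) ? "yes" : "no");
    n = heartbeat_fixed(g_memory, rec_len, g_response);
    printf("fixed: request %s\n", n == 0 ? "discarded" : "answered");
    return 0;
}
```

Compile with any C99 compiler and run: the vulnerable handler answers the 5-byte request with a 65554-byte response that contains the fake private-key header, while the fixed handler returns 0 (discard) for the same request and still answers an honest request whose claimed length matches its payload.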

Technical details of this bug can be found here (read it only if you are comfortable with C).

Here is a PoC script written in Python: https://gist.github.com/ixs/10116537

*Update:
Metasploit Module:
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb

Nessus Plugin:
http://www.tenable.com/plugins/index.php?view=single&id=73404

Nmap Script (NSE):
http://nmap.org/nsedoc/scripts/ssl-heartbleed.html

One should always be careful when using pointers in C programming ;)