If at first you don't succeed, call it version 1.0

Contact Me

Sarvesh Kushwaha
Email : sarveshkushwaha@outlook.com

Total Pageviews

Powered by Blogger.

Sunday 13 April 2014

What is Heartbleed bug and Its solutions ?


Introduction 
From last few days Heartbleed trending on the internet and saying to the internet, I am the evil. People are calling this bug as "Biggest Security Threat" to the internet. Some Websites called this bug "Catastrophic".
I was Gawked to know i was not safe since 2011 December Since OpneSSL included Heartbeat Extension.








Background
This heartbleed bug is on internet since 2011 December and it got fixed a week ago .First it was found by Google Security team member NEEL MEHTA and a software firm called CODENOMICON. Codenomicon took the initiative about this bug and created a website for the information and solution of this bug i.e http://heartbleed.com.

Why we Need SSL ?
Before getting dive into the HeartBleed , i would like to tell you about why we need SSL (Secure Cocket Layer) also known as TSL (Transport security layer).
Usually we send the password,personal details,credit card details, selfie pics, social media posts over the internet . 

To encrypt such details we used HTTPS. To ensure any malicious person can not intercept these details we use OpenSSL. Which is a open source software for the implementation of SSL on the web.

But all the SSL implemented HeartBeat extensions are vulnerable to HeartBleed. Through HeartBeat extension attacker can read the client/server memory(64kb at a time) .

What is Heartbeat Extension ?
OpenSSL introduced an extension Heartbeat to keep seesion alive for longer time and to avoid reestablishment of sessions. Heartbeat introduced in OpnSSL with its 1.0.1 build release as defined in the RFC 6520 TLS/DTLS Heartbeat Extension. Heartbeat messages can be sent without authenticating with the server.For every request there might be a Heartbeatrequest and a Heartbeatresponse.
What is Heartbleed ?
YAY you got the nerve - "Vulnerability in Hearbeat causes Heartbleed".
Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software.
Are you Heartbleed Vulnurable ?
People have created the malicious script for heartbeat request and created many online checker .Following are the websites where you can test are your website is Heartbleed vulnerable or not.

How to exploit Heartbleed attack?
There are many available ways to exploit Heartbleed .Everyone has their proof of concepts .
Some of Ways liked by me :

Basically using idea of Heartbeat , client can send a Heartbeatrequest and server will have to respond with Heartbeatresponse.
The total length of a HeartbeatMessage(request/response) can NOT exceed 2^14 or max_fragment_length when negotiated as defined in [RFC6066]. So we are only able to leak 64 kb of memory and that could easily have usernames/password or any random information.
Which OpenSSL versions are vulnerable and Who are vulnerable to Heartbleed ?
Heartbleed is only exploit where vulnarable OpenSSL software has installed .Vulnerable versions are:
  •         1.0.1
  •          1.0.1a,
  •          1.0.1b,
  •          1.0.1c,
  •          1.0.1d,
  •          1.0.1e,
  •          1.0.1f,
  •          1.0.2-beta1. 


OpenSSL are installed mostly on the Apache servers and nginx servers. According to the Netcraft Half a million trusted websites are vulnerable to this Heartbleed Bug. Image Courtsey Netcraft :  LINK 


Are windows server safe ?
Being a .Net developer this is the first thing came into my mind, Are the websites developed by me and deployed on the Windows server using IIS are safe ?
According to the Microsoft they do not include OpenSSL and are not vulnerable to this Heartbleed. Microsoft has their own encryption component called SChannel (Abbreviated as Secure Channel) .But Those client which are running softwares on OpenSSL instead of  Schannel are vulnerable to this threat. 
Solutions to prevent Heartbleed attack :
Upgrade your OpenSSL : 
Apply an upgarde to OpenSSL 1.0.1g . Contact your software vendor to apply an update for this. 
Things to remember .
  1. Regenerate you Secret Keys(There might be possibility that attacker already hacked your cuurent secret key).
  2. Ask your users to change the password (I have receieved the offical mail request from tumblr to change password). 

Disable Heartbeat from Current installed SSL:
Steps to Do it :
  1.   Recompile your OpenSSL with the -DOPENSSL_NO_HEARTBEATS flag.
  2.  Restart your Apache and nginx server to effect the above command.  



I hope you liked this simple and straight article.I have insighted alot about this bug , we can have a healthy discussion here regarding this bug.
References and further readings:  




1 comment: