Heartbleed Bug Vulnerability: Discovery, Impact and Solution
Post on 08-May-2015
Heartbleed Bug Vulnerability: Discovery, Impact and Solution
Robin Alden, Rick Andrews, Bruce Morton, Jeremy Rowley, Wayne Thayer
The Experts
• Rick Andrews, Senior Technical Director, Symantec, CASC Member
• Jeremy Rowley, VP of Business Development, DigiCert, CASC Member
• Bruce Morton, Director, Certificate Services, Entrust, CASC Member
• Robin Alden, Chief Technology Officer, Comodo, CASC Member
• Wayne Thayer, VP & GM, Security Products, GoDaddy, CASC Member
Join the Conversation
#CASChangout bit.ly/1jAQCtk
About the CA Security Council
• Comprised of 7 leading global Certificate Authorities
• Committed to the exploration and promotion of best practices that advance trusted SSL deployment and CA operations
• The CASC works collaboratively to improve understanding of critical policies and their potential impact on the internet infrastructure
• https://casecurity.org/
Topics
• What is Heartbleed?
• Who is/was affected?
• How can I tell if I’m at risk?
• What steps should I take?
• How have Certificate Authorities responded?
• Conclusions
What is Heartbleed?
• Technical description
• Origin of the name
• Protocol bug or Implementation Error?
• Did the NSA create this or exploit this?
Technical description
• TLS Protocol extension ‘Heartbeat’ (RFC6520)
• Heartbeat messages used to check a TLS server is reachable and alive
• Message says ‘Send me these N(=5) bytes “#CASC” if you’re there’. Server replies “#CASC”
• The vulnerability (Heartbleed) occurs when the ‘N’ doesn’t match the length of the message. E.g. ‘Send me these N(=500) bytes “#CASC”’
• A vulnerable server sends back “#CASC” followed by 495 bytes of internal information, which could include the server’s private key, someone else’s password and credit card number.
• The bad guy gets to try for as many chunks (of 495 bytes) as he likes.
Origin of the name Heartbleed
• The vulnerability was discovered at around the same time by Google (1st April) and Codenomicon (3rd April)
• Codenomicon gave Heartbleed its name and logo in order to contribute to public awareness of the issue.
• It worked!
Protocol bug or Implementation Error?
• RFC6520 specifies the Heartbeat message to have separate length and payload fields. This is not unusual in such protocols.
• The implementation doesn’t check that the length of data it is to return is the same as the length of the data that was supplied to it in the first place (i.e. 500 <> length("Hello")).
• It accepts the (short) inbound message ("Hello"), and then replies with 500 bytes inadvertently revealing some of its internal state.
• It is an implementation error.
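The length check described above, as an added example in C (not code from the slides or from OpenSSL). Function names and the two sample messages are constructed for illustration; the 16-byte minimum padding is from RFC 6520, and the forged sample omits it so the result matches the slide's 495-byte figure.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HDR      3   /* 1-byte type + 2-byte payload_length (RFC 6520) */
#define HB_PADDING  16  /* RFC 6520 requires at least 16 padding bytes */

/* Declared payload_length from the message header (big-endian). */
static size_t hb_declared(const uint8_t *rec) {
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Bytes past the end of the received message that a handler trusting the
 * declared length would copy into its reply. Computed only, never read. */
size_t hb_overread_if_unchecked(const uint8_t *rec, size_t rec_len) {
    if (rec_len < HB_HDR) return 0;
    size_t have = rec_len - HB_HDR;
    return hb_declared(rec) > have ? hb_declared(rec) - have : 0;
}

/* Hardened handler: returns the response length, or 0 to silently discard
 * a message whose declared length does not fit in the bytes received. */
size_t hb_respond_checked(const uint8_t *rec, size_t rec_len,
                          uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HDR || rec[0] != HB_REQUEST) return 0;
    size_t n = hb_declared(rec);
    if (HB_HDR + n + HB_PADDING > rec_len) return 0;  /* the missing check */
    if (HB_HDR + n + HB_PADDING > out_cap) return 0;  /* reply must fit too */
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, n);            /* echo payload only */
    memset(out + HB_HDR + n, 0, HB_PADDING); /* zeros here; real padding is random */
    return HB_HDR + n + HB_PADDING;
}

/* Constructed samples: payload "#CASC" declared as 5 bytes, then as 500. */
static const uint8_t HB_OK[24] = {1, 0x00, 0x05, '#', 'C', 'A', 'S', 'C'};
static const uint8_t HB_BAD[8] = {1, 0x01, 0xF4, '#', 'C', 'A', 'S', 'C'};
static uint8_t hb_out[64];

int main(void) {
    size_t ok  = hb_respond_checked(HB_OK, sizeof HB_OK, hb_out, sizeof hb_out);
    size_t bad = hb_respond_checked(HB_BAD, sizeof HB_BAD, hb_out, sizeof hb_out);
    printf("honest request: reply of %zu bytes\n", ok);
    printf("forged request: reply of %zu bytes, unchecked over-read %zu bytes\n",
           bad, hb_overread_if_unchecked(HB_BAD, sizeof HB_BAD));
    return 0;
}
```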
Did the NSA create this or exploit this?
• We don’t know!
• A couple of reports of logs showing abuse of Heartbleed before its announcement, but none of these seem to have been substantiated.
• There is currently no public evidence that the NSA (or anyone else) created this vulnerability.
• Human error seems the most likely explanation for it.
• Although we don't think Heartbleed was exploited before it was discovered (around 1st April 2014), to be safe we are acting as if it may have been exploited, and that leads us to some of the recommendations we will be presenting later in this hangout.
Who is/was affected?
• Web sites large and small
• Smart phones
• CDNs
• Internet Routers
• Apps and Games
• Wifi Routers
• Embedded devices
Web sites large and small
• Netcraft reports ~17% of all web sites
• Google
– Search, Gmail, YouTube, Wallet, Play, Apps, App Engine, AdWords, DoubleClick, Maps, Maps Engine and Earth
• Yahoo
• Dropbox
• Wikimedia (including Wikipedia)
• Intuit TurboTax
Web sites large and small
Social Networking:
• Facebook
• Twitter
• Tumblr
• Pinterest
• Reddit
• Instagram
Tech sites:
• Amazon Web Services
• Ars Technica
• GitHub
• Sourceforge
Smart phones and tablets
• Android version 4.1.1 (Jelly Bean)
– ~34% of Android installed base
– Requires updates from device manufacturers and carriers
– Mostly HTC Evo, One S and One X
• Mobile apps
– Bank, payment and shopping apps
– Blackberry Secure Work Space and BBM Chat for iOS and Android
CDNs
• Akamai
• EdgeCast
• Limelight
• Fastly
• CloudFlare
• Incapsula
Internet Routers
• Cisco:
– Unified Communication Manager (UCM) 10.0
– MS200X Ethernet Access Switch
• F5
• Juniper’s SSL VPN software
• OpenVPN
• Tor Project
Apps
• Password Managers including LastPass
• LibreOffice
• LogMeIn
• McAfee anti-virus
• Blackberry Link for Windows and Mac OS
• Webex Messenger Service
• Cisco Registered Envelope Service (CRES)
• Games: Steam, Minecraft, Wargaming, League of Legends, etc.
Wifi Routers
• Apple AirPort Extreme and AirPort Time Capsule base stations, only if they have Back to My Mac or Send Diagnostics enabled (Mac OS X, iPhone, iPad not directly affected)
Miscellaneous
• Several Cisco Unified IP Phones
• Industrial Control Systems
• Embedded devices
How do I tell if I’m at risk?
• Check your website: https://sslcheck.casecurity.org
• Was my website ever at risk?
– Check with your hosting provider
– Is it running Apache or Nginx?
• If so, is it still at risk?
– Did you rekey your certificate after the site was patched?
How do I tell if I’m at risk?
• Your Certificate Authority:
– Since Heartbleed is a vulnerability in the protocol, it did not directly affect CAs’ certificate issuing systems or their root certificates
– Some CAs’ websites were affected
• Check your CA’s website for information
• If affected, they will have patched and rekeyed the certificate used on the site
• If their website was affected, they may ask you to change your password
• Browsers and other Clients:
– Mainstream browsers not affected
– Check with your vendors
– Scrutinize any in-house software that uses OpenSSL
– Test at https://reverseheartbleed.com
Does PFS Prevent Heartbleed?
• Perfect Forward Secrecy
– Attribute of ECDHE cipher suites
• Session keys never sent across the network with PFS
– Archives of encrypted traffic can’t be recovered
• But
– Not all clients support PFS ciphers!
– A compromised private key can still be used to intercept traffic in real time!
What steps should I take to address the bug?
If you are running a web server, then inform, fix, rekey, reissue, revoke, re-inform
• Inform users of your status
• Fix the OpenSSL problem
• Rekey server
• Reissue: install new certificate, revoke old certificate
• Re-inform users and request passwords be changed
• Perfect Forward Secrecy, second-factor authentication, end-to-end encryption, hardening
What steps should I take to address the bug?
If you are a client (application or browser user)
• Does your client software need an update?
• Check for updates of software
• Change passwords on sites that have been patched
• Check for Heartbleed
– CASC - https://sslcheck.casecurity.org
– Netcraft plugin - http://news.netcraft.com/archives/2014/04/17/netcraft-releases-heartbleed-indicator-for-chrome-firefox-and-opera.html
What steps should I take to address the bug?
Configure your browser to check for revoked certs
Response
• CAs received same-day notice of the vulnerability as customers (April 7, 2014)
– CA keys are stored offline and not subject to Heartbleed
• Support increase to cover the extra volume
• Outreach program to assist in corrective action
• Most CAs offered a free revoke and replace plan to account for the vulnerability
• A lot of over-time with double the volume
Updates
• Updated documentation, knowledge base articles, etc
• Email blast and telephone calls to customers
• Enhanced tools to detect vulnerabilities
– https://www.digicert.com/heartbleed-bug-vulnerability.htm#getaccess
– https://ssltools.websecurity.symantec.com/checker/views/certCheck.jsp
– https://sslcheck.globalsign.com/en_US
– https://sslanalyzer.comodoca.com/heartbleed.html
Noteworthy
• No Internet Slow Down
– CRLs v. OCSP
– Edge-based delivery
• Importance of Revocation
– http://bit.ly/1kq1GNd
– http://twit.tv/show/security-now/453
– Coordinated Effort among Community
– Accurate information
– Remediation assistance
– Positive feedback
Looking Ahead
• Work with remaining web server operators
• Push for MUST-STAPLE and turn on revocation
• Continued outreach with device makers and others
Conclusions
• Heartbleed is not an issue with the SSL/TLS trust system, but a problem of trust in a single software source
• OpenSSL has since received additional funding, but no software system is ever 100% secure
• Guidance on password policy still stands: don’t reuse passwords, change them often, etc.
• Revocation is a critical part of the SSL/TLS infrastructure
Contact Information
@CertCouncil
casecurity.org
linkedin.com/groups/Certificate-Authority-Security-Council-4852478/about