Heartbleed

from Wikipedia, the free encyclopedia
Heartbleed logo

The Heartbleed bug is a serious program error in older versions of the OpenSSL open source library , which allows private data to be read from clients and servers via encrypted TLS connections . The bug affects OpenSSL versions 1.0.1 to 1.0.1f and was fixed with version 1.0.1g on April 7, 2014. A large part of the online services , including well-known websites as well as VoIP telephones, routers and network printers, were therefore vulnerable to attacks.

description

Pictorial representation of how Heartbleed works

The error is in the OpenSSL implementation of the Heartbeat extension for the TLS and DTLS encryption protocols . The heartbeat extension provides for a communication participant to send any amount of data ( payload and padding ) of up to 16  kbytes to the other side, which then sends back the payload part unchanged, which can periodically check whether the connection to the server is established still exists.

By default, compilers of the C programming language used for OpenSSL do not generate any code to automatically check the data length. If the programmer does not explicitly intercept such errors with additional program code, no check is carried out to determine whether the specified length of the data corresponds to the actual length of the data supplied. If the specified length is greater than the actual length, the OpenSSL implementation copies data from the heap into the output buffer beyond the end of the input buffer. Due to the lack of verification, an attacker can read up to 64 kB of the work memory of the remote station with a request . The attack can be carried out several times in a row to read more memory. In tests, among other things, it was possible to read out the private key of the server certificate , user names and passwords from servers .

Emergence

The source code with the error was added to the OpenSSL Git repository on December 31, 2011 by the only permanent employee of the OpenSSL team from the design branch and was first published on March 14, 2012 with OpenSSL version 1.0.1 . The code was previously developed by a student from the Münster University of Applied Sciences and the University of Duisburg-Essen as part of the preparatory work for his dissertation on the SCTP protocol and submitted as a draft to OpenSSL. It extends OpenSSL by a heartbeat procedure. The procedure was specified by the student and two co-authors in RFC 6520 and enables TLS and DTLS to query whether the other party can still be reached. So z. For example, the connection status of any NAT routers involved in OpenSSL communication is refreshed so that the connection is not deleted in the event of temporary inactivity. With DTLS, the heartbeat method can be used for Path MTU Discovery . In the dissertation, the programmer justifies design decisions in the heartbeat specification, including the use of the padding field as protection against known plain text attacks .

The security gap is read access beyond the limits of a data buffer ( buffer over-read ). In contrast to a buffer overflow , no data is written outside of the buffer limits. The programmer stated that he made an unintentional programming error and failed to test an input variable that reported the length of the buffer to be returned. His mistake was trivial, but serious. He also stated that his mistake was apparently not noticed because too few people actually check the OpenSSL code.

In this context, OpenBSD and OpenSSH developer Theo de Raadt described the OpenSSL team as not being responsible because it explicitly bypasses a security mechanism that would not have allowed this error during development for performance reasons. The OpenSSL team used its own functions for memory allocation ( malloc ) and memory allocation ( free ) and thus bypassed possible protective mechanisms of the operating system. The OpenSSL team pointed to insufficient resources as a structural problem in the development of the software and asked for financial support.

discovery

On April 7, 2014, the OpenSSL team issued a security notice stating that OpenSSL versions 1.0.1 up to and including 1.0.1f and 1.0.2-beta up to and including 1.0.2-beta1 were affected by the so-called Heartbleed bug . However, it is possible to compile OpenSSL without the faulty heartbeat component ( -DOPENSSL_NO_HEARTBEATS); a version compiled in this way was also immune to a Heartbleed attack.

The vulnerability existed for a total of 27 months until it was independently discovered and fixed by Antti Karjalainen ( Codenomicon , Oulu, Finland) and Neel Mehta ( Google Security). Before the error became known to the public, some providers were already informed and then secured their systems.

Effects

The cryptologist and security expert Bruce Schneier describes the scope of the Heartbleed bug as:

“Catastrophic is the right word. On the scale of 1 to 10, this is an 11. "

“Catastrophic is the right word. On a scale from 1 to 10 this is an 11. "

- Bruce Schneier

Decryption of archived data

Apart from possibly tapped access data (user names, passwords), data traffic recorded long before the error was discovered can be subsequently decrypted with the private key of the server certificate, provided the encryption was not protected with Perfect Forward Secrecy . In addition, man-in-the-middle attacks can be carried out with the private key of the server certificate , provided the server certificate has not yet expired or has been revoked. All services can be affected, such as e-mail traffic or encrypted chats, provided an affected OpenSSL version was used. SSH is not affected as it does not use TLS.

The tapping of data leaves hardly any traces on an attacked system. It is therefore not certain to what extent the error was exploited. There are indications of abuse in November 2013. The Bloomberg news agency reported, citing "two informed people", that the Heartbleed bug was used by the NSA practically from the start , but the NSA director's office immediately denied this. In a study published in September 2014, several security researchers came to the conclusion that there was no evidence that the bug was being exploited before it was published.

Decryption during the connection to the web server

The private keys of the server certificates and possibly other access data must be viewed as compromised. It was recommended to replace them. Security-conscious users should change their passwords. Due to the high number of systems affected, this also presented professional certificate providers with challenges in April 2014.

In the context of Heartbleed, the insufficient options for checking for withdrawn server certificates ( CRL and OCSP ) were pointed out.

Decryption of the connection establishment on VoIP telephones, network printers and routers

TLS connections are not only used to establish a secure connection to a web server. Also, VoIP phones, network printers and routers to authenticate variants of EAP use protocol are affected by the vulnerability. The Portuguese security expert Luis Grangeia used a concept example to show how private keys and certificate contents can be read out.

LibreSSL

In order to clean the source code of the OpenSSL library of unnecessary parts, the OpenBSD team created the fork LibreSSL . The source code has been adjusted by more than 90,000 lines (as of April 21, 2014).

Fixed other bugs

Due to the Heartbleed bug, the OpenSSL source code was checked more intensively in the period that followed, and so further gaps were discovered and closed in June 2014, including others from the programmer who also caused the Heartbleed bug.

Trivia

  • The Heartbleed bug resulted in a data theft from the Canadian tax office, in which social security numbers of 900 people were stolen within six hours . A 19-year-old teenager was arrested as the attacker.
  • Telecommunications manufacturer Cisco announced that some of its IP phone models have been affected by the Heartbleed bug.
  • Google's Android operating system was only affected in version 4.1.1 when the vulnerability became known.
  • The firmware updates provided to fix the Heartbleed bug resulted in a complete failure of some NAS models from Synology .
  • The webcomic xkcd explains the bug in its issue no.1354.
  • In contrast to OpenSSL, the alternative SSL libraries PolarSSL , GnuTLS , NSS and MatrixSSL were not affected by the Heartbleed vulnerability. In GnuTLS, however, a similar security vulnerability was discovered a short time later.
  • The Swedish metalcore band The Unguided dedicated a song to the Heartbleed bug on their album "And the Battle Royale".

Web links

Individual evidence

  1. R. Seggelmann, M. Tüxen, M. Williams: Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) Heartbeat extension ( RFC 6520 ) February 2012 found.
  2. This is how the Heartbleed exploit works
  3. existential type crisis: Diagnosis of the OpenSSL Heartbleed Bug ( Memento of April 9, 2014 in the Internet Archive ) detailed technical description, English, accessed on April 10, 2014.
  4. Password access: Heartbleed vulnerability with catastrophic consequences . Retrieved April 10, 2014.
  5. git-commit It is located there in the files ssl / d1_both.c ( Memento from September 1st, 2017 in the Internet Archive ) and ssl / t1_lib.c ( Memento from September 1st, 2017 in the Internet Archive )
  6. a b Robin Seggelmann. SCTP. Strategies to Secure End-To-End Communication , p. 66f. (PDF)
  7. R. Seggelmann, M. Tüxen, M. Williams: Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) Heartbeat extension ( RFC 6520 ) February 2012 found.
  8. ^ The programmer in the Sydney Morning Herald
  9. "Heartbleed" programmer speaks of an accident
  10. Theo De Raadt on Heartbleed ( Memento from April 11, 2014 in the Internet Archive )
  11. According to Heartbleed: OpenSSL Project Seeks Support.Retrieved April 16, 2014
  12. OpenSSL Security Advisory of April 7, 2014, accessed on April 10, 2014.
  13. The Heartbleed Bug English. Retrieved April 8, 2014.
  14. OpenSSL vulnerability: update recommended
  15. businessinsider.com
  16. How Codenomicon Found The Bug heartbleed Now plaguing The Internet English. Retrieved April 14, 2014.
  17. How Google and six Finns discovered "Heartbleed" at the same time. In: derStandard.at. April 13, 2014, accessed December 9, 2017 .
  18. bugfix
  19. Heartbleed disclosure timeline: who knew what and when English (accessed April 23, 2014).
  20. Update on the Heartbleed OpenSSL Vulnerability ( Memento from July 31, 2014 in the Internet Archive ) English (accessed on April 23, 2014).
  21. Heartbleed. schneier.com/blog; Retrieved April 11, 2014.
  22. golem.de
  23. The worst case scenario for encryption on the web: Horror bug in OpenSSL . Retrieved April 8, 2014.
  24. ↑ Read out keys with OpenSSL . Retrieved April 8, 2014.
  25. Traces of Heartbleed as early as November 2013. Accessed April 10, 2014.
  26. Spiegel Online from April 11, 2014: Internet security gap: NSA is said to have systematically exploited "Heartbleed" errors
  27. ^ Johannes Kuhn: Force of distrust. In: sueddeutsche.de . April 12, 2014, accessed October 13, 2018 .
  28. icontherecord.tumblr.com
  29. Heartbleed vulnerability was previously unknown. Retrieved September 15, 2014
  30. Heartbleed vulnerability: You need to change these passwords now. Accessed April 10, 2014.
  31. Heartbleed SSL-GAU: The country needs new certificates . Retrieved April 10, 2014.
  32. Withdrawal of certificates brings little. Retrieved on April 16, 2014
  33. Heartbleed and the SSL locking problem. Retrieved April 23, 2014
  34. Jörg Thoma: Heartbleed in WLAN routers.Retrieved on June 2, 2014
  35. OpenBSD team cleans up and forks OpenSSL. Retrieved April 23, 2014
  36. Seven in one go: OpenSSL closes security gaps. Accessed June 10, 2014
  37. Even more passion for OpenSSL. Accessed June 12, 2014
  38. Heartbleed: Data Theft from the Canadian Income Tax Office (accessed April 16, 2014).
  39. Teenager steals tax data via "Heartbleed" (accessed April 19, 2014).
  40. Many Cisco and Juniper Products Affected (Retrieved April 16, 2014).
  41. ^ Google Services Updated to Address OpenSSL CVE-2014-0160 (the Heartbleed bug) (Retrieved April 16, 2014).
  42. CVE-2014-0160 at MITER (English)
  43. Heartbleed bug fix paralyzes some NAS systems (accessed April 16, 2014).
  44. Webcomic XKCD of April 11, 2014: Heartbleed Explanation
  45. PolarSSL Security Advisory 2014-01
  46. How to stay protected for Heartbleed and other OpenSSL flaws
  47. ^ Heartbleed Poses Risk to Clients and the Internet of Things
  48. ^ MatrixSSL - Open Source Embedded SSL and TLS
  49. Linux hit by GnuTLS exploit, follows Heartbleed model
  50. The Unguided - Video premiere for “The Heartbleed Bug” • metal.de . In: metal.de . October 13, 2017 ( metal.de [accessed January 8, 2018]).