Be Still My Bleeding Heart! Q&A on the HeartBleed Bug

What is it?

It’s a bug in the software that your browser and a server use to secure your communications back and forth, the same mechanism that gives you the little padlock in your browser when the URL begins with HTTPS.

Technical Explanation

It is a bug in OpenSSL. It affects versions 1.0.1 through 1.0.1f (inclusive), and it mostly affects servers that run Apache and NGINX. OpenSSL is used in a lot of things and the complete list of what is affected has yet to be tabulated, so there’s probably other stuff too. Apache and NGINX are the important ones to start with.

What does it do?

It allows bad guys to get important secret info.

Technical Explanation

A malicious actor can use the heartbeat feature in the vulnerable versions of OpenSSL to read the server’s live memory, 64k at a time, an unlimited number of times.

From the data they collect, they can try to extract valuable information such as usernames and passwords or, worse, the private key used in public/private keypair crypto. This is especially damning because the heartbeat channel typically isn’t monitored, so this attack leaves no traces.
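To make the defect concrete from the defender’s side, here is an added example (not code from the original post and not OpenSSL’s own source) of a heartbeat responder that performs the length check the vulnerable versions lacked. The record layout follows RFC 6520 (one type byte, a two-byte payload length, the payload, then at least 16 bytes of padding); the function names, the sample records and the fixed 16-byte padding are assumptions made for this illustration. The vulnerable code trusted the declared payload length and copied that many bytes out of the record buffer; the check against the record’s real length is what stops the over-read.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Wire format of a TLS heartbeat message (RFC 6520):
 *   1 byte  type (1 = request, 2 = response)
 *   2 bytes payload_length (big-endian)
 *   payload_length bytes of payload
 *   at least 16 bytes of random padding
 */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16

/* Build a heartbeat response for a received, already-decrypted record.
 * Returns the number of response bytes written, or -1 if the record is
 * malformed. The comparison of the declared payload length against rec_len
 * (the number of bytes actually received) is the essential check: without
 * it, memcpy below would read past the end of the record and leak whatever
 * happens to sit after it in memory. */
int heartbeat_response(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_MIN_PADDING)   /* too short to be a valid heartbeat */
        return -1;
    if (rec[0] != HB_REQUEST)
        return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    /* Declared payload must fit inside the record we actually received. */
    if (1 + 2 + payload_len + HB_MIN_PADDING > rec_len)
        return -1;
    size_t resp_len = 1 + 2 + payload_len + HB_MIN_PADDING;
    if (resp_len > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xff);
    memcpy(out + 3, rec + 3, payload_len);   /* safe: bounded by rec_len above */
    /* Padding should be random in a real implementation; zeros keep this
     * example deterministic. */
    memset(out + 3 + payload_len, 0, HB_MIN_PADDING);
    return (int)resp_len;
}

/* Convenience wrapper (assumed name) that only reports the response length. */
int response_length_for(const uint8_t *rec, size_t rec_len)
{
    uint8_t out[256];
    return heartbeat_response(rec, rec_len, out, sizeof out);
}

/* Constructed sample: a well-formed request carrying the 4-byte payload "ping". */
static const uint8_t GOOD_RECORD[] = { 1, 0x00, 0x04, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
/* Constructed sample: same 4-byte payload, but the header claims 4096 bytes. */
static const uint8_t BAD_RECORD[]  = { 1, 0x10, 0x00, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };

int main(void)
{
    printf("well-formed record  -> %d bytes\n",
           response_length_for(GOOD_RECORD, sizeof GOOD_RECORD));
    printf("oversized claim     -> %d (rejected)\n",
           response_length_for(BAD_RECORD, sizeof BAD_RECORD));
    return 0;
}
```

A well-formed 23-byte request yields a 23-byte response; the record whose header claims more payload than was received is rejected instead of being echoed back with extra memory appended.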

Is it bad?

Yes. The sky isn’t falling, but yes, it’s a bad one.

Technical Explanation

Most of the testing has been done in a controlled environment, against servers that the testers owned, so results may differ in the real world, but private information was successfully retrieved with this method.

A few brave souls have actually run POC code against servers they did not own, without the owners’ explicit permission. These people were also able to retrieve some important information, and they opened themselves up to all sorts of legal problems for performing free, unrequested, unauthorized penetration tests and kindly providing, on their blogs, evidence that can be used against them. (We usually call that hacking, by the way.)

How can it be fixed?

The sysadmins of the affected servers need to fix this. It’s on them.

Technical Explanation

This needs to be addressed on a per-server basis.

If the server is using a vulnerable version of OpenSSL, the sysadmin for that server needs to upgrade OpenSSL to 1.0.1g or, if upgrading isn’t an option, recompile it with the -DOPENSSL_NO_HEARTBEATS switch to disable the heartbeat feature. They should get all new certificates and, to be extra safe, perform a password sweep and recommend that their users perform one as well.
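The first step of that per-server check is knowing which OpenSSL build is installed. The following is an added example (not from the original post and not an OpenSSL tool) that classifies the banner printed by `openssl version`, such as `OpenSSL 1.0.1e 11 Feb 2013`, against the affected range stated above: 1.0.1 with no letter and 1.0.1a through 1.0.1f. The function and enum names are assumptions made for this illustration; the sample banners are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

enum hb_status { HB_NOT_AFFECTED = 0, HB_AFFECTED = 1, HB_UNKNOWN = -1 };

/* Classify an `openssl version` banner against the affected range
 * (1.0.1 through 1.0.1f). Anything that is not a 1.0.1 release never had
 * the bug; a banner that does not look like OpenSSL is reported as unknown. */
enum hb_status classify_openssl_version(const char *banner)
{
    const char *p = strstr(banner, "OpenSSL ");
    if (p == NULL)
        return HB_UNKNOWN;
    p += strlen("OpenSSL ");

    int major, minor, fix, consumed = 0;
    if (sscanf(p, "%d.%d.%d%n", &major, &minor, &fix, &consumed) != 3)
        return HB_UNKNOWN;
    if (major != 1 || minor != 0 || fix != 1)
        return HB_NOT_AFFECTED;         /* 0.9.8, 1.0.0, 1.0.2 and later */

    char letter = p[consumed];          /* the patch letter, if any */
    if (letter == '\0' || isspace((unsigned char)letter))
        return HB_AFFECTED;             /* plain 1.0.1 */
    if (!islower((unsigned char)letter))
        return HB_UNKNOWN;
    return (letter <= 'f') ? HB_AFFECTED : HB_NOT_AFFECTED;
}

static const char *status_name(enum hb_status s)
{
    switch (s) {
    case HB_AFFECTED:     return "affected (confirm patch status with your package manager)";
    case HB_NOT_AFFECTED: return "not affected";
    default:              return "unrecognised version string";
    }
}

int main(void)
{
    /* Constructed sample banners in the format `openssl version` prints. */
    const char *samples[] = {
        "OpenSSL 1.0.1e 11 Feb 2013",
        "OpenSSL 1.0.1g 7 Apr 2014",
        "OpenSSL 1.0.1 14 Mar 2012",
        "OpenSSL 0.9.8y 5 Feb 2013",
        "OpenSSL 1.0.2 22 Jan 2015",
        "LibreSSL 2.0",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-30s -> %s\n", samples[i],
               status_name(classify_openssl_version(samples[i])));
    return 0;
}
```

Treat an "affected" result as a prompt to verify rather than a verdict: distribution vendors commonly backport a security fix into their package without changing the upstream version letter, and a build recompiled with -DOPENSSL_NO_HEARTBEATS also keeps its original version string, so the package changelog (or the vendor’s advisory) is the authoritative source for whether the installed build is fixed.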

Why did we not know sooner?

OpenSSL is free and maintained by a small team of volunteers. Because it’s free, lots of people use it. Mistakes happen.

Technical Explanation

OpenSSL is maintained by a small team of volunteers who don’t get paid for their efforts. Maybe it’s time to fund them properly, given the large number of services that rely on OpenSSL. Perhaps we should start looking at performing in-depth code reviews of all the open source projects that power the infrastructure of the web?

Recent events have confirmed that there are adversaries actively trying to weaken secure communications in order to ease their interception, regardless of the fact that this makes those communications easier for anybody to access.

So what should I do?

Addendum: Maybe wait until the affected service you use has addressed the issue.

CNET has compiled a list of services that have patched/recompiled OpenSSL: http://www.cnet.com/how-to/which-sites-have-patched-the-heartbleed-bug/

As always, stay safe, and don’t hesitate to post questions in the comments.

@Jean_Taggart

ABOUT THE AUTHOR

Jean Taggart

Senior Security Researcher

Incorrigible technophile who loves to break stuff and habitually voids warranties.