Broken Hearted? A Practical Look at the Heartbleed Vulnerability
Posted by Jason Hill on 11 April 2014 07:45 PM
Following on from our previous Heartbleed post, there have been countless reports on the far-reaching scale of this critical security flaw along with numerous discussions as to what 'exactly' an attacker can gain from exploiting the vulnerability.
Given the online and 'connected' nature of modern society, security and trust are the fundamental requirements of any online transaction in which personal or confidential data is transmitted. All of us, both technical and non-technical, have come to rely on the 'padlock in the address bar' - an indication that the website is handling our data securely, be that credentials, emails, financial records or status updates, with protection handled by the SSL or TLS protocols. It comes as no surprise that when the very thing that should be protecting us is compromised, in this case a feature within OpenSSL, that the implications can be far and wide.
Contributors: Abel Toro, Jason Hill, Alex Watson
What does this all mean?
As with any organized attack and as described by our 7 Stages of Advanced Threats, target reconnaissance precedes all other stages and, in this case will commence with determining which sites are (still) vulnerable to this OpenSSL vulnerability. As expected, given the widespread media exposure and severity of this flaw, numerous 'proof-of-concept' (PoC) scripts have been developed and are widely available thus allowing anyone with a command-line and an internet connection to start probing web-servers. Once a vulnerable site has been located, a threat actor can attempt to exploit the vulnerability, in this case by sending a specially crafted heartbeat packet which, rather than the original intended use, requests a larger than expected response which subsequently reveals up-to an additional 64k of memory. Once received, the threat actor can then attempt to sift through the returned data looking for 'interesting' items that can be further leveraged, for example, credentials or session IDs which would allow them to gain unauthorized access to the site in question or even, as widely suggested, private cryptography keys which could be used to compromise or impersonate the identity of a trusted site or person.
In practice - Obtaining Alice's credentials?
Targeting a specific user may prove impractical for a threat actor, especially on larger 'well-used' sites. For example, if our threat actor wanted to steal Alice’s login credentials for a specific site they wouldn't be able to specifically target 'Alice' and would have to keep running the exploit over a protracted period in the hope of harvest credentials which may or may not contain 'Alice's'. On the other hand, if the target site was smaller, less frequented or if it was known when Alice was likely to authenticate, the threat actor may have a higher chance of success although they would still need to be in the right place at the right time.
Given this, if you're thinking of changing your credentials it may be pertinent to ensure that the site is not vulnerable to the exploit.
Grabbing user names and passwords are relatively easy, private keys are more difficult.
Our research has shown that getting usernames, passwords and session IDs is quite feasible for an attacker in a real life scenario. The credentials can be stolen very quickly, without a trace and without much technical expertise.
However, while it is theoretically possible to retrieve the server’s private key using the Heartbleed vulnerability, in the real-world this is much more difficult than the aforementioned compromise of user names and passwords. At the time of writing, we have only seen one known successful PoC which can fully or partially extract the private key which required somewhat perfect conditions (for the threat actor):
As detailed in our previous post, Websense strongly recommends mitigation actions such as regenerating private keys and revoking/reissuing certificates.
In order to demonstrate this vulnerability in a real-life scenario, Websense Security Labs conducted a brief practical analysis of the vulnerability by exploiting a test web-server in our lab environment.
Having scanned our test server and determined that it was vulnerable, it was trivial to start reviewing the returned memory results and arguably took under a minute to harvest credentials and gain access to that user’s account. However, as previously stated we needed to be in the right place at the right time and therefore required our victim to authenticate/interact with the website in order for their credentials to actually be 'in memory'.
Furthermore, confirming our earlier statement, so long as the server remained un-patched, it was possible to monitor password changes. This clearly highlights the need to exercise caution when interacting with vulnerable hosts such as in this example:
User changes an existing password to ‘secret1234’:
Which is subsequently exposed when exploited:
Through the use of session cookies, it is also practical for a threat actor to steal credentials even if the user is never prompted to login. Browsing to a site from an already established session is often common practice for web-based email and social network users:
Given this, is would be wise to avoid even browsing to vulnerable sites and system administrators should invalidate all session cookies. While a WordPress site on a vulnerable platform was used for testing purposes, other vulnerable sites are likely to exhibit similar results, albeit unlikely to be in such as clean and predictable manner. In this scenario we simulated a victim browsing to their favorite site and, as they know about the Heartbleed bug, they go onto change their password. Additionally, the use of sessions can expose your credentials so you're not safe just because a login page wasn't displayed.
Read more »
"Heartbleed" Vulnerability in OpenSSL (CVE-2014-0160) Could Lead To Data Theft
Posted by Carl Leonard on 09 April 2014 10:26 PM
Websense® Security Labs™ has been tracking news of a vulnerability in the implementation of OpenSSL which has far-reaching implications for it's users and those impacted by it's use.
The vulnerability, CVE-2014-0160, allows a remote attacker to read the memory of systems protected by vulnerable versions of OpenSSL. Data that may be stolen includes certificates, private keys, Personally Identifiable Information (PII) and any other sensitive data.
For those not familiar with OpenSSL it is an Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. It is deployed in many scenarios such as within email servers and VPN systems, and can be embedded within operating systems. Any such system using the vulnerable version of OpenSSL is thus vulnerable to exploitation.
The vulnerability exists in OpenSSL v1.0.1 through v1.0.1f (also v1.0.2-beta1). Please refer to http://www.openssl.org/news/vulnerabilities.html for detailed information.
Please note: an updated (fixed) version of OpenSSL is now available in v1.0.1g
Confirmation of this can be found on https://www.openssl.org/news/secadv_20140407.txt (in anticipation of the openssl website being under heavy load, we have provided a screenshot of their advice below):
We strongly recommend that you establish whether vulnerable instances of OpenSSL are used in your environment, and if so, you should upgrade OpenSSL, or the software that uses OpenSSL, immediately.
Codenomicon, recognised as one of the discovering parties, have provided detail on this vulnerability as well as other mitigation actions that you should consider, which include:
It is understood that web server logs will not show whether the vulnerability has been used, thus making an attack difficult to detect from that perspective.
Our ThreatSeeker® Intelligence Cloud has identified that numerous Proof Of Concept tools have been launched online that can be used to show whether a particular website is vulnerable to CVE-2014-0160. We have seen reports to suggest that upwards of 600 of the Top 10,000 websites (as ranked by Alexa) are still vulnerable.
Websense Security Labs will continue to monitor the impact of this vulnerability.
Read more »