
THE IMPACT OF HEARTBLEED - PowerPoint PPT Presentation



  1. University of Cyprus - Department of Computer Science. EPL 682: Advanced Topics in Security. Topic: Bugs. Adamos Koumi

  2. THE MATTER OF HEARTBLEED; UNDERSTANDING THE REPRODUCIBILITY OF CROWD-REPORTED SECURITY VULNERABILITIES

  3. MEMORY ERROR VULNERABILITY
      - A security vulnerability that allows attackers to manipulate in-memory content to crash a program or obtain unauthorized access to a system.
      - Memory error vulnerabilities such as "Stack Overflows", "Heap Overflows", and "Use After Free" have been ranked among the most dangerous software errors.

  4. THE MATTER OF HEARTBLEED
      - *Z. Durumeric¹, J. Kasten¹, D. Adrian¹, J. A. Halderman¹, M. Bailey¹˒², *F. Li³, N. Weaver³˒⁴, J. Amann⁴, J. Beekman³, M. Payer³˒⁵, V. Paxson³˒⁴
      - ¹ University of Michigan, ² University of Illinois, Urbana Champaign, ³ EECS, University of California, Berkeley, ⁴ International Computer Science Institute, ⁵ Purdue University

  5. THE MATTER OF HEARTBLEED
      - On April 7, 2014, the OpenSSL project publicly disclosed the Heartbleed vulnerability.
      - A bug in the implementation of the TLS Heartbeat Extension.
      - The vulnerability allowed attackers to read protected memory from servers as well as clients.

  6. BACKGROUND
      - OpenSSL: open-source cryptographic library that implements the SSL and TLS protocols.
      - The Heartbeat Extension:
        - Lets either end-point of a TLS connection detect whether its peer is still present.
        - Motivated by the need for session management in Datagram TLS (DTLS).
        - Not required for standard implementations of TLS (which use TCP for session management).

  7. HEARTBEAT EXTENSION
      - Peers indicate support for the extension during the initial TLS handshake.
      - Following negotiation, either end-point can send a HeartbeatRequest message to verify connectivity.

  8. NORMAL HEARTBEAT
      - Heartbeat Request: Type 01, Length 2, Payload "hi", Random padding e7f0n2......
      - Heartbeat Response: Type 02, Length 2, Payload "hi", Random padding dc0n2......

  9. HEARTBLEED VULNERABILITY
      - The OpenSSL Heartbeat Extension vulnerability allowed either end-point to read data following the payload message in its peer's memory.
      - How? By specifying a payload length larger than the amount of data in the message.
      - Bug: the peer trusts the attacker-specified length of an attacker-controlled message.

  10. HEARTBLEED VULNERABILITY
      - Heartbeat Request (from the attacker): Type 01, Length 64kb, Payload "hi", Random padding e7f0n2......
      - Heartbeat Response: Type 02, Length 64kb, Payload "hi, username, private cryptographic keys……", Random padding dc0n2......

  11. HEARTBLEED TIMELINE
      - 21/03 Neel Mehta of Google discovers Heartbleed
      - 21/03 Google patches OpenSSL on their servers
      - 01/04 Google notifies the OpenSSL core team
      - 02/04 Codenomicon independently discovers Heartbleed
      - 03/04 Codenomicon informs NCSC-FI (National Cyber Security Centre Finland)
      - 06/04 OpenSSL notifies several Linux distributions
      - 07/04 NCSC-FI notifies OpenSSL core team
      - 07/04 OpenSSL releases version 1.0.1g and a security advisory
      - 08/04 Al-Bassam scans the Alexa Top 10,000
      - 09/04 University of Michigan begins scanning

  12. SOLUTIONS
      - Patch: discards the HeartbeatRequest if the payload length field exceeds the length of the payload.
      - Recompile OpenSSL with the Heartbeat code removed, using the compile-time option -DOPENSSL_NO_HEARTBEATS.

  13. THE IMPACT OF HEARTBLEED
      - Performed regular vulnerability scans against:
        - Alexa Top 1 Million domains
        - 1% samples of the public, non-reserved IPv4 address space
      - Every 8 hours, between April 9 and June 4.
      - Scanning methodology:
        - Modified ZMap to send Heartbeat requests with no payload, no padding, and zero length.
        - TLS, DTLS: these requests should be rejected.
        - Vulnerable versions of OpenSSL send a response containing only padding.

  14. SCANNING METHODOLOGY
      - Heartbeat Request: Type 01, Length 0 (no data), no padding
      - Heartbeat Response: Type 02, Length 0 (no data), Random padding dc0n2......

  15. ALEXA TOP 100
      - All of the Alexa Top 100 websites were patched within 48 hours of disclosure.
      - At least 44 of the Alexa Top 100 websites were vulnerable.
        - Combining press releases, Mashable's report, and Al-Bassam's scan

  16. ESTIMATING INITIAL IMPACT
      - Upper bound
        - 60% of HTTPS sites support the Heartbeat extension
        - 91% of these were powered by known vulnerable web servers
        - At most about 55% of the HTTPS sites in the Alexa Top 1 Million were initially vulnerable

  17. ESTIMATING INITIAL IMPACT
      - Lower bound
        - TLS 1.1 and 1.2: features introduced in OpenSSL 1.0.1 with the Heartbeat Extension.
        - 32.6% of sites supported TLS 1.1 or 1.2.
        - 72.7% used known vulnerable web servers.
        - At least about 24% of the HTTPS sites in the Alexa Top 1 Million were initially vulnerable.
      - Estimate -> 24 – 55% of HTTPS servers in the Alexa Top 1 Million were initially vulnerable

  18. VULNERABLE DEVICES AND PRODUCTS
      - Heartbleed affected embedded systems.
      - Communication Servers: Zimbra collaboration, iPECS VoIP systems, and Polycom and Cisco video conference products.
      - Software Control Panels: Puppet Enterprise Dashboard, IBM System X Integrated Management Modules control panel, VMWare servers, Parallels control panels for Plesk.
      - Network Attached Storage: QNAP, D-Link, ReadyNAS, LaCie, Synology, and Western Digital NAS devices.
      - Firewall and VPN Devices: Cisco, SonicWALL, WatchGuard, OpenVPN
      - Printers: Dell, Lexmark, Brother, HP printers.
      - Miscellaneous: Hikvision and SWANN security cameras, AcquiSuite power monitors, SpeedLine Solutions ("Pizza POS System")

  19. OTHER IMPACTS
      - Mail servers: can use TLS for transport security via a StartTLS directive within a plaintext session.
      - Scanned a random 1% sample of the IPv4 address space for vulnerable SMTP servers.
      - 45% of those providing SMTP+TLS supported the Heartbeat Extension.
      - 7.5% were vulnerable to Heartbleed.

  20. OTHER IMPACTS
      - Tor relays and bridges use OpenSSL to provide TLS-enabled inter-relay communication.
      - April 10 scan (3 days after announcement of the vulnerability):
        - Found that 97% of relays supported Heartbeat.
        - 48% of the relays remained vulnerable at that time.
      - The vulnerability allowed an attacker to:
        - extract both short-term onion and long-term identity keys.
        - intercept traffic and impersonate a relay.
      - Tor client vulnerability: allowed entry guards to read sensitive information from a client's memory, such as recently visited websites.

  21. OTHER IMPACTS
      - Bitcoin Clients / Exchanges
        - Bitcoin software from May 2012 to April 2014 used a vulnerable OpenSSL version.
        - After Heartbleed's disclosure, a new Bitcoin version was released linking to the newly patched OpenSSL version.
      - Heartbleed allowed attackers to:
        - compromise wallets
        - retrieve private keys
      - 12 customers had a total of 28 BTC (≈ $6,500) stolen from BTCJam after account credentials were compromised.

  22. OTHER IMPACTS
      - Android
        - Heartbleed only affected Android version 4.1.1.
        - Google estimated that 33.5% of all Android devices are currently running Android 4.1.
        - A vulnerable device would have been susceptible to having memory read by a malicious server.

  23. OTHER IMPACTS
      - Wireless Networks
        - Extended Authentication Protocol: a framework for wireless network authentication that uses TLS.
        - Heartbleed allowed attackers to retrieve network keys and user credentials from wireless clients and access points.

  24. PATCHING BEHAVIOR
      - Alexa Top 1 Million sites patched within the first week, the patch rate quickly dropped after two weeks.

  25. CERTIFICATE REPLACEMENT
      - Heartbleed allowed attackers to extract private cryptographic keys.
      - The security community recommended that administrators:
        - generate new cryptographic keys
        - revoke compromised certificates
      - To track which sites replaced certificates and cryptographic keys, they combined data from:
        - Heartbleed scans,
        - Michigan's daily scans of the HTTPS ecosystem,
        - ICSI's Certificate Notary service

  26. CERTIFICATE REPLACEMENT
      - Less than 40% of Alexa Top 1 Million sites replaced certificates in the week following disclosure.
      - Only 10% of the sites that were vulnerable 48 hours after disclosure replaced their certificates within the next month.
      - Of those that did, 14% re-used the same private key, gaining no actual protection by the replacement.
      - Only 19% of the vulnerable sites that did replace their certificates revoked the original certificate in the same time frame.

  27. ATTACK SCENE
      - They analyzed who was scanning for the Heartbleed vulnerability by examining network traffic collected from passive taps at:
        - Lawrence Berkeley National Laboratory (LBNL),
        - International Computer Science Institute (ICSI),
        - National Energy Research Scientific Computing Center (NERSC),
        - a honeypot operated on Amazon EC2.
      - To detect Heartbleed scanning, they extended Bro's SSL/TLS analyzer to recognize Heartbeat messages.
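
The length check from slides 9, 10 and 12, and the zero-length probe from slides 13 and 14, as an added C example that is not part of the original slides and is not OpenSSL's code. The names `hb_respond`, `HEAP`, `sample_leaks` and `probe_reply_len` are hypothetical, the sample bytes are constructed, and the fixed 0xA5 padding stands in for random padding.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Header is 1-byte type + 2-byte length; RFC 6520 requires >= 16 padding bytes. */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_HDR = 3, HB_MIN_PAD = 16 };

/* Answer the request in mem[0..rec_len). mem_len bounds the constructed buffer
 * and only keeps this demo memory-safe. Returns reply size, 0 = discarded. */
size_t hb_respond(const uint8_t *mem, size_t mem_len, size_t rec_len,
                  uint8_t *out, size_t out_cap, int patched)
{
    if (rec_len < HB_HDR || rec_len > mem_len || mem[0] != HB_REQUEST) return 0;
    size_t claimed = ((size_t)mem[1] << 8) | mem[2];    /* sender-controlled */
    /* The fix: claimed payload + minimum padding must fit in what arrived. */
    if (patched && HB_HDR + claimed + HB_MIN_PAD > rec_len) return 0;
    size_t reply_len = HB_HDR + claimed + HB_MIN_PAD;
    if (HB_HDR + claimed > mem_len || reply_len > out_cap) return 0; /* demo guard */
    out[0] = HB_RESPONSE; out[1] = mem[1]; out[2] = mem[2];
    memcpy(out + HB_HDR, mem + HB_HDR, claimed);        /* unpatched: may pass rec_len */
    memset(out + HB_HDR + claimed, 0xA5, HB_MIN_PAD);   /* stand-in for random padding */
    return reply_len;
}

/* Constructed: 21-byte request ("hi" + 16 pad) claiming 24 bytes, then other data. */
static const uint8_t HEAP[] = { 0x01, 0x00, 0x18, 'h', 'i',
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, 'S','E','C','R','E','T' };

/* 1 if the reply to the sample request echoes the adjacent "SECRET". */
int sample_leaks(int patched)
{
    uint8_t out[64];
    size_t n = hb_respond(HEAP, sizeof HEAP, 21, out, sizeof out, patched);
    return n == 43 && memcmp(out + HB_HDR + 18, "SECRET", 6) == 0;
}

/* Reply size for the scan probe: zero length, no payload, no padding. */
size_t probe_reply_len(int patched)
{
    static const uint8_t probe[] = { HB_REQUEST, 0x00, 0x00 };
    uint8_t out[64];
    return hb_respond(probe, sizeof probe, sizeof probe, out, sizeof out, patched);
}

int main(void)
{
    printf("leak %d/%d, probe reply %zu/%zu bytes (unpatched/patched)\n", sample_leaks(0),
           sample_leaks(1), probe_reply_len(0), probe_reply_len(1));
    return 0;
}
```

The unpatched path answers the zero-length probe with 19 bytes (header plus padding only) while the patched path stays silent, which is the difference the scans relied on to tell the two apart.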
