Heartbleed Bug

1/8

This material was developed with funding from the National Science Foundation under Grant # DUE 1601612

Next

Restart

Back

transport layer security (TLS) a cryptographic protocol designed to provide security over a network end to end. 

secure socket layer (SSL) a cryptographic protocol designed to provide security over a network end to end.

Close 

2/8

OpenSSL

The Heartbleed bug is a vulnerability in the popular OpenSSL cryptographic software library. OpenSSL is the most popular open source cryptographic library and transport layer security (TLS) implementation used to encrypt traffic on the Internet. This weakness allows stealing the information protected, under normal conditions, by the secure socket layer (SSL)/TLS encryption used to secure Internet traffic. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

3/8

This bug was independently discovered by a team of security engineers at Codenomicon, and Neel Mehta of Google Security. Neel Mehta first reported the Heartbleed Bug to the OpenSSL team in 2014. The Codenomicon team found the bug while improving the SafeGuard feature in Codenomicon's Defensics security testing tools.

4/8

heartbeat is a periodic signal generated by hardware or software to indicate normal operation or to synchronize other parts of a computer system.

heartbeat request is functionality where either of the connected computers requests that a number of bytes of data that it sends to the other side be echoed back.

An important component of the TLS/SSL protocols is what's called a heartbeat. This heartbeat is how two computers communicating with one another let each other know that they are still connected even if there is no user traffic between them at that moment. One of the computers will send an encrypted piece of data, called a heartbeat request, to the other. To prove that the connection is still in place, the second computer will reply with the exact same encrypted piece of data.

The Heartbleed bug compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users. This bug has gotten so much attention because it has left large amount of private keys and other secrets exposed to the Internet for a long period of time and it is so easily to exploit.

5/8

6/8

heatbeat reply is functionality where either of the connected computers echo back a number of bytes of data that were sent to it. 

Exploitation of this bug does not leave any trace of abnormalities within the log files. The content of heatbeat requests cannot be used to detect and block the bug. However, an attack may be detected by comparing the size of the heatbeat request against the size of the heatbeat reply since they both include information about its own length. This means that an intrusion detection systems (IDS) can be programmed to detect the attack, but not to block it, without blocking all heartbeat requests.

7/8

memcpy(bp, pl, payload);

The coding mistake that caused the Heartbleed bug can be traced to this single line of code. memcpy() is the command that copies data. bp is the place it's copying it to, pl is where it's being copied from, and payload is the length of the data being copied. The problem arrises from there never being any attempt to check if the amount of data in pl is equal to the value of payload. The fix is several lines of code in which the first piece makes sure that the heartbeat request isn't equal to 0 and the second piece checks to be sure that the heartbeat request is as long as it claims to be.

* Read type and payload length first */ if (1 + 2 + 16 > s->s3->relent) return 0; /* silently discard */ hbtype = *p++; n2s(p, payload); if (1 + 2 + payload + 16 > s->s3->rrec.length) return 0; /* silently discard per RFC 6520 sec. 4 */ pl = p;

8/8

The best way to be protected from the Heartbleed bug is to adopt and deploy Fixed OpenSSL. Fixed OpenSSL has been released and to date most operating system vendors, appliance vendors, independent software vendors have adopted and deployed the fix, and notified their users. It is worth noting that there may still be those that haven’t adopted and deployed the fix, or whose SSL certificates have been compromised in the past and are in the possession of those who may look to exploit them.