Πανεπιστήμιο Κύπρου - Τμήμα Πληροφορικής ΕΠΛ 682: Προχωρημένα Θέματα Ασυάλειας ΘΕΜΑ :B UGS Αδάμος Κουμή
T HE M ATTER OF H EARTBLEED U NDERSTANDING THE R EPRODUCIBILITY OF C ROWD - REPORTED S ECURITY V ULNERABILITIES
M EMORY E RROR V ULNERABILITY Security vulnerability allows attackers to manipulate in-memory content to crash a program, or obtain unauthorized access to a system. Memory error vulnerabilities such as ―Stack Overflows‖, ―Heap Overflows‖, and ―Use After Free‖ have been ranked among the most dangerous software errors. 3
T HE M ATTER OF H EARTBLEED *Z. Durumeric 1 , J. Kasten 1 ,D. Adrian 1 , J. A. Halderman 1 ,M. Bailey 1,2 ,*F. Li 3 , N. Weaver 3,4 , J. Amann 4 , J. Beekman 3 , M. Payer 3,5 , V. Paxson 3,4 1 University of Michigan , 2 University of Illinois, Urbana Champaign 3 EECS, University of California, Berkeley, 4 International Computer Science Institute, 5 Purdue University
T HE M ATTER OF H EARTBLEED On April 7 2014, OpenSSL project publicly disclosed the Heartbleed vulnerability. Β ug στην υλοποίηση του TLS Heartbeat Extension. Vulnerability επέτρεπε στους επιτιθεμένους να διαβάσουν προστατευόμενη μνήμη από τους εξυπηρετητές( servers) αλλά και τους πελάτες( clients). 5
B ACKGROUND OpenSSL: open-source cryptographic library that implements the SSL and TLS protocols The Heartbeat Extension: Either end-point of a TLS connection detects whether its peer is still present. Motivated by the need for session management in Datagram TLS (DTLS). Not require for Standard implementations of TLS(use tcp for session management ) 6
H EARTBEAT E XTENSION Peers indicate support for the extension during the initial TLS handshake. Following negotiation, either end-point can send a HeartbeatRequest message to verify connectivity. 7
N ORMAL H EARTBEAT Heartbeat Request 01 2 hi e7f0n2...... Type Length Payload Random padding Heartbeat Response 02 2 hi dc0n2...... Type Length Payload Random padding 8
H EARTBLEED V ULNERABILITY OpenSSL Heartbeat Extension Vulnerability, allowed either end-point to read data following the payload message in its peer’s memory . How? Specifying a payload length larger than the amount of data in the message. Bug : The peer trusts the attacker-specified length of an attacker-controlled message. 9
H EARTBLEED V ULNERABILITY Heartbeat Request 01 64kb hi e7f0n2...... Type Length Payload Random padding Attacker Heartbeat Response 02 64kb hi,username, private dc0n2...... cryptographic Keys…………….. Type Length Payload Random padding 10
H EARTBLEED T IMELINE 21 /03 Neel Mehta of Google discovers Heartbleed 21/03 Google patches OpenSSL on their servers 01/04 Google notifies the OpenSSL core team 02/04 Codenomicon independently discovers Heartbleed 03 /04 Codenomicon informs NCSC-FI National Cyber Security Centre Finland 06/04 OpenSSL notifies several Linux distributions 07/04 NCSC-FI notifies OpenSSL core team 07/04 OpenSSL releases version 1.0.1g and a security advisory 11 08/04 Al-Bassam scans the Alexa Top 10,000 09/04 University of Michigan begins scanning
S OLUTIONS Patch: Discards the HeartbeatRequest, if the payload length field exceeds the length of the payload. Recompile OpenSSL, with the handshake removed from the code by using compile time option -DOPENSSL_NO_HEARTBEATS. 12
THE IMPACT OF HEARTBLEED Performed regular vulnerability scans against: Alexa Top 1 Million domains 1% samples of the public, non-reserved IPv4 address space. Every 8 hours. Between April 9 - June 4 Scanning Methodology Modifying Zmap to send Heartbeat requests with no payload no padding, zero length TLS, DTLS these requests should be rejected. Vulnerable versions of OpenSSL send a response containing only 13 padding.
S CANNING M ETHODOLOGY Heartbeat Request 01 0 Type Length (no (No padding) data) Heartbeat Response 02 0 dc0n2...... Type Length (no data) Random padding 14
A LEXA T OP 100 All of the Alexa Top 100 websites were patched within 48 • hours of disclosure. At least 44 of the Alexa Top 100 websites were vulnerable. • Combining press releases, Mashable’s report, and Al- Bassam’s scan 15
E STIMATING I NITIAL I MPACT Upper bound 60% of HTTPS sites support the Heartbeat at most about extension 55% of the HTTPS sites in the Alexa Top 1 Million were 91% of these were initially vulnerable powered by known vulnerable web servers 16
E STIMATING I NITIAL I MPACT Lower bound TLS 1.1 and 1.2 — features introduced in OpenSSL 1.0.1 with the Heartbeat Extension. At least about 24% of the HTTPS sites in the Alexa 32.6% sites supported TLS 1.1 or 1.2. Top 1 Million were initially vulnerable 72.7% used known vulnerable web servers 17 Estimate -> 24 – 55% of HTTPS servers in the Alexa Top 1 Million were initially vulnerable
V ULNERABLE D EVICES AND P RODUCTS Heartbleed affected embedded systems. Communication Servers : Zimbra collaboration iPECS VoIP systems, and Polycom and Cisco video conference products. Software Control Panels : Puppet Enterprise Dashboard, IBM System X Integrated Management Modules control panel, VMWare servers, Parallels control panels for Plesk . Network Attached Storage : QNAP, D-Link, ReadyNAS, LaCie, Synology, and Western Digital NAS devices. Firewall and VPN Devices : Cisco, SonicWALL, WatchGuard, OpenVPN Printers : Dell, Lexmark, Brother, HP printers. Miscellaneous : Hikvision and SWANN security cameras , AcquiSuite 18 power monitors , SpeedLine Solutions ( Pizza POS System‖)
O THER I MPACTS Mail Servers: Can use TLS for transport security via usage of a StartTLS directive within a plaintext session. Scanned a random 1% sample of IPv4 address space for vulnerable SMTP servers. 45% providing SMTP+TLS supported the Heartbeat Extension. 19 7.5% were vulnerable to Heartbleed.
O THER I MPACTS Tor relays and bridges use OpenSSL to provide TLS- enabled inter-relay communication. April 10 scan (3 days after announcement of the vulnerability) Found that 97% of relays supported Heartbeat. 48% of the relays remained vulnerable at that time. The vulnerability allowed an attacker to extract both short-term onion and long-term identity keys. intercept traffic and impersonate a relay. Tor client Vulnerability allowing entry guards to read sensitive information from a client’s memory , such as recently visited 20 websites.
O THER I MPACTS Bitcoin Clients/ Exchanges Bitcoin software from May 2012 to April 2014, used a vulnerable OpenSSL version. After Heartbleed’s disclosure, a new Bitcoin version was released linking to the newly patched OpenSSL version. Heartbleed allowed attackers to: compromise wallets retrieve private keys 12 customers had a total of 28 BTC ( ⇡ $6,500) stolen from 21 BTCJam after account credentials were compromised.
O THER I MPACTS Android Heartbleed only affected Android version 4.1.1. Google estimated that 33.5% of all Android devices currently running Android 4.1. A vulnerable device would have been susceptible to having memory read by a malicious server. 22
O THER I MPACTS Wireless Networks Extended Authentication Protocol framework for wireless network Authentication use TLS Heartbleed allowed attackers to retrieve network keys and user credentials from wireless clients and access points. 23
P ATCHING BEHAVIOR Alexa Top 1 Million sites patched within the first week , 24 the patch rate quickly dropped after two weeks.
C ERTIFICATE R EPLACEMENT Heartbleed allowed attackers to extract private cryptographic keys. Security community recommended that: Administrators should generate new cryptographic keys Revoke compromised certificates To track which sites replaced certificates and cryptographic keys they combined data from Heartbleed scans, Michigan’s daily scans of the HTTPS ecosystem , 25 ICSI’s Certificate Notary service
C ERTIFICATE R EPLACEMENT Less than 40% of Alexa Top 1 Million sites replaced certificates in the week following disclosure. Only 10% of the sites that were vulnerable, 48 hours after disclosure replaced their certificates within the next month. Of those that did, 14% re-used the same private key , gaining no actual protection by the replacement. Only 19% of the vulnerable sites that did replace their certificates, revoked the original certificate in 26 the same time frame.
A TTACK SCENE They analyzed who was scanning for the Heartbleed vulnerability by examining network traffic collected from passive taps at Lawrence Berkeley National Laboratory (LBNL), International Computer Science Institute (ICSI) National Energy Research Scientific Computing Center (NERSC), honeypot operated on Amazon EC2. To detect Heartbleed scanning, they extended the Bro’s SSL/TLS analyzer to recognize Heartbeat messages 27
Recommend
More recommend
