UPDATE–Site operators and software vendors are scrambling to fix the OpenSSL heartbleed bug revealed Monday, a vulnerability that enables an attacker to extract 64 KB of memory per request from a server. Attacks can leak private keys, usernames and passwords and other sensitive data, and some large sites, including Yahoo Mail and others, are vulnerable right now.

The vulnerability exists in OpenSSL 1.0.1f and older versions and the maintainers released a patch for the flaw on Monday. However, now that the details of the vulnerability are public, researchers have begun digging into it and several tools have been published to test various domains to see whether they’re vulnerable. Some high-profile sites, including Yahoo Mail, Lastpass, the OpenSSL site and the main FBI site have been confirmed to leak certain information via the bug. There also is a proof-of-concept exploit for the flaw posted on GitHub.

Lastpass officials said that they patched the vulnerability Tuesday morning, and that user data was never at risk. The company was running a vulnerable version of OpenSSL, but had other security measures in place that mitigated the risk.

“However, LastPass is unique in that your data is also encrypted with a key that LastPass servers don’t have access to. Your sensitive data is never transmitted over SSL unencrypted – it’s already encrypted when it is transmitted, with a key LastPass never receives. While this bug is still very serious, it could not expose LastPass customers’ encrypted data due to our extra layers of protection. On the majority of the web, user data is not encrypted before being transmitted over SSL, hence the widespread concern,” the company said in a blog post.

“Also, LastPass has employed a feature called “perfect forward secrecy”. This ensures that when security keys are changed, past and future traffic also can’t be decrypted even when a particular security key is compromised.”

The vulnerability lies in the way that OpenSSL handles the heartbeat extension in the TLS protocol.

A missing bounds check allows an attacker to read up to 64 KB of memory on a machine protected by OpenSSL.
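As an added illustration (not OpenSSL's code and not from the article), here is a simplified model of the heartbeat reply path: the vulnerable shape copies as many bytes as the peer's length field claims, while the fixed shape first checks that claim against the size of the record actually received. The record layout follows RFC 6520; the 64-byte buffer and the 'S' filler bytes are constructed for the demo so that the over-read stays inside defined memory.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Simplified TLS heartbeat record (RFC 6520): 1-byte type, 2-byte big-endian
 * payload_length, payload, then at least 16 bytes of padding. Added illustration
 * of the missing bounds check, not OpenSSL's own code. */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_HDR = 3, HB_PADDING = 16 };

/* Vulnerable shape: trusts the peer-supplied length field and never compares it
 * with rec_len (bytes actually received), so memcpy reads past the record. */
size_t hb_reply_unchecked(const uint8_t *rec, size_t rec_len,
                          uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HDR || rec[0] != HB_REQUEST) return 0;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HDR + payload + HB_PADDING > out_cap) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, payload);   /* may read beyond rec_len */
    memset(out + HB_HDR + payload, 0, HB_PADDING);
    return HB_HDR + payload + HB_PADDING;
}

/* Fixed shape: header + declared payload + padding must fit inside the bytes
 * actually received, otherwise the record is dropped before any copy. */
size_t hb_reply_checked(const uint8_t *rec, size_t rec_len,
                        uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HDR || rec[0] != HB_REQUEST) return 0;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HDR + payload + HB_PADDING > rec_len) return 0;  /* the bounds check */
    return hb_reply_unchecked(rec, rec_len, out, out_cap);  /* now in bounds */
}

/* Constructed demo: a 21-byte request claiming a 40-byte payload sits at the
 * start of a 64-byte buffer whose tail is filled with 'S', standing in for
 * neighbouring heap data. Returns how many 'S' bytes the reply echoes back. */
size_t hb_demo_leaked_bytes(int use_check)
{
    uint8_t mem[64], out[64];
    const uint8_t req[] = {HB_REQUEST, 0x00, 0x28, 'h', 'i'};
    memset(mem, 'S', sizeof mem); memcpy(mem, req, sizeof req);
    memset(mem + sizeof req, 0, HB_PADDING);          /* the request's real padding */
    size_t rec_len = sizeof req + HB_PADDING;         /* 21 bytes on the wire */
    size_t n = use_check ? hb_reply_checked(mem, rec_len, out, sizeof out)
                         : hb_reply_unchecked(mem, rec_len, out, sizeof out);
    size_t leaked = 0;
    for (size_t i = HB_HDR; i + HB_PADDING < n; i++) leaked += (out[i] == 'S');
    return leaked;
}
```

With the check in place the malformed request yields no reply at all; a well-formed request (declared length matching the bytes received) still gets its payload echoed.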

“The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users,” a description of the vulnerability written by Codenomicon says.

OpenSSL is perhaps the most widely deployed SSL library and appears in a wide variety of applications, including a number of Linux distributions. Red Hat and Ubuntu already have issued patches for the vulnerability.

But the larger problem is that many SSL certificates could be compromised now, as the secret key that protects a given certificate could be disclosed in an attack on this vulnerability. The process of revoking and reissuing those certificates could go on for a long time, depending upon how many organizations realize their sites are vulnerable and how quickly they respond.

“It’s a nightmare vulnerability, since it potentially leaks your long term secret key — the one that corresponds with your server certificate. Worse, there’s no way to tell if you’ve been exploited. That means the prudent thing to do now is revoke your certificate and get a new one. We’ll see how many people do that,” said cryptographer Matthew Green, a professor at Johns Hopkins University.

The vulnerability in OpenSSL appears to have been introduced two years ago. A test site that enables users to enter domains to check their vulnerability status has been up since Monday.

Ivan Ristic, director of application security research at Qualys, said that the OpenSSL heartbleed flaw is potentially quite damaging for many organizations because of the ease of exploitation and the implications of a successful attack.

“This vulnerability is very easy to exploit. It’s very easy to build from scratch (starting with the OpenSSL diff), and there are also several tools that can be downloaded and used, in a matter of minutes,” Ristic said.

“According to the SSL Pulse statistics, about 32% of the servers in that data set support TLS 1.2. Chances are most of them run OpenSSL, and are thus vulnerable. So that’s a very large number of servers. Because this is so easy to exploit, we’re already seeing many attacks. Servers that did not have Forward Secrecy are the most vulnerable, because a serious adversary, who has a recording of the encrypted site traffic, might now be able to easily recover the site’s private key and use it to decrypt traffic retroactively.”

This article was updated on April 8 to include information from Lastpass.

Categories: Cryptography

Comments (9)

  1. Simon Iremonger
    3

    Question now is:
    What should CAs and the like do to help keep trust in this model, warn users / scan vuln public https systems, at least?
    Sysadmins can patch their systems, but those revoking all their keys?

    One Gratis SSL vendor is insisting on charging extortionate regular “revocation” fee as per their terms, even in this exceptional circumstance, if they cared about security you might expect them to at least allow you to re-issue the cert on a new key+CSR for the remaining time-period, with-or-without CRL-listing-revocation. As it is they seem to be head-in-the-sand don’t-care-about-security, encouraging others to take similar attitude?

    Interesting times!

    • Rick Romero
      4

      “One Gratis SSL vendor is insisting on charging extortionate regular “revocation” fee as per their terms, even in this exceptional circumstance, if they cared about security you might expect them to at least allow you to re-issue the cert on a new key+CSR for the remaining time-period, with-or-without CRL-listing-revocation.”

      Seriously? SSL Vendors are in it for the money, not the security. SSL CAs are there to verify the identity of the site the user is connecting to, yet they charge huge amounts of money for a wildcard cert vs a single host. No, there’s little concern for real security from CAs – they’re interested in ‘perceived’ security. They will just use this as scare tactics to create an “upgrade” path.

  2. Bob
    5

    Can browsers be updated to detect if the server is vulnerable, and not show the lock icon?

  3. SnoresLikeBuffalo
    7

    Is there an app users can run to test sites they frequent to see if those sites are vulnerable?
