Go big or go home was certainly one mantra for bug hunters in 2014. While we had our usual slate of commodity SQL injection and buffer overflow vulnerabilities, 2014 will be remembered for the big one(s). Internet-wide vulnerabilities—primarily those in SSL—caused immense angst for admins who had to first find deployments of affected software, sometimes buried in embedded systems, and then wade through multiple patches before setting things right.
Heartbleed Makes Hearts Skip a Beat
The Heartbleed vulnerability disrupted a fine spring morning in April, sending IT shops scurrying for OpenSSL deployments suddenly vulnerable to remote attack. Heartbleed was the first in a string of Internet-wide vulnerabilities that stained 2014—and it was the most serious given OpenSSL's ubiquity. When exploited, Heartbleed revealed 64KB of memory, which white- and black-hats quickly figured out how to mine to piece together crypto keys, credentials and other data crossing network traffic streams. The flaw put the integrity of OpenSSL in question and unmasked the myth that open source software packages are indeed less secure than their proprietary counterparts.
Heartbleed Exploits Cheap and Easy
Within a matter of days, Heartbleed went from a dangerous vulnerability in OpenSSL to one that was being actively exploited. Reports quickly surfaced that organizations such as the Canada Revenue Agency were losing passwords and insurance data to Heartbleed exploits, while researcher Fedor Indutny was able to replay a Heartbleed attack two million times to piece together a private server key. While Indutny and other research teams stole private keys as part of a controlled challenge run by vendor CloudFlare, Swedish VPN company Mullvad independently reported that it was able to retrieve private keys from traffic moving through OpenVPN installations. The rush to patch OpenSSL was imperative.
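The memory disclosure described in the two slides above comes down to one missing bounds check in the heartbeat handler. The following is an added illustration written for this page, not OpenSSL's code: it lays a heartbeat record out in a constructed byte arena that stands in for process memory, shows a handler that trusts the peer-supplied payload length, and beside it the hardened handler with the comparison the fix introduced.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat record body layout (RFC 6520): 1-byte type, 2-byte big-endian
   payload_length, the payload, then at least 16 bytes of padding. */
enum { HB_REQUEST = 1, HB_PADDING = 16 };

/* Constructed arena standing in for process memory: the record comes first
   and bytes that an over-read would expose sit right after it. */
#define RECORD_LEN (1 + 2 + 4 + HB_PADDING)   /* carries a 4-byte "ping" */
size_t build_arena(unsigned char *arena, size_t n) {
    memset(arena, 0, n);
    arena[0] = HB_REQUEST;
    arena[1] = 0x00; arena[2] = 0x40;          /* but claims a 64-byte payload */
    memcpy(arena + 3, "ping", 4);
    memcpy(arena + RECORD_LEN, "SECRET-KEY-MATERIAL", 19);  /* neighbouring data */
    return RECORD_LEN;
}

/* Vulnerable handler: trusts the peer-supplied payload_length and echoes that
   many bytes, reading past the end of the record. Returns bytes written. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len, unsigned char *out) {
    if (rec_len < 3 || rec[0] != HB_REQUEST) return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    memcpy(out, rec + 3, payload);             /* never compared with rec_len */
    return payload;
}

/* Hardened handler: the bounds check added by the fix. A request whose
   declared payload plus header and minimum padding exceeds the record is
   silently discarded, so only bytes actually received can be echoed. */
size_t heartbeat_hardened(const unsigned char *rec, size_t rec_len, unsigned char *out) {
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST) return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return 0;
    memcpy(out, rec + 3, payload);
    return payload;
}

int main(void) {
    unsigned char arena[128], out[128];
    size_t len = build_arena(arena, sizeof arena);
    size_t n = heartbeat_vulnerable(arena, len, out);
    printf("vulnerable: echoed %zu bytes, including \"%.6s\"\n", n, (const char *)(out + RECORD_LEN - 3));
    printf("hardened:   echoed %zu bytes\n", heartbeat_hardened(arena, len, out));
    return 0;
}
```

The arena keeps the over-read inside one buffer so the demonstration is deterministic; in a real process the extra bytes come from whatever happens to sit after the record on the heap.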
Bash Vulnerability Was No Party
If Heartbleed made organizations nervous, the Bash vulnerability certainly shook them to their core a mere five months later. The critical flaw in Bourne Again Shell was present in most Linux and Unix distributions, as well as Apple's Mac OS X. Bash allowed a hacker to remotely attach malicious commands to a Bash call, silently launching attacks against vulnerable web servers. The problem with Bash is that it was quietly present in so many software packages that it was difficult to inventory, much less patch. And speaking of patches, the first sets of fixes emerged quickly from Red Hat and other Linux distributions but were just as quickly deemed incomplete, sending organizations scrambling to uninstall and re-patch.
Shellshock Exploits Made Bash Threat Real
Less than 24 hours after the disclosure of the critical vulnerability in Bourne Again Shell, or Bash, reports of public exploits trickled in. Independent researcher Yinette, as well as AusCERT, discovered bots exploiting the Bash vulnerability, and the exploits were just as quickly dubbed Shellshock. Not to be left out, researchers at AlienVault Labs reported the discovery of two exploits caught in one of its honeypots: one a repurposed IRC bot trying to put together a DDoS botnet, the other an executable trying to steal system information and configuration data from compromised servers, also to build a DDoS botnet. Within a week, Google bug-hunter Michal Zalewski found two more vulnerabilities in Bash that required a fresh set of eyes and patches.
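The bots described in the two Bash slides above reached vulnerable servers through HTTP headers that CGI handlers hand to Bash as environment variables, and every one of those probes starts with Bash's function-export prefix. As an added example (not code from the page or from any vendor named here), this is the kind of check a defender can run over request-header lines to spot such probes; the sample log lines are constructed, not real traffic.

```c
#include <ctype.h>
#include <string.h>

/* Returns 1 when a header value begins with the Bash function-export prefix
   "() {" (whitespace between the tokens is tolerated), the marker that
   Shellshock probes carry in headers a CGI handler exports to Bash. */
int has_shellshock_marker(const char *value) {
    const char *p = value;
    while (isspace((unsigned char)*p)) p++;
    if (p[0] != '(' || p[1] != ')') return 0;
    p += 2;
    while (isspace((unsigned char)*p)) p++;
    return *p == '{';
}

/* Constructed sample of request-header lines as a web server might log them
   (not real traffic). Only the value after the first ": " is inspected. */
static const char *const SAMPLE_HEADERS[] = {
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/32.0",
    "User-Agent: () { :; }; echo probe",
    "Referer: http://example.com/index.html",
    "Cookie: () {:;}; echo probe",
    "Accept: text/html",
    "Host: (){ :; }; echo probe",
};
#define SAMPLE_COUNT (sizeof SAMPLE_HEADERS / sizeof SAMPLE_HEADERS[0])

/* Counts lines whose header value carries the marker; `flagged`, if
   non-NULL, receives 1 for each such line so a caller can alert on it. */
int count_shellshock_lines(const char *const *lines, size_t n, int *flagged) {
    int hits = 0;
    for (size_t i = 0; i < n; i++) {
        const char *value = strstr(lines[i], ": ");
        value = value ? value + 2 : lines[i];   /* no separator: scan whole line */
        int hit = has_shellshock_marker(value);
        if (flagged) flagged[i] = hit;
        hits += hit;
    }
    return hits;
}
```

Matching on the prefix alone is deliberate: what follows it varies from bot to bot, while the prefix is what Bash itself keys on.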
Unleashed POODLE Keeps Up Assault on SSL
Researchers at Google dropped another Internet-wide problem in October with the disclosure of the POODLE attack against SSLv3, which would allow an attacker to recover plaintext from communication thought to be safe. The POODLE attack relies on a shortcoming in SSLv3 handling: when a secure connection attempt fails, servers fall back to older protocols. Attackers can force the use of SSLv3, for example by triggering a TLS connection failure, and then run the POODLE attack to decrypt sensitive information. The best fix to counter POODLE is to disable the SSLv3 fallback feature in major browsers, something that Google and Microsoft did relatively quickly. The killer, however, came in early December, when Google researchers confirmed that the POODLE attack also worked against some implementations of TLS. The onus then fell upon vendors running TLS in their products to produce patches in relatively short order.
Found: Missing Apple GoToFail Certificate Validation
Leave it to Apple to release a fix for a major certificate-validation vulnerability on a cold Friday night in February. What quickly became known as the Apple GoToFail bug was a security update to iOS that restored certificate validation checks that had been missing for some time in the mobile OS. Attackers sitting man-in-the-middle could exploit the vulnerability, which treated bogus certificates as valid, to pick off and decrypt communication on a network.
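The bug took its name from a single duplicated line of C. The following is an added illustration written for this page, not Apple's code: the hashing and signature steps are simplified stand-ins, but the control flow reproduces why the check was skipped and why the fix is a one-line deletion.

```c
/* Constructed stand-ins for the steps of verifying a handshake signature;
   0 means success, as in the real code. */
static int hash_update(void)            { return 0; }
static int raw_verify(int signature_ok) { return signature_ok ? 0 : -1; }

/* The bug: a duplicated "goto fail;" jumps to the exit while err is still 0
   from the previous step, so raw_verify() is never reached and every
   signature, forged or not, is reported as valid. */
int verify_key_exchange_buggy(int signature_ok) {
    int err;
    if ((err = hash_update()) != 0)
        goto fail;
        goto fail;      /* the extra line; the check below is unreachable */
    if ((err = raw_verify(signature_ok)) != 0)
        goto fail;
fail:
    return err;         /* 0 means "accepted" */
}

/* The fix removes the duplicate so the signature check is executed. */
int verify_key_exchange_fixed(int signature_ok) {
    int err;
    if ((err = hash_update()) != 0)
        goto fail;
    if ((err = raw_verify(signature_ok)) != 0)
        goto fail;
fail:
    return err;
}
```

Indentation hides the problem: the second goto looks like part of the if, but C has no such scoping, so it runs unconditionally.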
Apple Takes Bite Out of SSL
Not to be left out, Apple announced in April that it had patched a critical SSL vulnerability in its iOS and OS X operating systems. The triple-handshake vulnerability affected iOS 7.1.1 and OS X Mountain Lion and Mavericks, and an attacker sitting man-in-the-middle could intercept traffic. With such a vulnerability, an attacker could establish two connections that had the same encryption keys and handshake, insert the attacker's data in one connection, and renegotiate so that the connections could be forwarded to each other. This came two months after Apple's infamous GoToFail bug.
GnuTLS Is No GoToFail, But It's Bad Too
Shortly after Apple's GoToFail vulnerability, the open source SSL and TLS implementation GnuTLS also reported a critical certificate validation vulnerability. Sites and applications running GnuTLS were at risk from exploits using bogus digital certificates. GnuTLS did not correctly handle certain errors that could occur during certificate validation, causing it to report successful verification. An attacker with a specially crafted certificate could get that cert accepted as valid, forge a domain and make it appear trusted to the requestor. While not at the scale of Apple's GoToFail bug, more than 350 software packages used GnuTLS crypto libraries, as did some Linux distributions and other core libraries such as libcrypt, libmailutils and cURL.
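The GnuTLS failure mode differs from GoToFail: a helper meant to answer yes or no also let negative error codes escape through its cleanup path, and its caller read anything non-zero as yes. This is an added, simplified illustration of that pattern written for this page, not GnuTLS's code; the extension parser is a constructed stand-in.

```c
/* Constructed stand-in for reading the Basic Constraints extension: returns
   0 on success or a negative error code if the extension cannot be parsed. */
static int read_basic_constraints(int parseable, int ca_flag, int *is_ca) {
    if (!parseable) return -1;
    *is_ca = ca_flag;
    return 0;
}

/* The bug pattern: a helper documented to answer 1 (certificate is a CA)
   or 0 (it is not) also returns negative error codes via its cleanup
   label, and the caller treats any non-zero answer as "is a CA". */
int check_if_ca_buggy(int parseable, int ca_flag) {
    int result, is_ca = 0;
    result = read_basic_constraints(parseable, ca_flag, &is_ca);
    if (result < 0) goto cleanup;   /* negative code survives to the caller */
    result = is_ca;
cleanup:
    return result;
}
int issuer_trusted_buggy(int parseable, int ca_flag) {
    return check_if_ca_buggy(parseable, ca_flag) != 0;   /* -1 passes as "yes" */
}

/* The fix: error paths answer "not a CA", and callers test for exactly 1,
   so a certificate that cannot even be parsed can never act as an issuer. */
int check_if_ca_fixed(int parseable, int ca_flag) {
    int result, is_ca = 0;
    result = read_basic_constraints(parseable, ca_flag, &is_ca);
    if (result < 0) goto fail;
    return is_ca;
fail:
    return 0;
}
int issuer_trusted_fixed(int parseable, int ca_flag) {
    return check_if_ca_fixed(parseable, ca_flag) == 1;
}
```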
sChannel Flaw Brings Microsoft into the SSL Fold
Buried among the November Patch Tuesday security bulletins issued by Microsoft was a patch for Secure Channel, also known as sChannel. The technology is in every supported version of Windows and is used to implement SSL and TLS. The sChannel bug was the latest woe in crypto technology, and its widespread use in Windows put a lot of people on edge. The vulnerability was remotely exploitable and could be used to attack servers. Complicating matters, less than a week later came reports from some users who said the patch was causing TLS negotiations to fail.