Heartbleed can be patched, and passwords can be changed. But can you steal private keys by taking advantage of the Internet-wide bug in OpenSSL?
Yes, but it’s difficult.
Private server SSL keys are a real pot of gold at the end of the rainbow for criminal hackers and intelligence agencies alike. Private keys bring unfettered access to Web traffic, and you can be sure that if someone has been able to steal them, they’re not going to crow about it on Twitter or Full Disclosure.
In the meantime, companies running the vulnerable version of OpenSSL in their infrastructure need to assess the risks involved, and then decide whether it’s worth their time and resources to revoke existing certs and reissue new ones. And do you shut down services in the meantime? Again, another tough call some companies would have to make.
“The vulnerability has been out there for two years, so we don’t know who has been on it. But if someone has figured out how to steal private keys, they’re not going to go public about it,” said Marc Gaffan, cofounder of Incapsula.
Incapsula, an application delivery company that offers a range of web security services, patched its infrastructure and is in the process of replacing every certificate on behalf of its customers, Gaffan said, adding that other companies with a similar zero tolerance for risk will do the same.
Stealing a private key using the Heartbleed bug, however, is easier said than done. Researchers at CloudFlare said it is possible to steal private keys, but to date they have been unable to successfully use Heartbleed to do so.
“Note, that is not the same as saying it is impossible to use Heartbleed to get private keys. We do not yet feel comfortable saying that,” said CloudFlare’s Nick Sullivan. “However, if it is possible, it is at a minimum very hard. And we have reason to believe based on the data structures used by OpenSSL and the modified version of NGINX that we use, that it may in fact be impossible.”
The Heartbleed vulnerability enables an attacker to retrieve up to 64KB of memory from a website running vulnerable versions of OpenSSL. Attackers who are able to replay an attack could steal sensitive data from a server, including credentials. Finding private keys is much more labor-intensive and depends on multiple variables, including the timing of attacks. Incapsula’s Gaffan said a private key could be in memory 10 seconds before an attacker arrives, and gone when he’s there.
“It’s like looking for a needle in a haystack; it’s not always there and it’s not always deterministic where the needle, or private key, may be,” said Incapsula’s Gaffan. “Different scenarios cause memory to shape the way it does; that’s why there’s the potential for the private key to be there.”
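The 64KB ceiling follows from the heartbeat message's 16-bit payload length field (RFC 6520). The following is an added example, not code from this article or from OpenSSL: a Python check, with hypothetical function and field names and constructed sample records, that flags a heartbeat record whose claimed payload length exceeds what the record actually carries, which is the consistency test a patched endpoint applies. It assumes the record is available in plaintext, for example at the endpoint after decryption.

```python
import struct

HEARTBEAT_CONTENT_TYPE = 24  # TLS record content type for heartbeat (RFC 6520)
MIN_PADDING = 16             # RFC 6520 requires at least 16 bytes of padding
HEADER_LEN = 5               # TLS record header: type(1) + version(2) + length(2)


def check_heartbeat_record(record: bytes) -> dict:
    """Parse one plaintext TLS record (hypothetical helper) and report whether
    a heartbeat message claims more payload than the record contains."""
    if len(record) < HEADER_LEN:
        return {"heartbeat": False, "reason": "truncated record header"}
    content_type, _version, rec_len = struct.unpack("!BHH", record[:HEADER_LEN])
    if content_type != HEARTBEAT_CONTENT_TYPE:
        return {"heartbeat": False, "reason": "not a heartbeat record"}
    body = record[HEADER_LEN:HEADER_LEN + rec_len]
    if len(body) < rec_len or rec_len < 3:
        return {"heartbeat": True, "valid": False, "reason": "record too short"}
    # Heartbeat message: type(1) + payload_length(2) + payload + padding
    msg_type, claimed = struct.unpack("!BH", body[:3])
    # payload_length is 16 bits wide, so a sender can claim at most 65535 bytes.
    needed = 1 + 2 + claimed + MIN_PADDING
    return {
        "heartbeat": True,
        "valid": needed <= rec_len,       # a patched endpoint drops the rest
        "msg_type": msg_type,
        "claimed": claimed,
        "record_len": rec_len,
        "shortfall": max(0, needed - rec_len),  # bytes claimed but never sent
    }


# Constructed sample records (not captured traffic).
# Consistent: 4-byte payload, 16 bytes of padding, record length 23.
CONSISTENT = (b"\x18\x03\x02" + struct.pack("!H", 23)
              + b"\x01" + struct.pack("!H", 4) + b"ping" + b"\x00" * 16)
# Inconsistent: record carries only the 3-byte message header but the
# length field claims a 16384-byte payload.
INCONSISTENT = b"\x18\x03\x02" + struct.pack("!H", 3) + b"\x01\x40\x00"

if __name__ == "__main__":
    for name, rec in (("consistent", CONSISTENT), ("inconsistent", INCONSISTENT)):
        print(name, check_heartbeat_record(rec))
```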
If the heartbeat feature is enabled in OpenSSL, attacks against the Heartbleed vulnerability are undetectable, experts say.
“The request is a naïve request. It will not appear in a log as an attempt and it doesn’t leave a trace,” Gaffan said.
Mitigating Heartbleed is a process, starting with applying the patch to OpenSSL before revoking old certificates and installing new ones. Users, meanwhile, will likely have to change their passwords for a number of online services they use, but shouldn’t do so until they’re sure the service has done its part with regard to patching and updating certificates.
“Users need to be aware that this is going to be a long-tail issue,” said Trustwave security manager John Miller. “There are bound to be more stories about this in the weeks and months to come.”
The Internet-wide implications of Heartbleed are still being fathomed. OpenSSL is likely to be running in any number of home networking devices, smartphone software and applications, and industrial control and SCADA systems.
“OpenSSL is probably less prevalent in ICS (since many don’t use any encryption at all). ICS backbone servers may be affected since those are more likely to use OpenSSL,” said Chris Sistrunk, senior consultant with Mandiant. “The risks of the Heartbleed vulnerability pale in comparison to the general fragility and lack of security features like authentication and encryption. Availability is still king and confidentiality is the least important. For those who do have OpenSSL, the patch may or may not be rolled out right away depending on the type of ICS. (Do we have to interrupt our batch in process etc to patch?)”
Adam Crain, a security researcher and founder of Automatak, cautioned that TLS is used in industrial control systems to wrap insecure protocols such as DNP3.
“Attackers can now read memory from these servers/clients. Furthermore, people sometimes use TLS wrapped DNP3/ICCP between entities over the internet,” Crain said. “A load-based DoS was always possible on these endpoints, but now it’s possible that encryption keys or other credentials could be lifted to infiltrate these systems.”