Click here to Skip to main content
Click here to Skip to main content
Go to top

What is Heartbleed Bug and Its Solutions?

, 13 Apr 2014
Rate this:
Please Sign up or sign in to vote.
This tip describes what exactly is Heartbleed bug, how to exploit it and solutions of this bug.

Introduction

Since the last few days, Heartbleed trending on the internet and saying to the internet, I am evil. People are calling this bug as "Biggest Security Threat" to the internet. Some Websites called this bug "Catastrophic".

I was gawked to know that I was not safe since 2011 December since OpneSSL included Heartbeat Extension.

Background

This heartbleed bug is on the internet since 2011 December and it got fixed a week ago. First, it was found by Google Security team member NEEL MEHTA and a software firm called CODENOMICON. Codenomicon took the initiative about this bug and created a website for the information and solution of this bug, i.e., http://heartbleed.com.

Before diving into HeartBleed, I would like to tell you about why we need SSL (Secure Socket Layer) also known as TSL (Transport Security Layer).

Usually, we send the password, personal details, credit card details, selfie pics, social media posts over the internet .

To encrypt such details, we used HTTPS. To ensure any malicious person cannot intercept these details, we use OpenSSL, which is an open source software for the implementation of SSL on the web.

But all the SSL implemented HeartBeat extensions are vulnerable to HeartBleed. Through HeartBeat extension attacker can read the client/server memory (64KB at a time) .

What is Heartbeat Extension?

OpenSSL introduced an extension Heartbeat to keep the session alive for a longer time and to avoid reestablishment of sessions. Heartbeat introduced in OpenSSL with its 1.0.1 build release as defined in the RFC 6520 TLS/DTLS Heartbeat Extension. Heartbeat messages can be sent without authenticating with the server. For every request, there might be a Heartbeatrequest and a Heartbeatresponse.

What is Heartbleed?

YAY, you got the nerve - "Vulnerability in Hearbeat causes Heartbleed".

Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software.

Are You Heartbleed Vulnurable ?

People have created the malicious script for heartbeat request and created many online checkers. Following are the websites where you can test whether your website is Heartbleed vulnerable or not.

How to Exploit Heartbleed Attack?

There are many available ways to exploit Heartbleed. Everyone has their proof of concepts.

Some of the ways that I liked are listed below:

Basically, using the idea of Heartbeat, a client can send a Heartbeatrequest and the server will have to respond with Heartbeatresponse.

The total length of a HeartbeatMessage(request/response) canNOT exceed 2^14 or max_fragment_length when negotiated as defined in [RFC6066]. So we are only able to leak 64 KB of memory and that could easily have usernames/password or any random information.

Which OpenSSL Versions are Vulnerable and Who is vulnerable to Heartbleed ?

Heartbleed is only exploited where vulnerable OpenSSL software has been installed. Vulnerable versions are:

  • 1.0.1
  • 1.0.1a,
  • 1.0.1b,
  • 1.0.1c,
  • 1.0.1d,
  • 1.0.1e,
  • 1.0.1f,
  • 1.0.2-beta1
  • OpenSSL is installed mostly on the Apache servers and nginx servers. According to Netcraft, half a million trusted websites are vulnerable to this Heartbleed Bug. Image Courtsey Netcraft : LINK

    Are Windows Server Safe ?

    Being a .NET developer, this is the first thing that came into my mind. Are the websites developed by me and deployed on the Windows server using IIS safe?

    According to Microsoft, they do not include OpenSSL and are not vulnerable to this Heartbleed. Microsoft has their own encryption component called SChannel (Abbreviated as Secure Channel). But those clients which are running softwares on OpenSSL instead of Schannel are vulnerable to this threat.

Solutions to Prevent Heartbleed Attack

Upgrade Your OpenSSL

Apply an upgrade to OpenSSL 1.0.1g. Contact your software vendor to apply an update for this.

Things to remember:

  1. Regenerate your secret keys (There might be a possibility that attacker already hacked your current secret key).
  2. Ask your users to change the password (I have received the official mail request from tumblr to change password).

Disable Heartbeat from Current Installed SSL

Steps to do it:

  1. Recompile your OpenSSL with the -DOPENSSL_NO_HEARTBEATS flag.
  2. Restart your Apache and nginx server to effect the above command.

I hope you liked this simple and straightforward article. I have a lot of insight about this bug. We can have a healthy discussion here regarding this bug.

References and Further Readings

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Share

About the Author

Sarvesh Kushwaha
Software Developer
India India
I do believe life is to help others ... So here i am .. in my spare time i learn new things of programming and try to help people with my knowledge .
I'm an energetic, self-motivated and hard-working Developer and Information Technology Professional with experience in projects, website design and development.
 
Visit My Technical Blog
Follow on   Twitter   Google+   LinkedIn

Comments and Discussions

 
Questionmy vote of 5 PinmemberGovindaraj Rangaraj13-Apr-14 7:58 
AnswerRe: my vote of 5 PinpremiumSarvesh Kushwaha13-Apr-14 11:01 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

| Advertise | Privacy | Mobile
Web04 | 2.8.140905.1 | Last Updated 13 Apr 2014
Article Copyright 2014 by Sarvesh Kushwaha
Everything else Copyright © CodeProject, 1999-2014
Terms of Service
Layout: fixed | fluid