News
4/24/2014
08:00 AM
Chris Chapman
Chris Chapman
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
RSS
E-Mail
50%
50%

How To Detect Heartbleed Mutations

The nightmare of Heartbleed is not the chaos of fixing the bug. It's identifying hundreds, possibly thousands, of small mutations still hiding in the network.

By now, most of you must have started to implement or have already implemented the Heartbleed security patches on to your servers. Heartbleed, one of the biggest security exploits that the industry has experienced so far, exists in OpenSSL and affects the way TLS/DTLS Heartbeat packets are handled. This weakness allows the access to the memory contents of a connected client or server. This means that any web server using OpenSSL is a potential target -- roughly 66% of all websites.

The biggest nightmare for security managers and infrastructure vendors is not the chaos of trying to fix the vulnerability exposed by Heartbleed, but variations of the bug that are already in the network unbeknownst to them. The Heartbleed vulnerability will follow the classic pattern of mutation. There will be hundreds and possibly thousands of small but critically different variants, so patching the root attack will not stop the threat, and could lead to a false sense of security.

A security patch, by definition, closes a discrete set of security holes in a product. Attack mutations, may or may not fall within the scope of the patch. The point is you are never sure and will always play catch up. The key is to proactively and progressively test to defend against the Heatbleed mutations.

First step: Fuzzing analysis
The first step in testing for Heartbleed mutation is to perform a full fuzzing analysis of the server SSL stack. This will narrow down an infinite number of possibilities to a finite list of candidate breech points. In the case of the root vulnerability, the SSL client had the ability in the Heartbeat response to request greater than 64k bytes of data. A fuzzer would directly test this scenario and would find the vulnerability by using an OutofBounds method (which is automatically generated by the fuzzer). Once you identify the holes and patch them, you need to rerun fuzzing in conjunction with your specific mix of application protocols to measure if loading opens more holes, or patch mitigation lowers quality of experience.

The best approaches to gain assurance, is one-arm stateful SSL/TLS exhaustivel testing and with full realism. Two arm 'simulations' will not test your network's vulnerability to attack. SSL/TLS fuzzing will recursively test mutation holes exhaustively. True one-arm HTTPS with support for keys and certs, and stateful peering with your network allows you to test "what if" scenarios under deep realistic scale. Exhaustive testing treats the device under test (DUT) as a system which allows stately interaction with the system in a one-arm mode, providing the ability to peer into the protocol in question (i.e., SSL/TLS). In the case of fuzzing, it automatically walks thought the finite state machine of the protocol. No testing system is perfect, but one-arm exhaustive testing exposes the DUT to far more measured coverage and reduces the chance of exploitation.

Finding, fixing, and scanning for vulnerabilities needs to be an iterative process that cannot be left to vendors. IT teams can easily take control of their network security destiny with proactive and progressive testing.

Chris Chapman has more than 20 years of experience with multiprotocol and cloud networking technologies, with emphasis on systems root-cause analysis, quality of experience, performance, and scale realism testing for both IPv4 and IPv6. He has written and deployed ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
0xtero
50%
50%
0xtero,
User Rank: Apprentice
4/25/2014 | 11:07:57 AM
Re: Testing for Heartbleed mutations, anyone?
No because there is no such thing as Heatbleed mutation.

The Heartbleed bug is a missing boundary check in OpenSSL code - a library that implements TLS, it's not a flaw in the TLS protocol. 

Moving on to servers to test for "advanced mutations" makes no sense at all. Either the patch is applied or it isn't - there are no variants of it. The bug doesn't magially mutate to something else on it's own. There are no other attack vectors. It's not a protocol level flaw, it's flaw in one library that implements the protocol. Other SSL libraries are not vulnerable. This is OpenSSL bug only.

The article uses terminology (mutation, spreading) that also plays on the "heartbleed is a virus" fallacy and as such is not only inaccurate but also dangerously close to being pure FUD.

OpenSSL and other libraries most likely contain other bugs - and more rigorous testing is a very good idea, especially for components that are widely used(/embedded) in core infrastructure products. But that has nothing to do with Heartbleed, it's just common sense.

Heartbleed has caused a lot of panic and misinformation, let's not create any more of it.

 
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
4/24/2014 | 4:15:01 PM
Testing for Heartbleed mutations, anyone?
Curious to know if anyone in the Dark Reading Community has moved beyond Heartbleed security patches on to servers to advanced testing for mutations....
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
10 Recommendations for Outsourcing Security
10 Recommendations for Outsourcing Security
Enterprises today have a wide range of third-party options to help improve their defenses, including MSSPs, auditing and penetration testing, and DDoS protection. But are there situations in which a service provider might actually increase risk?
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5314
Published: 2014-11-23
Buffer overflow in Cybozu Office 9 and 10 before 10.1.0, Mailwise 4 and 5 before 5.1.4, and Dezie 8 before 8.1.1 allows remote authenticated users to execute arbitrary code via e-mail messages.

CVE-2014-5325
Published: 2014-11-23
The (1) DOMConverter, (2) JDOMConverter, (3) DOM4JConverter, and (4) XOMConverter functions in Direct Web Remoting (DWR) through 2.0.10 and 3.x through 3.0.RC2 allow remote attackers to read arbitrary files via DOM data containing an XML external entity declaration in conjunction with an entity refe...

CVE-2014-5326
Published: 2014-11-23
Cross-site scripting (XSS) vulnerability in Direct Web Remoting (DWR) through 2.0.10 and 3.x through 3.0.RC2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2014-6477
Published: 2014-11-23
Unspecified vulnerability in the JPublisher component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors, a different vulnerability than CVE-2014-4290, CVE-2014-4291, CVE-2014-4292, CVE-2014-4...

CVE-2014-4807
Published: 2014-11-22
Sterling Order Management in IBM Sterling Selling and Fulfillment Suite 9.3.0 before FP8 allows remote authenticated users to cause a denial of service (CPU consumption) via a '\0' character.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?