News
4/24/2014
08:00 AM
Chris Chapman
Chris Chapman
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
RSS
E-Mail
50%
50%

How To Detect Heartbleed Mutations

The nightmare of Heartbleed is not the chaos of fixing the bug. It's identifying hundreds, possibly thousands, of small mutations still hiding in the network.

By now, most of you must have started to implement or have already implemented the Heartbleed security patches on to your servers. Heartbleed, one of the biggest security exploits that the industry has experienced so far, exists in OpenSSL and affects the way TLS/DTLS Heartbeat packets are handled. This weakness allows the access to the memory contents of a connected client or server. This means that any web server using OpenSSL is a potential target -- roughly 66% of all websites.

The biggest nightmare for security managers and infrastructure vendors is not the chaos of trying to fix the vulnerability exposed by Heartbleed, but variations of the bug that are already in the network unbeknownst to them. The Heartbleed vulnerability will follow the classic pattern of mutation. There will be hundreds and possibly thousands of small but critically different variants, so patching the root attack will not stop the threat, and could lead to a false sense of security.

A security patch, by definition, closes a discrete set of security holes in a product. Attack mutations, may or may not fall within the scope of the patch. The point is you are never sure and will always play catch up. The key is to proactively and progressively test to defend against the Heatbleed mutations.

First step: Fuzzing analysis
The first step in testing for Heartbleed mutation is to perform a full fuzzing analysis of the server SSL stack. This will narrow down an infinite number of possibilities to a finite list of candidate breech points. In the case of the root vulnerability, the SSL client had the ability in the Heartbeat response to request greater than 64k bytes of data. A fuzzer would directly test this scenario and would find the vulnerability by using an OutofBounds method (which is automatically generated by the fuzzer). Once you identify the holes and patch them, you need to rerun fuzzing in conjunction with your specific mix of application protocols to measure if loading opens more holes, or patch mitigation lowers quality of experience.

The best approaches to gain assurance, is one-arm stateful SSL/TLS exhaustivel testing and with full realism. Two arm 'simulations' will not test your network's vulnerability to attack. SSL/TLS fuzzing will recursively test mutation holes exhaustively. True one-arm HTTPS with support for keys and certs, and stateful peering with your network allows you to test "what if" scenarios under deep realistic scale. Exhaustive testing treats the device under test (DUT) as a system which allows stately interaction with the system in a one-arm mode, providing the ability to peer into the protocol in question (i.e., SSL/TLS). In the case of fuzzing, it automatically walks thought the finite state machine of the protocol. No testing system is perfect, but one-arm exhaustive testing exposes the DUT to far more measured coverage and reduces the chance of exploitation.

Finding, fixing, and scanning for vulnerabilities needs to be an iterative process that cannot be left to vendors. IT teams can easily take control of their network security destiny with proactive and progressive testing.

Chris Chapman has more than 20 years of experience with multiprotocol and cloud networking technologies, with emphasis on systems root-cause analysis, quality of experience, performance, and scale realism testing for both IPv4 and IPv6. He has written and deployed ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
0xtero
50%
50%
0xtero,
User Rank: Apprentice
4/25/2014 | 11:07:57 AM
Re: Testing for Heartbleed mutations, anyone?
No because there is no such thing as Heatbleed mutation.

The Heartbleed bug is a missing boundary check in OpenSSL code - a library that implements TLS, it's not a flaw in the TLS protocol. 

Moving on to servers to test for "advanced mutations" makes no sense at all. Either the patch is applied or it isn't - there are no variants of it. The bug doesn't magially mutate to something else on it's own. There are no other attack vectors. It's not a protocol level flaw, it's flaw in one library that implements the protocol. Other SSL libraries are not vulnerable. This is OpenSSL bug only.

The article uses terminology (mutation, spreading) that also plays on the "heartbleed is a virus" fallacy and as such is not only inaccurate but also dangerously close to being pure FUD.

OpenSSL and other libraries most likely contain other bugs - and more rigorous testing is a very good idea, especially for components that are widely used(/embedded) in core infrastructure products. But that has nothing to do with Heartbleed, it's just common sense.

Heartbleed has caused a lot of panic and misinformation, let's not create any more of it.

 
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
4/24/2014 | 4:15:01 PM
Testing for Heartbleed mutations, anyone?
Curious to know if anyone in the Dark Reading Community has moved beyond Heartbleed security patches on to servers to advanced testing for mutations....
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Must Reads - September 25, 2014
Dark Reading's new Must Reads is a compendium of our best recent coverage of identity and access management. Learn about access control in the age of HTML5, how to improve authentication, why Active Directory is dead, and more.
Flash Poll
10 Recommendations for Outsourcing Security
10 Recommendations for Outsourcing Security
Enterprises today have a wide range of third-party options to help improve their defenses, including MSSPs, auditing and penetration testing, and DDoS protection. But are there situations in which a service provider might actually increase risk?
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-5619
Published: 2014-09-29
The Sleuth Kit (TSK) 4.0.1 does not properly handle "." (dotfile) file system entries in FAT file systems and other file systems for which . is not a reserved name, which allows local users to hide activities it more difficult to conduct forensics activities, as demonstrated by Flame.

CVE-2012-5621
Published: 2014-09-29
lib/engine/components/opal/opal-call.cpp in ekiga before 4.0.0 allows remote attackers to cause a denial of service (crash) via an OPAL connection with a party name that contains invalid UTF-8 strings.

CVE-2012-6107
Published: 2014-09-29
Apache Axis2/C does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

CVE-2012-6110
Published: 2014-09-29
bcron-exec in bcron before 0.10 does not close file descriptors associated with temporary files when running a cron job, which allows local users to modify job files and send spam messages by accessing an open file descriptor.

CVE-2013-1874
Published: 2014-09-29
Untrusted search path vulnerability in csi in Chicken before 4.8.2 allows local users to execute arbitrary code via a Trojan horse .csirc in the current working directory.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
In our next Dark Reading Radio broadcast, we’ll take a close look at some of the latest research and practices in application security.