The race is on to fix SSL-based websites and software in the wake of a newly revealed and dangerous flaw in the popular OpenSSL library for encrypting HTTP traffic, with nearly one-third of major websites potentially at risk.
OpenSSL released a patch yesterday for a read-overrun bug in its implementation of the Transport Layer Security protocol's "heartbeat" extension, which lets one end of a connection check that the other end is still connected and can respond. If exploited, the bug leaks memory contents from the server to the client and vice versa, potentially exposing passwords and other sensitive data and, most alarmingly, the SSL server's private key. OpenSSL Versions 1.0.1 and 1.0.2 beta are affected by the vulnerability, which was discovered by security researchers at Google and Codenomicon.
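The read overrun and its bounds check, as an added C example that is not OpenSSL's code or part of the original article: a simplified heartbeat handler before and after the fix. The function names and sample bytes are constructed for illustration; the field layout (1-byte type, 2-byte payload length, payload, at least 16 bytes of padding) follows RFC 6520, and reply padding and the TLS record layer are omitted.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_HDR = 3, HB_PAD = 16 };

/* Shared echo step: copy n payload bytes from the request into the reply. */
static size_t hb_echo(const uint8_t *rec, size_t n, uint8_t *out, size_t cap)
{
    if (HB_HDR + n > cap) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, n);
    return HB_HDR + n;
}

/* Pre-patch pattern: the length claimed inside the message is trusted, so the
 * copy can run past rec_len into whatever memory follows the record. */
size_t hb_reply_unchecked(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t cap)
{
    if (rec_len < HB_HDR || rec[0] != HB_REQUEST) return 0;
    return hb_echo(rec, ((size_t)rec[1] << 8) | rec[2], out, cap);
}

/* Patched pattern: header + claimed payload + minimum padding must fit inside
 * the bytes actually received, otherwise the message is dropped silently. */
size_t hb_reply_checked(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t cap)
{
    if (rec_len < HB_HDR + HB_PAD || rec[0] != HB_REQUEST) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HDR + claimed + HB_PAD > rec_len) return 0;
    return hb_echo(rec, claimed, out, cap);
}

/* Constructed demo: one array holds a 23-byte record (4-byte payload plus
 * padding) followed by 'S' markers standing in for adjacent process memory.
 * Returns how many marker bytes end up in the reply for the chosen handler. */
size_t hb_demo_leak(int use_checked)
{
    uint8_t mem[64] = {0}, out[64];
    mem[0] = HB_REQUEST; mem[1] = 0; mem[2] = 40;   /* claimed length: 40 */
    memcpy(mem + HB_HDR, "ping", 4);                 /* real payload: 4    */
    size_t rec_len = HB_HDR + 4 + HB_PAD;            /* 23 bytes received  */
    memset(mem + rec_len, 'S', sizeof mem - rec_len);
    size_t n = use_checked ? hb_reply_checked(mem, rec_len, out, sizeof out)
                           : hb_reply_unchecked(mem, rec_len, out, sizeof out);
    size_t leaked = 0;
    for (size_t i = 0; i < n; i++) leaked += (out[i] == 'S');
    return leaked;
}
```

Because the patched handler drops the inconsistent message without replying, nothing in the server's response distinguishes a rejected request from an ignored one.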
"This is very significant because the hack allows you to extract up to 64 kilobits of server memory at a time. So you submit some malformed request to the server, get 64 kbit/s of server memory and whatever is in that chunk of memory," Ivan Ristic, who heads up the SSL Labs at Qualys, told us. "By nature of things, it handles sensitive information, including the private key of the server. If you get that, you can impersonate the server."
SSL, which encrypts communications sessions for websites, virtual private networks, email, and instant messaging, has become the battle cry of the privacy world in the wake of Edward Snowden's leaks of documents revealing controversial NSA surveillance programs. But most websites today do not use SSL -- or HTTPS. Retailers, social networks, and other sites that handle sensitive user or financial information typically use SSL.
The SSL vulnerability may be the harbinger of things to come, now that Internet encryption is getting more attention and adoption, as researchers take a closer look at implementations. "It's clearly still better to have SSL... but the majority of the world does not," Ristic said. It's still much easier to attack sites not running SSL. "It's going to get worse before it gets better. These things are coming out because we are paying more attention to encryption, and now these things are coming to light."
Patching has been under way for many major operators and server vendors, including Debian, CentOS, Red Hat, SUSE Linux, and Ubuntu, while others have been slower to update: as of this posting, Yahoo had not yet been updated for the flaw. "Many major websites have not been patched yet. It's difficult to do if you are running multiple devices that need to be patched for it -- you have to wait," Ristic said. "Someone with a large infrastructure may take some time to update. This is emergency patching all around the Internet."
To thwart attacks, experts say, organizations must either upgrade to the new OpenSSL 1.0.1g or recompile the library to disable the heartbeat function. The flaw is about two years old, and because any attack would be silent and undetected, experts recommend that organizations obtain new digital certificates.
"You may want to consider replacing SSL certificates if you are afraid that the exploit was already used against your site," Johannes Ullrich wrote in today's SANS Internet Storm Center Diary. "But the exploit is not limited to secret SSL key. All data in memory is potentially at risk."
The bug's exposure of the private SSL key is especially alarming to security experts. Meanwhile, multiple proof-of-concept tools are circulating online today and making it easy for attackers to exploit the Heartbleed bug.
"If they get the key, anyone who can intercept your communications can pretend to be the other end of the connection. So if you are connecting to your bank, do you want anyone reaching in and changing the dialog between you and the bank? So instead of asking for your balance, it transfers all of your money to hackers.us.com," for instance, said Andrew Ginter, industrial cybersecurity expert at Waterfall Security. "How realistic is it that anyone will intercept that communication? It's not that hard."
Jaime Blasco, director of AlienVault Labs, told us the flaw can be abused to steal not only usernames and passwords but also some elements of the application's source code. "The attack can also be combined with a man-in-the-middle attack to obtain credentials from the client before the server performs authentication."
Providers affected by the bug should not only patch but also replace their private keys and certificates for each of the services using the OpenSSL library, Blasco said.