The newly exposed Heartbleed bug plaguing some 17 percent of SSL-secured websites as well as various VPN products has caused a massive case of Internet heartburn over the past 48 hours as companies rushed to confirm their exposure and lock down their SSL/TLS software. But just how bad is it?
Errata Security CEO Robert Graham scanned the Net for machines vulnerable to the implementation flaw in the so-called Heartbeat function of TLS, and discovered some 600,000 affected out of 28 million SSL machines. He estimates that some one-third of SSL machines had been patched with the update to the buggy OpenSSL library. Netcraft, meanwhile, says the buggy Heartbeat extension is enabled on 17.5 percent of SSL sites, which include close to a half-million digital certificates at risk of theft and spoofing from the attack.
Heartbleed may be one of the biggest Internet security events since security expert Dan Kaminsky found and helped coordinate a fix for the massive Domain Name Service (DNS) caching vulnerability in 2008. Bruce Schneier gives Heartbleed an 11 rating on an ascending scale of 1 to 10, and security companies and experts are issuing warnings of the severity of the bug. The flaw, a two-year-old implementation bug in the open-source OpenSSL, has been fixed with the new OpenSSL 1.0.1g, but experts say to assume it's already been abused by nation-states or cyber criminals given the two years it wasn't publicly known.
Fixing Heartbleed isn't cheap. The estimated cost to remedy the flaw is hundreds or thousands of dollars per server or application, according to Tatu Ylonen, inventor of the SSH protocol and CEO and founder of SSH Communications Security. That adds up to more than a billion dollars in overall labor and certificate renewal costs worldwide, Ylonen says.
The bug, in Versions 1.0.1 and 1.0.2 beta, leaks the contents of the memory from the server to the client and vice versa, potentially exposing passwords and other sensitive data and the SSL server's private key. While there have been reports of Yahoo passwords exposed by the bug and massive nefarious scanning for the flaw on the Net and signs of attacks since Heartbleed was revealed late Monday, there's still debate over just how easily exploitable the bug really is.
"Certainly, nation-states will have the best capability to quickly weaponize this vulnerability for large-scale exploitation," Schneier says.
Carrying out an attack using this flaw is not for script kiddies, experts say. It would take a nation-state or organized crime organization. "There are not enough skilled attackers with non-attributable networks to safely carry out large-scale collection efforts using this vulnerability," says security expert Ralph Logan, CEO of Kiku Software, a large data analytics software firm. For example, "In order to collect mail.yahoo.com uid:pass pairs using this vulnerability, you would need a giant non-attributable network larger than TOR, but TOR won't work in this case because we all know that it's attributable.
"Joe Hacker/single actor in the .ru still has to have a non-attributable network to infiltrate and exfiltrate large amounts of data across the web."
But the bad news now that the cat's out of the bag is that proofs-of-concept are out -- and some attacks are under way. Jaime Blasco, director of AlienVault Labs, says his firm has spotted scans for the flaw as well as brute-force attack attempts on some of its customers. "We have seen active attacks" in the past 48 hours, Blasco says.
Mozilla's former director of security assurance Michael Coates, now director of product security for Shape Security and chairman of OWASP, points out that the attacker must have access to network devices "along the communication" path of a user and a website. "In order to decrypt data exchanged between a user and a website, the attacker must have access to network devices along the communication path. This attack could most easily be launched by state actors, intelligence agencies, or criminal enterprises operating with collusion from network operators," Coates said today in a blog post.
An individual attacker could also target users on a shared WiFi hotspot with Heartbleed, he says.
As for concerns about attackers stealing a website's digital certificate via a Heartbleed attack, Errata's Graham contends that panic over private keys leaking is somewhat overblown. "In most [packaged] software, this cannot happen. That's because memory containing the private key is never freed, and hence allocated heartbleed buffers can never contain it," Graham said in a blog post today:
"The upshot is this. What you can eavesdrop on with heartbleed hacks is dynamic stuff, stuff that was allocated only moments ago. What you probably can't get is static information. Certainly, you can't get any static information that hasn't been freed, and you probably can't get static information that was freed long ago, such as program startup. It's a great way to steal passwords from recent logins, but it's unlikely to give private keys. Certainly, there is some poorly written software that when it validates the SSL connection, copies the private key into a buffer, uses it, then frees the buffer. Thus, there certainly exists some software that reliably leaks the private key, it's just that on most software it's not possible."
Not all SSL servers are public Internet-facing, of course: Also at risk are internal intranet SSL servers that run internal corporate applications. And VPN software such as the open-source OpenVPN software was exposed but has since been patched.
"You need to change all certificates and keys," says Kevin Bocek, vice president, security strategy and threat intelligence, at Venafi. "What's inside the firewall is a lot more" lucrative to an attacker, he says.
"If I'm an advanced attacker, this is just a heyday. Now I can easily punch a server. I can get the keys and certs that allow me to [move] internally, which before would have taken a lot more effort. [Heartbleed] is also an internal concern."
Enterprises should confirm whether their servers and VPN products are vulnerable if they have not done so already, and if they are, update them and obtain new digital certificates to be safe. Once they've cleaned that up, then they should institute end-user password changes, experts say.
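One way to do the first step, confirming exposure, is to triage collected `openssl version -a` output against the affected upstream range (the 1.0.1 line before 1.0.1g, and the 1.0.2 beta). This is an added example, not code from the article or from anyone quoted in it; the host names and sample outputs are constructed, and the 1.0.2-beta2 fix point and the `-DOPENSSL_NO_HEARTBEATS` build flag come from the upstream OpenSSL advisory rather than from this page.

```python
import re

# Matches the first line of `openssl version` output, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
_VERSION = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?", re.I)

def classify(version_output: str) -> str:
    """Classify `openssl version -a` text against the upstream Heartbleed range."""
    m = _VERSION.search(version_output)
    if not m:
        return "unknown"
    base = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter = m.group(4).lower()
    beta = int(m.group(5)) if m.group(5) else None
    if base < (1, 0, 1):
        return "not-affected"          # 0.9.8 and 1.0.0 lines predate Heartbeat support
    if base == (1, 0, 1):
        affected = letter < "g"        # 1.0.1 through 1.0.1f; "" sorts before "a"
    elif base == (1, 0, 2):
        affected = beta == 1           # upstream fixed the 1.0.2 line in beta2
    else:
        affected = False
    if not affected:
        return "fixed"
    # A build compiled without Heartbeat support shows this flag on the compiler line.
    if "-DOPENSSL_NO_HEARTBEATS" in version_output:
        return "mitigated-build"
    return "affected-upstream"

def patch_queue(inventory: dict) -> list:
    """Hosts to update and re-key first, before any password resets."""
    return sorted(h for h, out in inventory.items()
                  if classify(out) == "affected-upstream")

# Constructed sample inventory (host names and outputs are made up for illustration).
SAMPLE = {
    "vpn-gw.example.internal": "OpenSSL 1.0.1e 11 Feb 2013\ncompiler: gcc -fPIC -O2",
    "www.example.internal": "OpenSSL 1.0.1g 7 Apr 2014\ncompiler: gcc -fPIC -O2",
    "legacy.example.internal": "OpenSSL 0.9.8y 5 Feb 2013\ncompiler: gcc -O3",
    "build.example.internal": "OpenSSL 1.0.1c 10 May 2012\n"
                              "compiler: gcc -DOPENSSL_NO_HEARTBEATS -O2",
}

if __name__ == "__main__":
    for host, out in sorted(SAMPLE.items()):
        print(f"{host:28} {classify(out)}")
```

Linux distributions often backport the fix without changing the version letter, so an `affected-upstream` result should be confirmed against the vendor's package changelog before a host is declared exposed. Applications that bundle or statically link their own OpenSSL copy will not show up in the system `openssl version` output and need to be checked separately.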
End users should change their passwords on websites that were vulnerable, but not until after they've been patched. "This particular vulnerability still exists in many locations, so changing your password may just mean that the new password is vulnerable," says Matt Willems, an engineer for LogRhythm Labs. "The best advice is to follow normal best-practices for online identity information. Change your passwords regularly, and if an online service says your information may be at risk, follow their directions."
Meanwhile, SANS Internet Storm Center is tracking software vendors that have updated their products. And several free online scanning tools are available for testing SSL servers for the flaw.