The Heartbleed Bug struck the internet this week, but it was festering for two years before even being detected or reported. This is a major flaw, as Bruce Schneier put it, with its severity being an 11 out of 10. Read on to find out a bit more about it.
Heartbleed attacked a flaw in OpenSSL’s implementation of the TLS Heartbeat functionality. Heartbeat, the feature, is sort of just a ping for SSL. My client connection says “I’m sending you 64 KB of data, echo it back to me,” and if I sent 64 KB of data to a server running OpenSSL, it would send me the SAME 64 KB back. The flaw was when I would say I’m sending 64 KB of data, and only send 1 BYTE. It would send back 64 KB of a random chunk of its memory! So, if you hit it enough times with enough requests, you could eventually get the full contents of the server’s memory. It would have to be pieced together like a puzzle, but you could get it all.
The work to rebuild the contents of a server’s memory is a daunting task. If the server had even 1 GB of memory, as a hacker I’m looking at over 15,000 pieces of this puzzle, with MULTIPLE duplicates since there won’t be any way to specify which random block of memory you want next (it’s not up to you). Also, a server’s memory is constantly changing. So really, while this flaw was massive it is very difficult to do anything with the data.
However, a very patient hacker could gain information on every aspect of your site. They may have usernames and passwords, but most crucially, they could have the entire private keys of your SSL certificates. The recommendation out there is to get new keys. If you have SSL enabled and are running OpenSSL (typically on Linux / Apache), then you should get new certificates since your communication channel over SSL may have been compromised, and someone is reading every byte that gets communicated to your server.
The fix is to quickly patch OpenSSL. On affected servers here at Delphic, which are typically running CentOS, all that needed to be done was run the command “sudo yum update openssl” and the Heartbleed detection page immediately reported that the site was not vulnerable. Overall our affection rate was very very low, since we mostly run Microsoft servers.
Be careful out there!