Heartbleed

cadandcookies · #1 10-04-2014, 23:37

In case you haven't heard, now is a really good time to go and change your passwords.

This article explains it better than I can-- maybe some of the network gurus around here have more details?

I didn't see a thread about it anywhere and figured it's probably relevant to a lot of the users here.

plnyyanks · #2 10-04-2014, 23:44

Quote:

Originally Posted by cadandcookies

maybe some of the network gurus around here have more details?

This specific exploit is actually not quite network related. It's more of a programming oversight (with huge implications). Basically, there's a part of the SSL protocol called the heartbeat, which allows for a connection to remain open over time - the client sends a little message to the server saying, "hey! don't kill my connection" and the server acknowledges it and sends some data back.

The way the protocol is defined, the client sends its packet of data and a number representing the size of that data as validation (something pretty common to do). However, openSSL doesn't check that the given size actually corresponds to the actual size of the payload - it just allocates a chuck of memory that sized and returns it. This means that if the user tells openSSL that the payload is bigger that it is, the server will actually dump a portion of its memory back (which can include things like private keys, passwords, etc.).

You can check the vulnerable code out here, and you can see it just does a memcpy and if you look at the surrounding code, those bounds aren't checked.

Quote:

/* Allocate memory for the response, size is 1 byte
* message type, plus 2 bytes payload length, plus
* payload, plus padding
*/
buffer = OPENSSL_malloc(1 + 2 + payload + padding);
bp = buffer;
/* Enter response type, length and copy payload */
*bp++ = TLS1_HB_RESPONSE;
s2n(payload, bp);
memcpy(bp, pl, payload);

Although the situation is different, the moral of the story remains the same...

cgmv123 · #3 11-04-2014, 09:24

MCMechTech · #4 11-04-2014, 13:29

You will want to be sure your web server has been updated to address the vulnerability before you change your passwords. Otherwise you could make the problem worse by exposing both the old and new password to an attack.

cadandcookies · #5 11-04-2014, 14:15

Quote:

Originally Posted by MCMechTech

You will want to be sure your web server has been updated to address the vulnerability before you change your passwords. Otherwise you could make the problem worse by exposing both the old and new password to an attack.

We had a security expert come in to my AP Computer Science class who recommended changing all passwords now, and then again in 3-4 weeks. The rationale being that some will have fixed it ASAP, but some will only get around to it later (or something along those lines).

Lucario · #6 11-04-2014, 14:22

Quote:

Originally Posted by cadandcookies

We had a security expert come in to my AP Computer Science class who recommended changing all passwords now, and then again in 3-4 weeks. The rationale being that some will have fixed it ASAP, but some will only get around to it later (or something along those lines).

https://lastpass.com/heartbleed/ actually has a web tool to check if the server's been patched. You can use this to check to see if its time to change your password.

Also, if you're a web-admin, you'll want to check your own site's SSL if you're doing anything sensitive- both the patch and a re-key has to be applied for you to be protected.

rich2202 · #7 11-04-2014, 14:37

Quote:

Originally Posted by plnyyanks

This specific exploit is actually not quite network related.

Now it is:

Quote:

Cisco and Juniper, two of the largest router and Internet equipment makers, said today that the vulnerability, which exposes encrypted data like passwords, is present in their routers, switches and firewalls.

http://www.komando.com/blog/247808/t...ery-very-worse

Lucario · #8 11-04-2014, 15:29

Quote:

Originally Posted by rich2202

Now it is:

Yep. Also, in Heartbleed-vulnerable routers, since almost all routers also act as a web server, SSL connections between it and clients (such as router management clients) are vulnerable to MITM (Man-In-The-Middle) attacks and decryption.

Chris_Ely · #9 11-04-2014, 19:28

Anyone know if CD is affected? The tool that Alan linked to is inconclusive.

Quote:

Originally Posted by LastPass

Unable to get HTTP headers for www.chiefdelphi.com
Site: www.chiefdelphi.com
Server software: Not reported
Was vulnerable: Possibly (might use OpenSSL, but we can't tell)
SSL Certificate: Unable to extract SSL information for that host

Pat Fairbank · #10 11-04-2014, 20:22

Quote:

Originally Posted by luckof13

Anyone know if CD is affected? The tool that Alan linked to is inconclusive.

Nope -- CD doesn't use SSL/HTTPS. Port 443 on chiefdelphi.com is blocked.

Joe Ross · #11 11-04-2014, 21:04

Quote:

Originally Posted by Pat Fairbank

Nope -- CD doesn't use SSL/HTTPS. Port 443 on chiefdelphi.com is blocked.

In other words, don't use an important password here.

alex.lew · #12 11-04-2014, 21:18

Quote:

Originally Posted by Joe Ross

In other words, don't use an important password here.

Is there any password that could be more important?

Thread Tools
Show Printable Version Email this Page
Display Modes	Rate This Thread
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode	Rate This Thread: