This specific exploit is actually not quite network related. It’s more of a programming oversight (with huge implications). Basically, there’s a part of the SSL protocol called the heartbeat, which allows for a connection to remain open over time - the client sends a little message to the server saying, “hey! don’t kill my connection” and the server acknowledges it and sends some data back.
The way the protocol is defined, the client sends its packet of data and a number representing the size of that data as validation (something pretty common to do). However, openSSL doesn’t check that the given size actually corresponds to the actual size of the payload - it just allocates a chuck of memory that sized and returns it. This means that if the user tells openSSL that the payload is bigger that it is, the server will actually dump a portion of its memory back (which can include things like private keys, passwords, etc.).
You can check the vulnerable code out here, and you can see it just does a memcpy and if you look at the surrounding code, those bounds aren’t checked.
/* Allocate memory for the response, size is 1 byte
message type, plus 2 bytes payload length, plus
payload, plus padding /
buffer = OPENSSL_malloc(1 + 2 + payload + padding);
bp = buffer;
/ Enter response type, length and copy payload */
*bp++ = TLS1_HB_RESPONSE;
memcpy(bp, pl, payload);
Although the situation is different, the moral of the story remains the same…
You will want to be sure your web server has been updated to address the vulnerability before you change your passwords. Otherwise you could make the problem worse by exposing both the old and new password to an attack.
We had a security expert come in to my AP Computer Science class who recommended changing all passwords now, and then again in 3-4 weeks. The rationale being that some will have fixed it ASAP, but some will only get around to it later (or something along those lines).
Cisco and Juniper, two of the largest router and Internet equipment makers, said today that the vulnerability, which exposes encrypted data like passwords, is present in their routers, switches and firewalls.
Yep. Also, in Heartbleed-vulnerable routers, since almost all routers also act as a web server, SSL connections between it and clients (such as router management clients) are vulnerable to MITM (Man-In-The-Middle) attacks and decryption.