SECADV_20140407

A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server.

Abstract

Due to a missing / incorrect bounds check in the code it is possible to return chunks of memory from a TLS peer (client or server) by sending invalid requests which are incorrectly processed.

The memory returned may contain sensitive information such as the private key, account names and/or passwords.

Technical Details

Either party in an SSL/TLS channel can request a heartbeat response from the peer. This means a client can send a request to a server or a server can send a request to a client making each vulnerable to attach from the other end.

Solutions and Workarounds

• Upgrade to OpenSSL 1.0.1g.
  • This is the recommended option from the OpenSSL team.
• Rebuild your affected OpenSSL release with the heartbeat feature disabled
  • This is as simple as a recompilation with -DOPENSSL_NO_HEARTBEATS
• Block the heartbeat processing in your application code
  • heartbeat_block.c Example application code showing msg_cb use to block heartbeat

Detecting Vulnerability

• heartbleed.c Rob Stradling

• C code exampling using OpenSSL library to detect if a server is vulnerable. Requires completed handshake prior to sending invalid heartbeat probe.

• check-ssl-heartbleed.pl Steffen Ullrich

• Standalone perl script to detect if a server is vulnerable. Sends a ClientHello message and then an invalid heartbeat probe without waiting for the handshake to complete.

• heartbleed_test.c Mike Bland (git pull request)

• Regression / Unit Test Suite

• Testing For Reverse HeartBleed
• Cardiac Arrest

• Standalone Python script to detect if a server is vulnerable.

References

• HeartBleed CodeNomicon
• Cloudflare Challenge Writeup Jeremi M Gosney
• RedHat fix commit
• Timeline Mark J Cox
• Heartbleed disclosure timeline: who knew what and when Sydney Morning Herald
• Bugs in Heartbleed detection scripts