Heartbleed Overblown? Experts Test Seriousness Of OpenSSL Bug


A test set up to examine the risk posed by the Heartbleed bug found that attackers can extract a server's private certificate key, confirming the danger posed by the vulnerability in the open-source OpenSSL library.

Cloud-based website security firm CloudFlare set up a deliberately vulnerable website with a valid certificate and challenged hackers to retrieve its secret key. The firm said it took about nine hours before the private key was recovered by two hackers, who sent millions of malicious heartbeat requests over the course of the day to reassemble the key from the leaked memory.

If attackers hold the private digital certificate key, they can spoof the website, a useful technique that supports a variety of attacks, said Rob Dixon, a principal security consultant at Denver-based systems integrator Accuvant.

[Related: Love Hurts: 12 Networking Vendors Hit By Heartbleed]

"We've seen memory dumps and information that we might consider sensitive, but my understanding is that this is completely random or just the last few bytes on the memory stack," Dixon said.

Still, Dixon and other security experts are calling Heartbleed a dangerous bug that system administrators need to address immediately. The OpenSSL bug has gained widespread attention for handing an attacker up to 64 KB of a Web server's process memory per malicious request, with no limit on how many requests can be sent and no trace left in the server's logs. That chunk of memory is whatever happened to be adjacent in the server's heap and can include session cookies and passwords, prompting a call from security experts for Internet users to change their passwords for popular websites and cloud-based services, but only once a given service has confirmed it is patched, since a password changed on a still-vulnerable server can leak just as easily as the old one.
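To show where the 64 KB figure comes from, here is an added example in C that is not code from the article, CloudFlare, or OpenSSL itself. It models the TLS heartbeat handler: the unchecked path trusts the peer-supplied two-byte length field (maximum 65535) and copies that many bytes out of the record buffer, as the pre-1.0.1g code did (CVE-2014-0160); the checked path applies the same two bounds checks as the fix, rejecting records too short to hold a heartbeat and records whose declared payload exceeds the bytes actually received. The request bytes, the 1 KiB arena standing in for the server's heap, and the "secret" placed after the record are all constructed for the demonstration, and the arena is sized so the simulated over-read stays within memory the program owns.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16      /* TLS heartbeats carry at least 16 bytes of padding */
#define ARENA_SIZE  1024    /* constructed stand-in for the server's heap */

/* Constructed secret placed after the record in the arena. */
static const char SECRET[] = "-----BEGIN RSA PRIVATE KEY----- (constructed)";

/* Build a heartbeat response from a request record.
 * rec/rec_len: the record as received (rec_len is its real length).
 * resp/resp_cap: output buffer; layout is type | len(2) | payload | padding.
 * check_bounds == 0 mirrors the vulnerable logic: the peer-supplied length
 * field is trusted and drives the copy. check_bounds == 1 adds the two
 * checks from the fix. Returns the response length, or -1 on rejection. */
static int heartbeat_handle(const uint8_t *rec, size_t rec_len,
                            uint8_t *resp, size_t resp_cap, int check_bounds) {
    const uint8_t *p = rec;
    uint16_t payload;
    size_t resp_len;

    /* Fix, part 1: the record must at least hold type + length + padding. */
    if (check_bounds && rec_len < 1 + 2 + HB_PADDING)
        return -1;

    if (*p++ != HB_REQUEST)
        return -1;
    payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;

    /* Fix, part 2: the declared payload must fit inside the received record. */
    if (check_bounds && (size_t)1 + 2 + payload + HB_PADDING > rec_len)
        return -1;

    resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (resp_len > resp_cap)          /* demo-only guard on the output buffer */
        return -1;

    resp[0] = HB_RESPONSE;
    resp[1] = (uint8_t)(payload >> 8);
    resp[2] = (uint8_t)(payload & 0xff);
    memcpy(resp + 3, p, payload);     /* over-reads past the record when unchecked */
    memset(resp + 3 + payload, 0, HB_PADDING);  /* real code uses random padding */
    return (int)resp_len;
}

/* Byte-string search used to inspect the response for the secret. */
static int contains(const uint8_t *hay, size_t hay_len, const char *needle) {
    size_t nl = strlen(needle);
    for (size_t i = 0; i + nl <= hay_len; i++)
        if (memcmp(hay + i, needle, nl) == 0)
            return 1;
    return 0;
}

/* Scenario: a 24-byte malicious request (type 1, declared length 512, five
 * payload bytes, 16 bytes of padding) sits at the start of the arena; the
 * secret lives 64 bytes further on. Returns 1 if the secret appears in the
 * heartbeat response, 0 if it does not (including when the request is rejected). */
static int leaks_secret(int check_bounds) {
    static const uint8_t request[24] = { HB_REQUEST, 0x02, 0x00, 'h', 'e', 'l', 'l', 'o' };
    uint8_t *arena = calloc(ARENA_SIZE, 1);
    uint8_t resp[ARENA_SIZE];
    int n, leaked = 0;

    memcpy(arena, request, sizeof request);
    memcpy(arena + 64, SECRET, sizeof SECRET);

    n = heartbeat_handle(arena, sizeof request, resp, sizeof resp, check_bounds);
    if (n > 0)
        leaked = contains(resp, (size_t)n, SECRET);
    free(arena);
    return leaked;
}

/* A well-formed request (declared length 5 matches the five payload bytes)
 * must still be answered by the checked handler. Returns the response length. */
static int legit_response_len(void) {
    static const uint8_t request[24] = { HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
    uint8_t resp[64];
    return heartbeat_handle(request, sizeof request, resp, sizeof resp, 1);
}

int main(void) {
    printf("unchecked handler leaks secret: %d\n", leaks_secret(0));   /* 1 */
    printf("checked handler leaks secret:   %d\n", leaks_secret(1));   /* 0 */
    printf("checked handler, legit request: %d bytes\n", legit_response_len()); /* 24 */
    return 0;
}
```

The point the demo makes is that the attacker controls only the two-byte length field, which is why each request yields at most 64 KB, and that the fix is nothing more exotic than comparing that field against the number of bytes actually received before copying.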

The flawed OpenSSL code also ships in many network security products, including security appliances, routers and switches. The manufacturers of those products are issuing updates to repair the flaw, but the vulnerable component is typically a management console that is not Internet-facing, Dixon said. Some devices also hold far less sensitive data in memory, he said.

"From my experience in performing pen tests and vulnerability assessments, it is common to see a lot of third-party patches that are behind on this underlying infrastructure, and being behind in patching may have helped some companies in this case," Dixon said.  

Security experts are far more concerned about the private server certificate keys, calling on system administrators to deploy the OpenSSL patch first, then generate a new key pair, have a certificate reissued for the new key and revoke the old certificate. The order matters: reissuing a certificate for the same key, or generating a new key on a server that has not yet been patched, leaves the site as exposed as before. Nginx and Apache, the two popular open-source Web servers that link against OpenSSL, are said to support hundreds of thousands of websites and services.

CloudFlare said it was among a group of companies that received early warning about the vulnerability, giving it time to patch its systems before the public patch release last week. Akamai Technologies used a custom memory allocation scheme that keeps key material in a separate region to reduce the likelihood that private keys would be exposed, but the firm said it still is rotating its customers' SSL keys as a precaution. The custom allocator wasn't foolproof, said Andy Ellis, chief security officer at Akamai, in a blog post.

"While we believe that the likelihood of compromise is vanishingly small, and the number of exposed certificates tiny, we cannot rule out that it could have happened," Ellis wrote. "We will therefore proceed with rotating customer SSL keys that had even this marginal elevation in risk."

Meanwhile, the National Security Agency has issued a flat denial that it knew about the OpenSSL flaw and used it to support its surveillance activities. A Bloomberg report on Friday cited two unidentified sources who said the NSA had exploited the flaw for the past two years.

"Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong. The Federal government was not aware of the recently identified vulnerability in OpenSSL until it was made public in a private sector cybersecurity report," according to a statement issued late Friday by the Office of the Director of National Intelligence. 

PUBLISHED APRIL 14, 2014