Research Paper: Heartbleed Vulnerability
Added on - 16 Sep 2019
Executive Summary

The Heartbleed vulnerability was publicly disclosed in April 2014 and took the Internet by storm. It allowed attackers to read sensitive information from an estimated 24-55% of popular HTTPS sites. The vulnerability is a flaw in OpenSSL, an open-source cryptographic library. This paper describes the Heartbleed vulnerability, the parameters and steps involved in exploiting it, and the mitigation and remediation steps that apply.

Technical Description

Exploitation Description

The Heartbleed bug (CVE-2014-0160) is one of the most severe vulnerabilities observed in the OpenSSL cryptographic software library. It lets attackers steal information that is supposed to be protected by SSL/TLS encryption. OpenSSL versions 1.0.1 through 1.0.1f, and the 1.0.2-beta releases, contain a programming error (a missing bounds check) that can expose confidential data, and any system that uses these versions is exposed as a result. The flaw lies in OpenSSL's implementation of the TLS Heartbeat extension (RFC 6520), a keep-alive mechanism in which one side sends a heartbeat request and the other echoes its payload back in a response. Anyone on the Internet can send crafted heartbeat requests to a vulnerable server and read up to roughly 64 KB of the server process's memory per request; a vulnerable client connecting to a malicious server is exposed in the same way. As a result, the secret keys used to protect information, such as user credentials, traffic encryption, and the identity of the service provider, can be compromised. Attackers can then eavesdrop on the network, obtain information directly from the service or its users, and mount impersonation attacks.

Attack Vectors

Attackers take advantage of the heartbeat request message: they craft requests so that the server responds with confidential and sensitive data. The stolen data is then used to impersonate the service or its users.
A Heartbeat request message carries the following parameters:

- Payload: the data the sender includes, which the receiver is expected to echo back in its response.
- Payload length: a 16-bit field stating the size of the payload, which tells the server how many bytes to return.

The actual attack occurs in the following steps:

1. The attacker confirms that the target machine is up and running a TLS service.
2. The attacker builds a heartbeat request containing a small payload together with a forged, much larger payload length.
3. The target machine receives the request transmitted by the attacker.
4. While building the response, the server takes the payload length from the request instead of measuring the payload it actually received. In the example used here the claimed length is 30 bytes, whereas the actual payload is 4 bytes.
5. The server fills the response up to the claimed length, so the bytes that follow the payload in its heap memory are copied into the response and transmitted. In this example an additional 26 bytes are sent back to the attacker; in the real bug the 16-bit length field lets each request leak up to about 64 KB.

Every server that uses OpenSSL stores its working data in the process heap. Much of that data is sensitive information held for the duration of a session: user credentials, the private and session keys used for encryption and decryption, financial details of users, and so on. That data is exposed in the response exactly as illustrated above. If attackers have recorded past traffic and later obtain the server's private key in this way, they can decrypt that traffic unless the sessions used a forward-secret key exchange. This can have severe implications for information security and privacy.

Mitigation

Vulnerable versions must be upgraded to OpenSSL 1.0.1g or later; where an immediate upgrade is not possible, OpenSSL can be recompiled with -DOPENSSL_NO_HEARTBEATS to disable the extension. It may not be obvious whether a given application is vulnerable to Heartbleed, but detector tools exist to test for the flaw. If an application is found to be non-vulnerable, no action is required. If the vulnerability is detected, the upgrade or security patches must be installed and every service that uses OpenSSL, including software statically linked against it, must be restarted so that the patched library is actually loaded. Because private keys and session data may already have been leaked, certificates should be revoked and reissued with newly generated keys, and session tokens and user passwords reset, once the patch is in place. Before any SSL or TLS application is accessed, a vulnerability check should be performed as a mandatory step, and logging in to affected sites should be avoided until they are patched. Business partners and third parties should also be informed.
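The handler logic behind the attack steps above, and the bounds check that the 1.0.1g upgrade in the Mitigation section supplies, as an added example in C that is not part of the original paper and is not OpenSSL's own source code. A simulated heap arena holds the received heartbeat record followed by a constructed "secret" standing in for neighbouring allocations; process_heartbeat_vulnerable mirrors the pre-1.0.1g behaviour of trusting the peer-supplied payload_length, and process_heartbeat_fixed adds the record-length check the patch introduced. The arena layout, the SECRET string and the 30-byte/4-byte figures are all assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TLS Heartbeat message layout (RFC 6520): type | payload_length (2) | payload | padding */
#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16   /* minimum padding the RFC requires */

/* Simulated heap. The received record sits at the start of the arena; the bytes
 * after it stand in for whatever the process had allocated next to it (a constructed
 * "secret"). Keeping the over-read inside one array keeps the program well defined. */
#define ARENA_SIZE 256
static unsigned char arena[ARENA_SIZE];
static const char SECRET[] = "user=alice&pass=hunter2&key=0xdeadbeef";   /* constructed */

typedef size_t (*hb_handler)(const unsigned char *rec, size_t rec_len,
                             unsigned char *resp, size_t resp_cap);

/* Write a heartbeat request into the arena and return its real wire length. claimed_len
 * goes into the payload_length field; padding is zeroed; the secret follows the record. */
static size_t build_request(uint16_t claimed_len, const char *payload)
{
    size_t actual_len = strlen(payload);
    memset(arena, 0, sizeof arena);
    arena[0] = TLS1_HB_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + 3, payload, actual_len);
    size_t rec_len = 1 + 2 + actual_len + HB_PADDING;
    memcpy(arena + rec_len, SECRET, sizeof SECRET);          /* adjacent heap contents */
    return rec_len;
}

/* Pre-1.0.1g logic: payload_length comes from the peer and that many bytes are copied
 * back; the length of the record actually received is never consulted. */
static size_t process_heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                           unsigned char *resp, size_t resp_cap)
{
    (void)rec_len;                                           /* ignored: this is the bug */
    if (rec[0] != TLS1_HB_REQUEST) return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > resp_cap) return 0;
    resp[0] = TLS1_HB_RESPONSE;
    resp[1] = (unsigned char)(payload >> 8);
    resp[2] = (unsigned char)(payload & 0xff);
    memcpy(resp + 3, rec + 3, payload);                      /* reads past the real payload */
    return payload;
}

/* With the check OpenSSL 1.0.1g added: a declared payload that does not fit in the
 * bytes actually received is silently discarded, as RFC 6520 section 4 requires. */
static size_t process_heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                                      unsigned char *resp, size_t resp_cap)
{
    if ((size_t)(1 + 2 + HB_PADDING) > rec_len) return 0;    /* too short to be valid */
    if (rec[0] != TLS1_HB_REQUEST) return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return 0;   /* the missing bound */
    if (1 + 2 + (size_t)payload + HB_PADDING > resp_cap) return 0;
    resp[0] = TLS1_HB_RESPONSE;
    resp[1] = (unsigned char)(payload >> 8);
    resp[2] = (unsigned char)(payload & 0xff);
    memcpy(resp + 3, rec + 3, payload);
    return payload;
}

/* The paper's example (claimed 30, real payload "ping" = 4 bytes): bytes echoed beyond the real payload. */
static size_t leaked_bytes(hb_handler handler)
{
    unsigned char resp[ARENA_SIZE];
    size_t rec_len = build_request(30, "ping");
    size_t got = handler(arena, rec_len, resp, sizeof resp);
    return got > 4 ? got - 4 : 0;
}

/* 1 if the bytes after the real payload and padding are the start of the secret. */
static int response_exposes_secret(hb_handler handler)
{
    unsigned char resp[ARENA_SIZE];
    size_t rec_len = build_request(30, "ping");
    size_t got = handler(arena, rec_len, resp, sizeof resp);
    size_t tail = 4 + HB_PADDING;
    if (got <= tail) return 0;
    return memcmp(resp + 3 + tail, SECRET, got - tail) == 0;
}

int main(void)
{
    unsigned char resp[ARENA_SIZE];
    size_t rec_len = build_request(30, "ping");
    size_t got = process_heartbeat_vulnerable(arena, rec_len, resp, sizeof resp);
    printf("vulnerable: %zu payload bytes returned, %zu beyond the real payload\n", got, got - 4);
    printf("fixed: %zu payload bytes returned (request discarded)\n",
           process_heartbeat_fixed(arena, rec_len, resp, sizeof resp));
    return 0;
}
```

With the paper's numbers the vulnerable handler returns 30 payload bytes: the 4 real bytes, the 16 zero padding bytes of the record, and 10 bytes of the neighbouring secret, which is the 26-byte over-read the steps describe. The fixed handler rejects the same request because 1 + 2 + 30 + 16 exceeds the 23 bytes actually received, so no response is sent at all.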