What has been done to prevent another ‘heartbleed’ vulnerability?


What is the ‘Heartbleed’ vulnerability?

The Heartbleed vulnerability (CVE-2014-0160) was disclosed in April 2014 and sent a wave of panic through the internet. It affected a large share of the web servers in use at the time, including sites with millions of users, because it let anyone read pieces of a server's memory, leaving the personal data of those users exposed and vulnerable to attack.

The cause was a bug in OpenSSL, the open source library that a large part of the internet used (and still uses) for TLS encryption. OpenSSL is normally regarded as a solid piece of software, but this bug had been sitting in it since 2012, and once security researchers at Google and Codenomicon found and reported it, anyone who knew about it could exploit it.

The bug was in OpenSSL's implementation of the TLS heartbeat extension (RFC 6520), a keep-alive mechanism: when there has been no traffic between the two computers for a while, such as uploading or downloading data, one side can send a small heartbeat message and the other side answers it, so both know the connection is still alive.

A heartbeat request is a short message containing a type byte, a two-byte field stating how long its payload is, the payload itself (say 30 bytes of arbitrary data) and at least 16 bytes of padding. The receiving computer stores the request in a memory buffer, reads the length field and sends back a response containing a copy of exactly that payload, so the sender can check that its data came back intact.

Unfortunately, there was a flaw in this system: the receiving computer never checked the stated payload length against the number of bytes that had actually arrived. The length field is 16 bits, so an attacker could claim a payload of up to 65,535 bytes (about 64KB) while sending a request that contained only a few bytes of real data. OpenSSL would allocate a response buffer big enough for the claimed length and then copy that many bytes out of the buffer holding the request, reading far past the end of the data it had received.

The response therefore contained the few bytes the attacker had sent, followed by up to roughly 64KB of whatever happened to sit next to the request in the server process's memory. Sometimes that was harmless, but it could also be session cookies, usernames and passwords that other users had just submitted, or even the server's private TLS key; Cloudflare's public challenge shortly after disclosure confirmed that private keys could be recovered this way. The attacker could repeat the request as often as they liked, getting a fresh slice of memory each time, and the server logged nothing unusual.
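To make the mechanics concrete, here is a stripped-down model of the bug and of the bounds check that fixed it. This is an added example written for this article, not OpenSSL's code: the message layout follows RFC 6520, but the handler names, the simulated heap (a static array with a fake session cookie placed just behind the received record) and the crafted request bytes are all constructed for the demo, which is also why the over-read stays inside one array and runs without undefined behaviour.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* RFC 6520: a heartbeat carries at least 16 bytes of padding */

/* Constructed stand-in for a slice of the server's heap. The received record is
 * placed at the front and an unrelated "secret" (a fake session cookie) a few
 * bytes behind it, so the over-read stays inside this array. Not real traffic. */
#define ARENA_SIZE 1024
static unsigned char arena[ARENA_SIZE];
static const char secret[] = "session=c0ffee; user=admin";

/* Builds a heartbeat request whose length field claims `claimed_len` bytes but
 * which actually carries only `payload`. Returns the byte count that really
 * arrived, i.e. the record length a correct handler must trust instead. */
static size_t build_arena(uint16_t claimed_len, const char *payload)
{
    unsigned char *p = arena;
    size_t plen = strlen(payload);
    memset(arena, 0, sizeof arena);
    *p++ = HB_REQUEST;
    *p++ = (unsigned char)(claimed_len >> 8);
    *p++ = (unsigned char)(claimed_len & 0xff);
    memcpy(p, payload, plen);
    p += plen + HB_PADDING;                 /* padding bytes are already zero */
    memcpy(p + 8, secret, sizeof secret);   /* neighbouring heap data */
    return (size_t)(p - arena);
}

typedef unsigned char *(*heartbeat_fn)(const unsigned char *, size_t, size_t *);

/* The bug: the 16-bit length inside the message is trusted and `rec_len`, the
 * number of bytes that actually arrived, is never consulted. OpenSSL 1.0.1
 * through 1.0.1f behaved like this. Returns a malloc'd response or NULL. */
static unsigned char *heartbeat_vulnerable(const unsigned char *rec, size_t rec_len, size_t *out_len)
{
    const unsigned char *p = rec;
    unsigned char type = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    (void)rec_len;                          /* never checked: this is the flaw */
    if (type != HB_REQUEST) return NULL;
    size_t resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    unsigned char *resp = malloc(resp_len);
    if (!resp) return NULL;
    resp[0] = HB_RESPONSE;
    resp[1] = (unsigned char)(payload >> 8);
    resp[2] = (unsigned char)(payload & 0xff);
    memcpy(resp + 3, p, payload);           /* copies `payload` bytes, however few arrived */
    memset(resp + 3 + payload, 0, HB_PADDING);
    *out_len = resp_len;
    return resp;
}

/* The fix: silently discard any record too short to hold the payload it claims.
 * Once the lengths agree the copy itself is harmless, so it is reused as-is. */
static unsigned char *heartbeat_fixed(const unsigned char *rec, size_t rec_len, size_t *out_len)
{
    if (rec_len < 1 + 2 + HB_PADDING) return NULL;                   /* not even an empty heartbeat */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return NULL; /* claimed more than received */
    return heartbeat_vulnerable(rec, rec_len, out_len);
}

static int contains(const unsigned char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* Sends one crafted heartbeat to a handler. Returns 1 if the response leaked the
 * neighbouring secret, 0 if it echoed only the real payload, -1 if the handler
 * discarded the message, -2 if the claim would not fit the simulated heap. */
static int probe(heartbeat_fn handler, uint16_t claimed_len, const char *payload)
{
    if ((size_t)claimed_len + 3 > ARENA_SIZE) return -2;
    size_t received = build_arena(claimed_len, payload);
    size_t out_len = 0;
    unsigned char *resp = handler(arena, received, &out_len);
    if (!resp) return -1;
    int leaked = contains(resp, out_len, secret);
    free(resp);
    return leaked;
}

int main(void)
{
    printf("honest request, vulnerable code:  %d\n", probe(heartbeat_vulnerable, 5, "hello"));
    printf("claims 400 bytes, vulnerable code: %d  (1 = secret leaked)\n", probe(heartbeat_vulnerable, 400, "hello"));
    printf("claims 400 bytes, fixed code:      %d  (-1 = discarded)\n", probe(heartbeat_fixed, 400, "hello"));
    return 0;
}
```

The honest request behaves identically under both handlers; only when the claimed length exceeds what arrived does the vulnerable path hand back the neighbouring "secret", while the fixed path drops the message, which is what the RFC says to do with a malformed heartbeat.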

Heartbleed Vulnerability Fix

Nobody knows for certain whether Heartbleed was exploited before April 2014, or for how long if it was, because a successful attack leaves no trace in the server's logs. Once the problem was understood, though, the fix was simple: a bounds check of a few lines that compares the claimed payload length with the length of the record that actually arrived and silently drops the heartbeat if they don't agree.

The fix shipped in OpenSSL 1.0.1g; versions 1.0.1 through 1.0.1f are vulnerable, while the older 0.9.8 and 1.0.0 branches never had the heartbeat code and were not affected. Patches are free and readily available. On most servers OpenSSL comes from the operating system's package manager, so install the vendor's updated package and then restart every service that links against the library (web server, mail server, VPN and so on), since a running process keeps using the old copy until it is restarted. If you build OpenSSL yourself, take the current release from the OpenSSL website, or at minimum rebuild with the heartbeat extension disabled (the -DOPENSSL_NO_HEARTBEATS build option).

Most servers were updated long ago, but there is always the possibility that one has been overlooked and the vulnerability is still there. Be aware that the version string alone can mislead you, because Linux distributions backport security fixes without changing the version number, so check your vendor's advisory rather than just the output of 'openssl version'. If you are concerned about a server, there are web-based checkers where you enter the URL and they send a crafted heartbeat to see whether the weakness is still present; a good one is Pentest-tools.com. Only test servers you are responsible for or have permission to test.

Lastly, if you discover that a server you are in charge of is vulnerable, the order of the cleanup matters: update OpenSSL and restart the affected services first, then generate new private keys, reissue the SSL/TLS certificates and revoke the old ones (the old key may already have been stolen), then invalidate existing sessions and cookies. Only after that should you ask users to change their passwords, because a password changed on a still-vulnerable server can simply be stolen again. As a user, if a site you rely on was affected, change your password there once it has been patched.

So what can be done to prevent another heartbleed vulnerability in the future?

There are quite a few things actually, but I don't want to bore you with a long list of techno jargon, so I'll just highlight one that I think would have worked best.

AddressSanitizer (ASan), released by Google in 2012 as part of the Clang compiler and later added to GCC, instruments a program at compile time (the -fsanitize=address flag) so that every memory access is checked, and it aborts with a detailed report the moment code reads or writes past the end of a buffer. That is exactly what Heartbleed did, so an OpenSSL build with ASan, fed a malformed heartbeat by a fuzzer or a negative test case, would have flagged the over-read. Two caveats: a sanitizer only finds bugs on code paths that actually get exercised, so it is only as good as the tests driving it, and OpenSSL at the time recycled its buffers through its own freelist instead of going through malloc, which had to be disabled (OPENSSL_NO_BUF_FREELISTS) before tools like ASan could see the overrun at all.

This, in combination with other methods such as dynamic binary instrumentation tools (Valgrind, for example) and guard pages that place an unmapped page right after each allocation, is our best chance of catching such a bug before it reaches our servers again.