FBI Enters Heartbleed Alerts

Monday, April 14, 2014 @ 04:04 PM gHale


The OpenSSL issue continues gaining industry-wide review as ICS-CERT released an alert Saturday giving additional information on the issue.

The new information is the FBI provided additional Snort signatures, “Mitigation against Open Secure Socket Layer Heartbeat Extension Vulnerability.” In addition, Click here for Snort community rules.

Additional indicators of compromise are available on the Control Systems compartment of the US-CERT secure portal for owners and operators of critical infrastructure.

RELATED STORIES
FBI Snort Signatures for Heartbleed
Heartbleed Alert from ICS-CERT
Bypassing Heartbleed Bug
Flaw Found in TLS Protocol

It has been a busy week for the government body as they keep issuing new alearts giving more detail.

The vulnerability in OpenSSL Versions 1.0.1 through 1.0.1f contain a flaw in its implementation of the transport layer security/datagram transport layer security (TLS/DTLS) heartbeat functionality that could disclose private/encrypted information to an attacker.

This vulnerability, called “Heartbleed” ended up discovered by a team of security engineers at Codenomicon and Neel Mehta of Google Security, who reported this vulnerability to the National Cyber Security Centre Finland (NCSC-FI) for vulnerability coordination and reporting to the OpenSSL team.

This report released without coordination with either the vendor or ICS-CERT. ICS-CERT is issuing this alert to provide early notice of the report and identify baseline mitigations for reducing risks to this and other cybersecurity attacks.

The report included vulnerability details and Proof of Concept (PoC) exploit code for the following vulnerability:

In the second report, ICS-CERT continued its reach out to the vendor community to bring awareness of the OpenSSL vulnerability (CVE-2014-0160). The following information should help the industry in making risk assessments of its environment to mitigate the threat of this exploit, according to ICS-CERT.

ICS-CERT is aware of reports of attempted exploitation and is in the process of confirming these reports. ICS-CERT continues to monitor the situation closely and encourages entities to report any and all incidents regarding this vulnerability to DHS.

A flaw in the implementation of OpenSSL (ver. 1.0.1 to 1.0.1f, and 1.0.2-beta1) could allow the private key used in Secure Sockets Layer (SSL) to end up exposed. An attacker could then decrypt and read any secure data passed on the network link.

CVE-2014-0160 is the case number assigned, which has a CVSS score of 6.4.

The vulnerability exists in the Heartbeat extension (RFC6520) to OpenSSL’s Transport Layer Security (TLS) and the Datagram Transport Layer Security (DTLS) protocols. The Heartbeat extension is functionally a “keep-alive” between end-users and the secure server. It works by sending periodic “data pulses” of 64 KB in size to the secure server and once the server receives that data; it reciprocates by resending the same data at the same size.

The out-of-bounds “read” vulnerability exists because the Heartbeat extension does not properly validate the data sent from the end-user. As a result, an attacker could send a specially crafted heartbeat request to the vulnerable server and obtain sensitive information stored in memory on the server. Furthermore, even though each heartbeat only allows requests to have a data size limited to 64 KB segments, it is possible to send repeated requests to retrieve more 64 KB segments, which could include encryption keys used for certificates, passwords, usernames, and even sensitive content that were stored at the time. An attacker could harvest enough data from the 64 KB segments to piece together larger groupings of information, which could help an attacker develop a broader understanding of the information acquired.

The following OpenSSL libraries suffer from the issue:

OpenSSL versions 1.0.1 through 1.0.1f and 1.0.2-beta1 suffer from the issue.

OpenSSL Version 1.0.1g addressed and mitigated this vulnerability. Please contact your software vendor to check for availability of updates.

For developers, they should upgrade affected TLS/TDLS clients and servers to OpenSSL version 1.0.1g. Alternatively, affected versions of OpenSSL may be recompiled with the option “-DOPENSSL_NO_HEARTBEATS” to mitigate the vulnerability until an upgrade can be performed.

For asset owners and operators, they should contact equipment vendors for specific mitigation information as the implementations may vary. In addition, IDS signatures are available that may provide awareness of an attack of this nature occurring.



Leave a Reply

You must be logged in to post a comment.