Heartbleed
Heartbleed is a security bug in some outdated versions of the OpenSSL cryptography library, which is a widely used implementation of the Transport Layer Security protocol. It was introduced into the software in 2012 and publicly disclosed in April 2014. Heartbleed could be exploited regardless of whether the vulnerable OpenSSL instance is running as a TLS server or client. It resulted from improper input validation in the implementation of the TLS heartbeat extension. Thus, the bug's name derived from heartbeat. The vulnerability was classified as a buffer over-read, a situation where more data can be read than should be allowed.
Heartbleed was registered in the Common Vulnerabilities and Exposures database as CVE-2014-0160. A fixed version of OpenSSL was released on 7 April 2014, on the same day Heartbleed was publicly disclosed.
TLS implementations other than OpenSSL, such as GnuTLS, Mozilla's Network Security Services, and the Windows platform implementation of TLS, were not affected because the defect existed in OpenSSL's implementation of TLS rather than in the protocol itself.
System administrators were frequently slow to patch their systems., 1.5% of the 800,000 most popular TLS-enabled websites were still vulnerable to the bug, and by, 309,197 public web servers remained vulnerable. According to a report from Shodan, nearly 180,000 internet-connected devices were still vulnerable to the bug, but by, the number had dropped to 144,000 according to a search performed on shodan.io for the vulnerability. Around two years later,, Shodan reported that 91,063 devices were vulnerable. The U.S. had the most vulnerable devices, with 21,258, and the 10 countries with the most vulnerable devices had a total of 56,537 vulnerable devices. The remaining countries totaled 34,526 devices. The report also broke the devices down by 10 other categories such as organization, product, and service.
History
The Heartbeat extension for the Transport Layer Security and Datagram Transport Layer Security protocols was proposed as a standard in February 2012 by RFC 6520. It provides a way to test and keep alive secure communication links without the need to renegotiate the connection each time. In 2011, one of the RFC's authors, Robin Seggelmann, then a Ph.D. student at the Fachhochschule Münster, implemented the Heartbeat Extension for OpenSSL. Following Seggelmann's request to put the result of his work into OpenSSL, his change was reviewed by Stephen N. Henson, one of OpenSSL's four core developers. Henson failed to notice a bug in Seggelmann's implementation, and introduced the flawed code into OpenSSL's source code repository on 31 December 2011. The defect spread with the release of OpenSSL version 1.0.1 on 14 March 2012. Heartbeat support was enabled by default, causing affected versions to be vulnerable.
Discovery
According to Mark J. Cox of OpenSSL, Neel Mehta of Google's security team privately reported Heartbleed to the OpenSSL team on 1 April 2014 11:09 UTC.
The bug was named by an engineer at Synopsys Software Integrity Group, a Finnish cyber security company that also created the bleeding heart logo, designed by Finnish graphic designer Leena Kurjenniska, and launched an informational website, heartbleed.com. While Google's security team reported Heartbleed to OpenSSL first, both Google and Codenomicon discovered it independently at approximately the same time. Codenomicon reports 3 April 2014 as their date of discovery and their date of notification of for vulnerability coordination.
At the time of disclosure, some 17% of the Internet's secure web servers certified by trusted authorities were believed to be vulnerable to the attack, allowing theft of the servers' private keys and users' session cookies and passwords. The Electronic Frontier Foundation, Ars Technica, and Bruce Schneier all deemed the Heartbleed bug "catastrophic". Forbes cybersecurity columnist Joseph Steinberg wrote:
An unidentified UK Cabinet Office spokesman recommended that: On the day of disclosure, The Tor Project advised:
The Sydney Morning Herald published a timeline of the discovery on 15 April 2014, showing that some organizations had been able to patch the bug before its public disclosure. In some cases, it is not clear how they found out.
Bugfix and deployment
Bodo Möller and Adam Langley of Google prepared the fix for Heartbleed. The resulting patch was added to Red Hat's issue tracker on 21 March 2014. Stephen N. Henson applied the fix to OpenSSL's version control system on 7 April. The first fixed version, 1.0.1g, was released on the same day., 309,197 public web servers remained vulnerable., according to a report from Shodan, nearly 180,000 internet-connected devices were still vulnerable. The number had dropped to 144,000 as of 2017, according to a search on shodan.io for "vuln:cve-2014-0160".
Certificate renewal and revocation
According to Netcraft, about 30,000 of the 500,000+ X.509 certificates which could have been compromised due to Heartbleed had been reissued by 11 April 2014, although fewer had been revoked.
By 9 May 2014, only 43% of affected web sites had reissued their security certificates. In addition, 7% of the reissued security certificates used the potentially compromised keys. Netcraft stated:
eWeek said, " likely to remain a risk for months, if not years, to come."
Cloudflare revoked all TLS certificates and estimated that publishing its certificate revocation list would cost the issuer, GlobalSign, $400,000 per month that year.
Exploitation
The Canada Revenue Agency reported a theft of social insurance numbers belonging to 900 taxpayers, and said that they were accessed through an exploit of the bug during a 6-hour period on 8 April 2014. After the discovery of the attack, the agency shut down its website and extended the taxpayer filing deadline from 30 April to 5 May. The agency said it would provide credit protection services at no cost to anyone affected. On 16 April, the RCMP announced they had charged a computer science student in relation to the theft with unauthorized use of a computer and mischief in relation to data.
The UK parenting site Mumsnet had several user accounts hijacked, and its CEO was impersonated. The site later published an explanation of the incident saying it was due to Heartbleed and the technical staff patched it promptly.
Anti-malware researchers also exploited Heartbleed to their own advantage in order to access secret forums used by cybercriminals. Studies were also conducted by deliberately setting up vulnerable machines. For example, on 12 April 2014, at least two independent researchers were able to steal private keys from an experimental server intentionally set up for that purpose by CloudFlare. Also, on 15 April 2014, J. Alex Halderman, a professor at University of Michigan, reported that his honeypot server, an intentionally vulnerable server designed to attract attacks in order to study them, had received numerous attacks originating from China. Halderman concluded that because it was a fairly obscure server, these attacks were probably sweeping attacks affecting large areas of the Internet.
In August 2014, it was made public that the Heartbleed vulnerability enabled hackers to steal security keys from Community Health Systems, the second-biggest for-profit hospital chain in the United States, compromising the confidentiality of 4.5 million patient records. The breach happened a week after Heartbleed was first made public.
Possible prior knowledge and exploitation
Many major web sites patched the bug or disabled the Heartbeat Extension within days of its announcement, but it is unclear whether potential attackers were aware of it earlier and to what extent it was exploited.
Based on examinations of audit logs by researchers, it has been reported that some attackers may have exploited the flaw for at least five months before discovery and announcement. Errata Security pointed out that a widely used non-malicious program called Masscan, introduced six months before Heartbleed's disclosure, abruptly terminates the connection in the middle of handshaking in the same way as Heartbleed, generating the same server log messages, adding "Two new things producing the same error messages might seem like the two are correlated, but of course, they aren't."
According to Bloomberg News, two unnamed insider sources informed it that the United States' National Security Agency had been aware of the flaw since shortly after its appearance but, instead of reporting it, kept it secret among other unreported zero-day vulnerabilities in order to exploit it for the NSA's own purposes. The NSA has denied this claim, as has Richard A. Clarke, a member of the National Intelligence Review Group on Intelligence and Communications Technologies that reviewed the United States' electronic surveillance policy; he told Reuters on 11 April 2014 that the NSA had not known of Heartbleed. The allegation prompted the American government to make, for the first time, a public statement on its zero-day vulnerabilities policy, accepting the recommendation of the review group's 2013 report that had asserted "in almost all instances, for widely used code, it is in the national interest to eliminate software vulnerabilities rather than to use them for US intelligence collection", and saying that the decision to withhold should move from the NSA to the White House.
Behavior
The RFC 6520 Heartbeat Extension tests TLS/DTLS secure communication links by allowing a computer at one end of a connection to send a Heartbeat Request message, consisting of a payload, typically a text string, along with the payload's length as a 16-bit integer. The receiving computer then must send exactly the same payload back to the sender.
The affected versions of OpenSSL allocate a memory buffer for the message to be returned based on the length field in the requesting message, without regard to the actual size of that message's payload. Because of this failure to do proper bounds checking, the message returned consists of the payload, possibly followed by whatever else happened to be in the allocated memory buffer.
Heartbleed is therefore exploited by sending a malformed heartbeat request with a small payload and large length field to the vulnerable party in order to elicit the victim's response, permitting attackers to read up to 64 kibibytes of the victim's memory that was likely to have been used previously by OpenSSL. Where a Heartbeat Request might ask a party to "send back the four-letter word 'bird'", resulting in a response of "bird", a "Heartbleed Request" of "send back the 500-letter word 'bird'" would cause the victim to return "bird" followed by whatever 496 subsequent characters the victim happened to have in active memory. Attackers in this way could receive sensitive data, compromising the confidentiality of the victim's communications. Although an attacker has some control over the disclosed memory block's size, it has no control over its location, and therefore cannot choose what content is revealed.
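The bounds check described above, written out as an added example (it is not OpenSSL's code and not part of the original article). It assumes the heartbeat message layout of a 1-byte type, a 2-byte length and the payload, plus the 16-byte minimum padding from RFC 6520; the names `hb_overread`, `hb_respond` and the sample records are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HB_REQUEST  1   /* heartbeat_request message type */
#define HB_RESPONSE 2   /* heartbeat_response message type */
#define HB_HEADER   3   /* 1-byte type + 2-byte payload length */
#define HB_MIN_PAD  16  /* minimum padding required by RFC 6520 */

/* Constructed samples: "bird" with a length field of 4, and "bird" claiming 500 (0x01F4). */
const uint8_t HB_HONEST[HB_HEADER + 4 + HB_MIN_PAD] = { HB_REQUEST, 0x00, 0x04, 'b', 'i', 'r', 'd' };
const uint8_t HB_LYING[HB_HEADER + 4] = { HB_REQUEST, 0x01, 0xF4, 'b', 'i', 'r', 'd' };

/* Number of bytes a responder that trusts the length field would copy from
 * beyond the received record. 0 means the length field fits the record.
 * Usable as a detection test on captured heartbeat records. */
size_t hb_overread(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < HB_HEADER)
        return 0;                        /* too short to carry a length field */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    size_t present = rec_len - HB_HEADER;
    return claimed > present ? claimed - present : 0;
}

/* Hardened responder: echoes the payload only when the record really holds
 * header + claimed payload + minimum padding. Returns the response length,
 * or 0 when the request is to be silently discarded. */
size_t hb_respond(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER + HB_MIN_PAD || rec[0] != HB_REQUEST)
        return 0;                        /* cannot be a well-formed request */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER + claimed + HB_MIN_PAD > rec_len)
        return 0;                        /* length field exceeds what arrived */
    size_t resp_len = HB_HEADER + claimed + HB_MIN_PAD;
    if (resp_len > out_cap)
        return 0;                        /* caller's buffer is too small */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed);  /* bounded by the check above */
    memset(out + HB_HEADER + claimed, 0, HB_MIN_PAD);   /* zero padding here; real stacks use random bytes */
    return resp_len;
}
```

For the 500-byte claim over the 4-byte "bird" payload, `hb_overread` reports the same 496 bytes the paragraph above describes, and `hb_respond` discards the request instead of answering it.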