Heartbleed: The latest on the OpenSSL bug


on Apr 9, 14 • by Roy Sarkar • with 4 Comments



[Update - read this post to see how Klocwork finds the bug]

By now, you’ve heard about the OpenSSL flaw that’s capturing the attention of anyone in the world that’s remotely connected with security. Known as “Heartbleed”, this vulnerability allows any enterprising individual to read memory from systems protected by certain versions of the OpenSSL cryptographic library. Because that memory is read without any authorization, data that you and your end-users care about, such as usernames, passwords, and credit card numbers, is potentially exposed. Given that Netcraft reports that nearly 66% of websites around the world use some form of SSL, this is a seriously bad problem.

What is it?

The flaw resides in OpenSSL’s implementation of the heartbeat extension for its transport security protocols, TLS/DTLS. By specification (RFC 6520), these protocols use a heartbeat to verify that the two ends of an SSL connection are still alive, exchanging small packets of data. A single malformed heartbeat request can cause the response to contain up to 64 KB of whatever happens to be in server memory, and this buffer over-read can be used to recover sensitive information. To get more data, the attacker simply sends more requests. The surprising thing is, this flaw comes down to a missing bounds check programming error.
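To make the missing bounds check concrete, here is an added example (not OpenSSL’s own code) of a minimal heartbeat record handler in C that applies the length validation the vulnerable versions lacked; the record layout (type byte, 16-bit payload length, payload, at least 16 bytes of padding) follows RFC 6520, while the function name, buffer arguments and zero-filled padding are assumptions of this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example: a minimal TLS heartbeat record handler that
 * performs the bounds check missing from the vulnerable OpenSSL code. */

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16   /* RFC 6520: at least 16 bytes of padding */

/* Returns the number of bytes written to out (a heartbeat response),
 * or -1 if the record is malformed and must be dropped. */
int handle_heartbeat(const uint8_t *rec, size_t rec_len,
                     uint8_t *out, size_t out_cap)
{
    /* Type (1) + payload length (2) must be present before we read them. */
    if (rec_len < 3)
        return -1;

    uint8_t type = rec[0];
    size_t payload = ((size_t)rec[1] << 8) | rec[2];   /* sender-controlled */

    if (type != HB_REQUEST)
        return -1;

    /* The check that was missing: the claimed payload plus header and
     * minimum padding must fit inside the record actually received.
     * Without it, the memcpy below copies `payload` bytes starting at
     * rec + 3 regardless of how short rec really is, leaking whatever
     * follows it in memory. */
    if (1 + 2 + payload + HB_PADDING > rec_len)
        return -1;

    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap)
        return -1;

    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)payload;
    memcpy(out + 3, rec + 3, payload);            /* echo the received payload */
    memset(out + 3 + payload, 0, HB_PADDING);     /* padding content is arbitrary */
    return (int)resp_len;
}
```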

Why should you care?

Web servers keep a lot of information in active memory, information that organizations and end-users do not want released to the public. Worse, this flaw is known to expose the encryption keys that are stored in memory, making the very system that’s supposed to protect data vulnerable. Since OpenSSL use is so widespread, some estimate that Heartbleed will impact more than ninety percent of online communications.

The Big Picture

The severity and spread of Heartbleed underscore the need for software development teams to put a strong emphasis on code security. Using tools and best practices that root out potential vulnerabilities as early as possible is critical to delivering safe, secure software that reduces your risk once it is deployed. Tools like static code analysis provide comprehensive security checks across your entire code base, while open-source scanning products protect your enterprise against unknown liabilities. In fact, OpenLogic reports the Heartbleed flaw for any enterprise using, or considering the use of, the OpenSSL software package.

Learn more

Vulnerability summary in NIST’s National Vulnerability Database
Brian Krebs’ take on the flaw, with a way to test for the flaw yourself
Catch the Security Breach Before It’s Out of Reach webinar


4 Responses to Heartbleed: The latest on the OpenSSL bug

  1. Olivia Holzkamp says:

    Is it possible to find a bug like Heartbleed with a static analysis tool? I mean, can the tool detect which size the input of a user can have? Or can the tool check if the buffer size is validated before memory is allocated?

  2. Mattias says:

    Does Klocwork detect the Heartbleed bug if you run it through your tools?
