[Update – read this post to see how Klocwork finds the bug]
By now, you’ve heard about the OpenSSL flaw that’s capturing the attention of anyone in the world who is remotely connected with security. Known as “Heartbleed”, this vulnerability allows any enterprising individual to access memory within systems protected by certain versions of the OpenSSL cryptographic library. This unauthorized memory access potentially exposes data that you and your end-users care about, such as usernames, passwords, and credit card numbers. Given that Netcraft reports that nearly 66% of websites around the world use some form of SSL, this is a seriously bad problem.
What is it?
The flaw resides in OpenSSL’s implementation of the TLS/DTLS transport-layer security protocols. By specification (RFC 6520), these protocols use a heartbeat, exchanged as small packets of data, to verify that two ends of an SSL connection are still alive. When the flaw is exploited to trigger a buffer over-read, these packets contain up to 64 KB of random server memory, which can be used to recover sensitive information. To get more data, the attacker simply sends more requests. The surprising thing is that this flaw comes down to a programming error: a missing bounds check.
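To make the missing bounds check concrete, here is an added example (not OpenSSL’s code and not from the original post) of a heartbeat handler that validates the sender-supplied payload length against the bytes actually received, as RFC 6520 requires. The names `hb_respond` and `hb_demo`, the buffer sizes, and the test records are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1   /* heartbeat_request (RFC 6520) */
#define HB_RESPONSE 2   /* heartbeat_response (RFC 6520) */
#define HB_HEADER   3   /* 1-byte type + 2-byte payload_length */
#define HB_PADDING  16  /* minimum padding length (RFC 6520) */

/* Build the response to one received heartbeat record.
 * Returns the response length, or 0 if the record must be silently discarded. */
size_t hb_respond(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER + HB_PADDING || rec[0] != HB_REQUEST)
        return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];  /* sender-controlled */
    size_t total = HB_HEADER + claimed + HB_PADDING;
    /* The bounds check: the claimed payload must fit in the bytes actually
     * received. Without it, the memcpy below reads past the end of rec. */
    if (total > rec_len || total > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed);
    /* Zero padding for brevity; RFC 6520 asks for random padding. */
    memset(out + HB_HEADER + claimed, 0, HB_PADDING);
    return total;
}

/* Constructed test record: claims `claimed` payload bytes, carries `actual`. */
size_t hb_demo(uint16_t claimed, size_t actual)
{
    static uint8_t rec[128], out[128];
    if (actual > 64)
        return 0;
    rec[0] = HB_REQUEST;
    rec[1] = (uint8_t)(claimed >> 8);
    rec[2] = (uint8_t)(claimed & 0xff);
    memset(rec + HB_HEADER, 'A', actual);
    memset(rec + HB_HEADER + actual, 0, HB_PADDING);
    return hb_respond(rec, HB_HEADER + actual + HB_PADDING, out, sizeof out);
}

int main(void)
{
    printf("honest (5/5):       %zu\n", hb_demo(5, 5));
    printf("off by one (6/5):   %zu\n", hb_demo(6, 5));
    printf("overlong (16384/1): %zu\n", hb_demo(0x4000, 1));
    return 0;
}
```

A record whose claimed length matches its contents is echoed back; one that claims even a single byte more than it carries is dropped.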
Why should you care?
Web servers keep a lot of information in active memory, information that organizations and end-users do not want released to the public. Worse, this flaw is known to expose secure encryption keys that are stored in memory, making the very system that’s supposed to protect data vulnerable. Since OpenSSL use is so widespread, some estimate that Heartbleed will impact more than ninety percent of online communications.
The Big Picture
The severity and spread of Heartbleed underscore the need for software development teams to put a strong emphasis on code security. Using tools and best practices that root out potential vulnerabilities as early as possible is critical to delivering safe, secure software that reduces your risk in the open. Tools like static code analysis provide comprehensive security checks across your entire code base, while open-source scanning products protect your enterprise against unknown liabilities. In fact, OpenLogic reports the Heartbleed flaw for any enterprise using, or considering the use of, the OpenSSL software package.