Bleeding Heart SecOps
Heartbleed!!! A Response Timeline
Ryan Brown
Heartbleed (CVE-2014-0160) is one of the
Terrified yet?
"AWS is aware of the HeartBleed Bug (CVE-2014-0160) in OpenSSL and investigating any impact or required remediation. We will post back when we have more detail."
ErrataSec claimed that Heartbleed is actually unlikely to leak private keys,
because for the key to be leaked, the memory holding it has to be freed first.
But...
ELB is multitenant, closed-source, and Amazon doesn't publish
specifics about the internals
Theoretically, an ELB instance terminating SSL for mycorp.com could later have been
reconfigured, freeing the memory that held the *.mycorp.com key and exposing
that key to Heartbleed attacks launched against the remaining tenants of the same ELB.
The real problem was heartbeating, a simple echo service. You send data (up to
64k) in a request, and the server copies that data into a buffer and sends it
as the response.
The catch is that there are two "length" fields in play: the heartbeat message's
own payload length and the length of the TLS record that carries it.
You claim 64k of data in the first, 0 in the second, and send 0 bytes of payload.
Boom, you get the contents of 64k of recently freed memory.
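The missing bounds check, shown as an added example in C that is not the talk's or OpenSSL's own code; the message layout follows RFC 6520, and the two sample records (a well-formed request and one whose claimed length exceeds what was sent) are constructed here.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* RFC 6520 heartbeat layout: type(1) | payload_length(2, big-endian) | payload | padding(>=16) */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define HB_HDR      3

/* Build the echo response for one heartbeat record. Returns bytes written, or -1
 * when the claimed payload length does not fit inside the bytes actually received,
 * which is exactly the comparison the vulnerable code never made. */
int heartbeat_respond(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HDR + HB_PADDING || rec[0] != HB_REQUEST) return -1;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    /* The fix: check the payload_length field against the record length before copying. */
    if (HB_HDR + claimed + HB_PADDING > rec_len) return -1;
    size_t resp_len = HB_HDR + claimed + HB_PADDING;
    if (resp_len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(claimed >> 8);
    out[2] = (uint8_t)(claimed & 0xff);
    memcpy(out + HB_HDR, rec + HB_HDR, claimed);    /* bounded by the check above */
    memset(out + HB_HDR + claimed, 0, HB_PADDING);  /* real TLS fills this with random bytes */
    return (int)resp_len;
}

/* Constructed sample: a well-formed request carrying the 3-byte payload "abc". */
int demo_wellformed(uint8_t *out, size_t out_cap) {
    uint8_t rec[HB_HDR + 3 + HB_PADDING] = { HB_REQUEST, 0x00, 0x03, 'a', 'b', 'c' };
    return heartbeat_respond(rec, sizeof rec, out, out_cap);
}

/* Constructed sample: a request whose length field claims 65535 bytes but carries none. */
int demo_oversized_claim(uint8_t *out, size_t out_cap) {
    uint8_t rec[HB_HDR + HB_PADDING] = { HB_REQUEST, 0xff, 0xff };
    return heartbeat_respond(rec, sizeof rec, out, out_cap);
}

int main(void) {
    uint8_t out[65535 + HB_HDR + HB_PADDING];
    printf("well-formed request: %d bytes echoed\n", demo_wellformed(out, sizeof out));
    printf("oversized claim: %d (rejected)\n", demo_oversized_claim(out, sizeof out));
    return 0;
}
```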
The reason you get recently freed memory is that OpenSSL wrote their own
wrapper around malloc.