Bleeding Heart SecOps

Heartbleed!!! A Response Timeline

Ryan Brown

Everyone's Hair is ON FIRE!!!

Heartbleed (CVE-2013-0156) is one of the

Who Was Vulnerable?

Terrified yet?

How Bad?

All of Exposed

"AWS is aware of the HeartBleed Bug (CVE-2014-0160) in OpenSSL and
investigating any impact or required remediation. We will post back when we
have more detail."

But ErrataSec Said....

ErrataSec claimed that Heartbleed is actually unlikely to leak private keys
because to be leaked, the contents of some memory has to be freed first.


ELB is multitenant, closed-source, and Amazon doesn't publish
specifics about the internals

Theoretically, an instance terminating SSL for could have then been
reconfigured, freeing the memory containing the * key and exposing
that key to Heartbleed attacks on remaining tenants of the ELB

The Good News


The real problem was heartbeating, a simple echo service. You send data (up to
64k) in a request, and the server copies that data into a buffer and sends it
as the response.

The catch is that that there are two "length" fields in the request.

You claim in one field that there is 64k of data, but in the other claim 0, and
you send 0.

Boom, you get the contents of 64k of recently freed memory.

The reason you get recently freed memory is because OpenSSL wrote their own
wrapper around malloc.


Thank you