Recently, one of the most talked-about security issues in the cybersecurity field is the Heartbleed vulnerability, which was exposed by foreign hackers on April 7. According to a report by Vox, researchers from Codenomicon and Googleâs security team discovered a vulnerability in OpenSSLâs source code that allows an attacker to access data from 64K of memory on a server. In China, this vulnerability has been translated as the âOpenSSL Heartbleed vulnerability.â Its destructive capacity and wide impact make it a milestone event in network security history.
The basic principle of the OpenSSL Heartbleed vulnerability is that OpenSSL introduced a heartbeat mechanism two years ago to maintain the long-term existence of TLS connections. The heartbeat mechanism was implemented as an extension of TLS, but both TLS (TCP) and DTLS (UDP) lacked boundary checks in the code, allowing attackers to use this vulnerability to obtain some data in the memory of the TLS connection peer (which can be either the server or the client), with at least 16KB obtainable at a time and theoretically up to 64KB.
OpenSSL is a security protocol that provides security and data integrity for network communication, incorporating major encryption algorithms, common key and certificate encapsulation management functions, and the SSL protocol. Most SSL-encrypted websites use a piece of open-source software called OpenSSL, which is the most widely used secure transmission method on the internet and is widely employed by online banking, online payments, e-commerce sites, portal sites, email, and other important websites, resulting in a broad impact.
A security research team from the University of Michigan used the open-source network scanning tool ZMap to search for websites with the Heartbleed vulnerability. The researchers conducted a full scan of the address space, and as of 2:00 PM on April 10, 32% of the top one million websites in the Alexa rankings supported SSL. Of those supporting HTTPS, 9% had the vulnerability, 31.9% securely supported the OpenSSL TLS Heartbeat Extension, and 59% did not support Heartbeat Extension (thus being secure), meaning 40.9% of the worldâs top one million websites were vulnerable when the vulnerability broke out. The first global attack report The Canadian Revenue Agency confirmed that Heartbleed led to the theft of 900 social security numbers, which were completely deleted from the system by attackers.
How significant is this vulnerabilityâs impact on China? On the day of the outbreak, almost all major e-commerce sites in China had this vulnerability. Taobao was the fastest to fix it, patching the vulnerability around 5 PM on April 8, but a considerable amount of data may have been captured during this period. Some large websites, such as Yahooâs login page, had information leaks. NetEase had not fixed the issue by 8 PM on the 8th, and some online transaction sites leaked user IDs, leading to potential forged transactions. As of the evening of April 10, iQIYI had not yet fixed it, though most mainstream websites have since patched the vulnerability. Hence, the OpenSSL Heartbleed vulnerability can also be considered a disaster event for Chinaâs network security.
What information could this vulnerability leak? Our website login names and passwords, any personal information modified during this time, answers to security questions changed during the period, as well as credit card information, email server addresses, and password hashes. Many websites suggest users change their passwords after the fact, but there is also information as important as passwords, such as any security protection information you updated during this process, that could be read. A more secure measure is to change some critical security protection information and privacy information as many websites trust the TLS encrypted channel. If credit cards are bound to websites, it becomes more troublesome, as not all domestic websites comply with PCI-DSS security standards, which require encrypted storage of credit card details and prohibit storing CVV information. If the website complies with PCI-DSS, itâs recommended to at least change your password and personal information.
What other subsequent impacts does this vulnerability have?
1. New attack methods have emerged, and attackers can use this vulnerability to steal user passwords and private keys from affected websites. Websites using vulnerable versions of OpenSSL should abolish all old private keys and certificates. 2. The first wave of server issues requires attention, but third-party software using flawed OpenSSL will be the next problem to consider, as attackers may use the vulnerability to access information users intended to keep confidential. Both client and server software may also be affected, and malicious users might exploit this by having clients connect to servers, with server-side attacks stealing client data.3. Servers exposed to the public internet may have been patched promptly, but some companies overlook intranet servers, making them vulnerable to internal malicious reads or hacker intranet penetrations.4. Some security organizations are even studying how to use this vulnerability for virtual machine escape, allowing real machines to remotely execute code within virtual machines through strange and convoluted attack vectors.
How can we effectively patch this vulnerability? The simplest and most effective solution is to upgrade to OpenSSL 1.0.1g. SNORT has already released relevant rules for IDS/IPS interception, and many third-party CDN traffic rules have interception in place. However, the latest exploit sends malicious requests based on the TLS encrypted channel, easily bypassing network-layer-based IDS and CDN traffic layer interception. Currently, the Anyun Web Shield employs software-based rule interception and automatic vulnerability repair to effectively protect server security.
Last year, there was a similar serious security vulnerability called lucky-13 (CVE-2013-0169), which affected all TLS implementations of the past decade. Many versions of OpenSSL could fully restore plaintext, though fortunately, it was difficult to exploit and the exploit programs did not spread widely. OpenSSL specifically released 1.0.1e to patch this vulnerability. However, while most servers have been upgraded, many gateway devices still use versions that have this vulnerability.
The OpenSSL Heartbleed vulnerability has also sparked much discussion in the domestic security community:
1. This vulnerability arose from the introduction of the heartbeat mechanism in OpenSSL two years ago to maintain a long-term TLS connection.2. The vulnerability had gone through code auditing and fuzzing tests by the OpenSSL community, including vendors like Qualys, but no issues were detected. Of course, without a crash after fuzzing, problems cannot be identified.3. It is speculated that the sample of this vulnerability might originate from a SOC's NETFLOW audit. And whose "SOC" is the most powerful? It seems no one except the BIG BROTHER, although the NSA has denied this information.