Programming is hard, and it is even harder when you have to write every line of code yourself. Luckily, this is rarely necessary: there is a wealth of third-party modules and libraries that can save you many hours of coding. But this convenience comes at a price: other people write bad and/or vulnerable code too, and a bug in a shared library becomes everyone's vulnerability. Some of these libraries are so widespread that a single CVE against them can cause something close to worldwide panic. This series will present some of these cases.
In the first post of this series we look at one of the most commonly used third-party libraries in PKI, OpenSSL, and the bugs in it that made any cryptography expert's heart bleed.
OpenSSL is a general-purpose cryptography library as well as a full-featured toolkit for the Transport Layer Security (TLS) protocol and its deprecated predecessor, Secure Sockets Layer (SSL). These protocols are designed to provide secure communication over different kinds of networks. The best-known application of SSL/TLS is HTTPS, which we use every time we visit a secure website, so it is no surprise that OpenSSL is so widely deployed.
Figure 1: Heartbleed, simplified
Hundred-percent-secure programs are like the Loch Ness Monster: many believe they exist, but there is no scientific proof of it. Whatever you develop, there are endless ways to get its security wrong; something as simple as copying input into a fixed-size buffer without checking its length gives you a buffer overflow. If you write code related to cryptography, the odds of being owned are even higher, because on top of the general bug classes (denial of service, overflows and so on) there are crypto-specific attack methods, such as side channels that leak key material through timing. So it is no wonder that OpenSSL has had countless vulnerabilities since its first release in 1998.
One of the first notable cryptography-specific vulnerabilities in OpenSSL was CVE-2003-0147, a timing attack that was possible because RSA blinding was not enabled by default. RSA blinding computes x = r^e * g mod N before each private-key operation, where r is a fresh random number for every decryption, e is the public RSA exponent, g is the actual ciphertext and N is the modulus. Then x is decrypted (raised to the private exponent d, which gives r * g^d mod N) and the result is divided by r, that is, multiplied by r^-1 mod N. Because r is random every time, so is x: the secret-dependent computation never operates on a value the attacker chose, so timing it should not reveal anything about the key. Without blinding, an attacker could recover the private key of a web server remotely, as Brumley and Boneh demonstrated over a network, by measuring timing differences caused by the extra reductions in Montgomery reduction and by the switch between OpenSSL's Karatsuba and normal integer multiplication routines. The fix, enabling blinding by default, shipped in OpenSSL 0.9.7b.
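The blinding operation described above, written out as an added example that is not OpenSSL's code (OpenSSL works on arbitrary-precision BIGNUMs and uses the CRT; this demo replaces that with 64-bit arithmetic). The primes P and Q, the modulus N, the plaintext and the function names are all constructed for the demo; a 32-bit modulus has no security value and only keeps every product inside a uint64_t so the arithmetic from the text can be followed line by line.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy RSA key built from two constructed 16-bit primes so that every
 * product fits in a uint64_t.  A 32-bit modulus has no security value;
 * it only makes the blinding arithmetic easy to follow. */
static const uint64_t P = 65521, Q = 65519, E = 65537;
static const uint64_t N = 65521ULL * 65519ULL;   /* 4,292,870,399 < 2^32 */

/* (a * b) mod m for a, b < 2^32: the product cannot overflow 64 bits. */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m) { return (a * b) % m; }

/* Square-and-multiply.  With exp = d this is the secret-dependent loop
 * whose input-dependent running time the 2003 attack measured. */
uint64_t powmod(uint64_t base, uint64_t exp, uint64_t m) {
    uint64_t result = 1;
    base %= m;
    while (exp) {
        if (exp & 1) result = mulmod(result, base, m);
        base = mulmod(base, base, m);
        exp >>= 1;
    }
    return result;
}

/* Modular inverse by the extended Euclidean algorithm; 0 if none exists. */
uint64_t invmod(uint64_t a, uint64_t m) {
    int64_t t = 0, newt = 1, r = (int64_t)m, newr = (int64_t)(a % m);
    while (newr != 0) {
        int64_t q = r / newr, tmp;
        tmp = t - q * newt; t = newt; newt = tmp;
        tmp = r - q * newr; r = newr; newr = tmp;
    }
    if (r != 1) return 0;
    return (uint64_t)(t < 0 ? t + (int64_t)m : t);
}

uint64_t private_exponent(void) { return invmod(E, (P - 1) * (Q - 1)); }

uint64_t rsa_encrypt(uint64_t m) { return powmod(m % N, E, N); }

/* Unblinded decryption: d is applied directly to the attacker-chosen g,
 * so the timing of powmod() is a function of g and of the secret d. */
uint64_t rsa_decrypt_unblinded(uint64_t g) {
    return powmod(g % N, private_exponent(), N);
}

/* Blinded decryption, the operation described in the text:
 *   x = r^e * g mod N,  y = x^d mod N = r * g^d mod N,  m = y * r^-1 mod N.
 * blinded_input receives x so a caller can see what powmod() really saw. */
uint64_t rsa_decrypt_blinded(uint64_t g, uint64_t r, uint64_t *blinded_input) {
    uint64_t x = mulmod(powmod(r, E, N), g % N, N);
    if (blinded_input) *blinded_input = x;
    uint64_t y = powmod(x, private_exponent(), N);
    return mulmod(y, invmod(r, N), N);
}

/* Fresh blinding factor coprime to N.  rand() is only acceptable because
 * this is a demo; real code needs a CSPRNG. */
uint64_t random_blinding_factor(void) {
    uint64_t r;
    do { r = 2 + (uint64_t)rand() % (N - 2); } while (invmod(r, N) == 0);
    return r;
}

int main(void) {
    uint64_t m = 123456789, g = rsa_encrypt(m), x;
    printf("unblinded: %llu\n", (unsigned long long)rsa_decrypt_unblinded(g));
    for (int i = 0; i < 3; i++) {
        uint64_t r = random_blinding_factor();
        uint64_t out = rsa_decrypt_blinded(g, r, &x);
        /* same plaintext every time, but the exponentiation saw a different x */
        printf("r=%llu x=%llu m=%llu\n", (unsigned long long)r,
               (unsigned long long)x, (unsigned long long)out);
    }
    return 0;
}
```

Running it shows the point of the countermeasure: every call returns the same plaintext, but the value actually fed to the exponentiation loop differs each time, so an attacker who controls g no longer controls what the secret-dependent code computes on. Do not lift this into production; use the library's RSA routines, which have had blinding on by default since 0.9.7b.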
But the most notable vulnerability in the history of OpenSSL is without doubt CVE-2014-0160, or as most people call it, Heartbleed. It was found in 2014, when researchers at Google Security and at Codenomicon independently discovered that OpenSSL versions 1.0.1 through 1.0.1f contained a flaw in their implementation of the TLS/DTLS heartbeat extension: the code trusted the payload length declared inside the heartbeat message without checking it against the length of the record actually received. This missing bounds check let an attacker read up to 64 KB of the server's process memory per heartbeat request, memory that could contain sensitive data such as the private key belonging to the server's X.509 certificate, usernames, passwords and memory addresses. Exploitation left nothing in the server's logs, so affected sites had to assume their keys were compromised and reissue their certificates. The fix shipped in OpenSSL 1.0.1g.
The Heartbleed bug caused major, worldwide chaos. Many companies and organizations suffered serious damage, among them the Canada Revenue Agency and Community Health Systems in the USA, where 4.5 million patient records were compromised. The total financial damage has been estimated at $500 million, and even now, years later and with exploits publicly available, many servers are still vulnerable.
Long story short: if you use third-party libraries, check them regularly by their CPE (Common Platform Enumeration) identifier in the CVE database, and whenever a security patch is available, update. Keep in mind that what matters is the library version your application is actually linked against, including any copy bundled with the application, not just the one your package manager reports.
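The missing check described above, as an added example that is not OpenSSL's code. The real handler is tls1_process_heartbeat in ssl/t1_lib.c; this model reproduces its logic on a constructed 256-byte "process memory" array with a made-up secret planted just past the received record, and the function names, the SECRET string and the record builder are all assumptions of the demo. The fixed variant mirrors the 1.0.1g change, which discards the message unless 1 + 2 + payload + 16 fits inside the received record length.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message layout (RFC 6520):
 *   1 byte  type (1 = request, 2 = response)
 *   2 bytes payload_length, big endian, chosen by the sender
 *   payload_length bytes of payload
 *   at least 16 bytes of padding
 */
#define HB_REQUEST 1
#define HB_RESPONSE 2
#define HB_PADDING 16

/* Constructed "process memory": the received record is placed at the
 * start, and a secret that must never leave the process is planted in
 * the bytes that follow it, standing in for leftover heap contents. */
static unsigned char process_memory[256];
static const char SECRET[] = "PRIVATE-KEY-MATERIAL";

const unsigned char *received_record(void) { return process_memory; }

/* Builds a request whose length field claims `claimed_len` bytes of
 * payload while only `real_len` bytes are really sent.  Returns the
 * length of the record as it arrived on the wire. */
size_t build_heartbeat(uint16_t claimed_len, size_t real_len) {
    unsigned char *p = process_memory;
    memset(process_memory, 0, sizeof process_memory);
    p[0] = HB_REQUEST;
    p[1] = (unsigned char)(claimed_len >> 8);
    p[2] = (unsigned char)(claimed_len & 0xff);
    memset(p + 3, 'A', real_len);
    size_t record_len = 3 + real_len + HB_PADDING;   /* padding left as zeros */
    memcpy(process_memory + record_len, SECRET, sizeof SECRET);
    return record_len;
}

/* Shared response builder: echoes `payload` bytes starting at `pl`. */
static int write_response(uint16_t payload, const unsigned char *pl,
                          unsigned char *out, size_t out_cap) {
    size_t resp_len = 3 + (size_t)payload + HB_PADDING;
    if (resp_len > out_cap) return -1;   /* keeps the demo itself in bounds */
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, pl, payload);        /* copies whatever follows pl */
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)resp_len;
}

/* Vulnerable handler (1.0.1 to 1.0.1f behaviour): the payload length is
 * read from inside the message and never compared with rec_len. */
int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                         unsigned char *out, size_t out_cap) {
    (void)rec_len;                       /* the bug: this is never consulted */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    return write_response(payload, rec + 3, out, out_cap);
}

/* Fixed handler (the 1.0.1g check): discard the message silently unless
 * header + claimed payload + padding fit inside the received record. */
int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                    unsigned char *out, size_t out_cap) {
    if (1 + 2 + HB_PADDING > rec_len) return -1;
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return -1;
    return write_response(payload, rec + 3, out, out_cap);
}

/* 1 if the planted secret appears anywhere in a response of `len` bytes. */
int response_leaks_secret(const unsigned char *out, int len) {
    size_t n = sizeof SECRET - 1;
    for (int i = 0; len > 0 && (size_t)i + n <= (size_t)len; i++)
        if (memcmp(out + i, SECRET, n) == 0) return 1;
    return 0;
}

int main(void) {
    unsigned char out[512];
    size_t rec_len = build_heartbeat(200, 1);   /* claims 200, sends 1 */
    int n = heartbeat_vulnerable(received_record(), rec_len, out, sizeof out);
    printf("vulnerable: %d bytes back, secret leaked: %d\n",
           n, response_leaks_secret(out, n));
    n = heartbeat_fixed(received_record(), rec_len, out, sizeof out);
    printf("fixed: %d (message discarded)\n", n);
    return 0;
}
```

The demo keeps the over-read inside its own array so it is defined behaviour; in the real server the same memcpy walked off the end of the received record into whatever the heap held next, and a 16-bit length field let a client ask for up to 64 KB of it per request. Note that the fixed handler checks the claimed length against the record length before it touches the payload, and that it drops the message rather than answering with an error, exactly as the patch did.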
RFC 7568: Deprecating Secure Sockets Layer Version 3.0, https://tools.ietf.org/html/rfc7568
NIST National Vulnerability Database: CVE-2003-0147, https://nvd.nist.gov/vuln/detail/CVE-2003-0147
NIST National Vulnerability Database: CVE-2014-0160, https://nvd.nist.gov/vuln/detail/CVE-2014-0160
US-CERT: Alert (TA14-098A) OpenSSL 'Heartbleed' vulnerability (CVE-2014-0160), https://www.us-cert.gov/ncas/alerts/TA14-098A
David Brumley: Vulnerability in OpenSSL (bugtraq), https://marc.info/?l=bugtraq&m=104766550528628&w=2
David Brumley, Dan Boneh: Remote Timing Attacks are Practical, https://crypto.stanford.edu/~dabo/pubs/papers/ssl-timing.pdf
OpenSSL: Welcome to OpenSSL, https://www.openssl.org/
© 2021 Microsec Ltd. | Company registration number: 01-10-047218 | Tax number: 23584497-2-41