The Heartbleed Bug
Beginner
2014

Target: OpenSSL Implementation
Impact: Private Key Compromise

Operational Briefing

Exploit a buffer over-read vulnerability in the OpenSSL library. Leak memory contents without leaving a trace.

The Full Story

Heartbleed was a serious vulnerability in the popular OpenSSL cryptographic software library. It allowed stealing information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet.

Technical Analysis

Buffer Over-read

  • The Bug: A missing bounds check in the handling of the TLS Heartbeat Extension (RFC 6520).
  • Impact: An attacker could request a heartbeat response that returned up to 64 KB of server memory.
  • Leakage: Repeated requests could dump further memory, potentially revealing private SSL keys, session cookies, and user passwords.
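
The missing bounds check described above, as an added example that is not from the original page or from OpenSSL's code: a simplified heartbeat handler run against a constructed in-process memory image, with the pre-fix behaviour beside the hardened form. The function names, the 20-byte record and the `CONSTRUCTED-SECRET` marker are assumptions for illustration, and the reply omits padding.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16  /* RFC 6520: at least 16 bytes of padding */
#define REC_LEN     20  /* constructed record: 1 type + 2 length + 1 payload + 16 padding */
static const char SECRET[] = "CONSTRUCTED-SECRET";  /* constructed neighbouring data */

/* Pre-fix behaviour: trusts the sender-controlled payload_length field. */
size_t hb_reply_unchecked(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    (void)rec_len;                      /* real record length is never consulted */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, claimed);  /* reads past the record if claimed is too big */
    return 3 + claimed;
}

/* Hardened: check the claimed length against the record, else discard silently. */
size_t hb_reply_checked(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    if (rec_len < 1 + 2 + HB_PADDING) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + claimed + HB_PADDING > rec_len) return 0;
    return hb_reply_unchecked(rec, rec_len, out);  /* length now proven in bounds */
}

/* One request against a memory image where SECRET sits right after the record. */
static size_t simulate(int hardened, uint16_t claimed, uint8_t *out) {
    uint8_t mem[96] = {0};
    if (claimed > 64) claimed = 64;     /* keep the simulation inside its own arrays */
    mem[0] = HB_REQUEST; mem[1] = (uint8_t)(claimed >> 8); mem[2] = (uint8_t)claimed; mem[3] = 'A';
    memcpy(mem + REC_LEN, SECRET, sizeof SECRET - 1);
    return hardened ? hb_reply_checked(mem, REC_LEN, out)
                    : hb_reply_unchecked(mem, REC_LEN, out);
}

size_t reply_len(int h, uint16_t c) { uint8_t out[96] = {0}; return simulate(h, c, out); }

/* Number of SECRET bytes that ended up in the reply. */
size_t leaked_bytes(int h, uint16_t c) {
    uint8_t out[96] = {0}; size_t n = simulate(h, c, out), k = 0;
    while (k < sizeof SECRET - 1 && REC_LEN + k < n && out[REC_LEN + k] == (uint8_t)SECRET[k]) k++;
    return k;
}

int main(void) {
    printf("unchecked, claims 32: %zu secret bytes in reply\n", leaked_bytes(0, 32));
    printf("checked,   claims 32: reply length %zu\n", reply_len(1, 32));
    return 0; }
```

The hardened path rejects any request whose claimed payload plus header and padding exceeds the received record, which is the comparison the vulnerable handler never made.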

Available Modes

  • Offensive: Replicate the attack vector
  • Defensive: Harden systems & patch
  • Analysis: Forensic investigation

Event Timeline

  • 2012: Vulnerability introduced in OpenSSL code.
  • April 2014: Heartbleed publicly disclosed.
  • April 2014: Massive patching effort worldwide.

#Memory Corruption #SSL/TLS #Information Leak