Posted by: bgopi | April 8, 2014

Heart bleed bug

Heart bleed bug is a serious vulnerability (CVE-2014-0160) in OpenSSL crypto, please go to heartbleed for more details. Fix is to update OpenSSL library version to 1.0.1g released yesterday (4/7/14). I tried to understand what is it and how it leaks data in memory,  here it is:

the heartbeat extension is used to check the connection is alive or not. Following snippet is from RFC-6250 : “The Heartbeat Extension provides a new protocol for TLS/DTLS allowing   the usage of keep-alive functionality without performing a  renegotiation and a basis for path MTU (PMTU) discovery for DTLS”.

This heartbeat works in such a way that when client sends heartbeat request message, server responds with the heartbeat response message. While sending the request, one can specify data size and data, max data allowed is 64 KB.  Then server response also contain 64 KB of data. This mechanism can be tricked by saying that you are sending 64 KB data but you really send 1 byte but server responds with 64 KB, your 1byte + 64KB-1 from memory (cooool, isn’t it), it could be sensitive information. And,if multiple requests are made, one may get multiple chunks of data from memory!




Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s


%d bloggers like this: