Monday, 4 December 2017

HIJACKING USER SESSIONS WITH THE HEARTBLEED VULNERABILITY



Week One ↓


Heartbleed (CVE-2014-0160) is a security flaw in the OpenSSL cryptographic software library that allows data protected by SSL/TLS to be read in plain text. Heartbleed abuses a built-in feature of OpenSSL called heartbeat. A client sends a "heartbeat" message to the secure server that asks for more data than it supplied, and the vulnerable server responds with contents of its memory, which can include encryption keys. The vulnerability is called "Heartbleed" because it "bleeds" sensitive information from the server in response to an otherwise valid "heartbeat" message. Attackers exploit this vulnerability to perform session hijacking attacks by stealing cookies (Oriyano, 2016).
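The heartbeat mechanism described above, shown from the defender's side as an added example (not code from the original post or from OpenSSL): a validator for heartbeat records in the RFC 6520 layout (1-byte type, 2-byte payload_length, payload, at least 16 bytes of padding) that applies the bounds check the fixed OpenSSL release added, rejecting any record whose declared payload length does not fit inside the bytes actually received. The sample records in the test are constructed for illustration.

```python
"""Server-side heartbeat record validation (added example, not OpenSSL code).

Field layout and the 16-byte minimum padding follow RFC 6520. The check in
validate_heartbeat() is the one absent from the vulnerable releases: the
declared payload_length must fit within the record that was received, so a
response can never be built from memory beyond the end of the request.
"""
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16   # RFC 6520: padding must be at least 16 bytes
HEADER_LEN = 3     # 1-byte type + 2-byte payload_length


class HeartbeatError(ValueError):
    """Raised when a heartbeat record fails validation."""


def validate_heartbeat(record: bytes) -> bytes:
    """Parse one heartbeat record and return its payload, or raise HeartbeatError."""
    if len(record) < HEADER_LEN + MIN_PADDING:
        raise HeartbeatError("record too short to hold header and padding")
    msg_type, payload_len = struct.unpack("!BH", record[:HEADER_LEN])
    if msg_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        raise HeartbeatError(f"unknown heartbeat type {msg_type}")
    # The Heartbleed condition: the peer declares a payload larger than what it
    # sent. Reject it instead of trusting payload_len when copying memory.
    if HEADER_LEN + payload_len + MIN_PADDING > len(record):
        raise HeartbeatError(
            f"declared payload_length {payload_len} does not fit in a "
            f"{len(record)}-byte record"
        )
    return record[HEADER_LEN:HEADER_LEN + payload_len]


def is_well_formed(record: bytes) -> bool:
    """Boolean wrapper around validate_heartbeat() for callers that just filter."""
    try:
        validate_heartbeat(record)
        return True
    except HeartbeatError:
        return False


def build_response(request: bytes) -> bytes:
    """Echo the validated payload back as a heartbeat_response record.

    Only bytes taken from the validated request are copied into the reply, so
    the response length is bounded by what the client actually sent.
    """
    payload = validate_heartbeat(request)
    header = struct.pack("!BH", HEARTBEAT_RESPONSE, len(payload))
    return header + payload + b"\x00" * MIN_PADDING


if __name__ == "__main__":
    # Constructed sample: a well-formed 5-byte request, then one that declares
    # 65535 payload bytes while carrying only 5.
    good = b"\x01\x00\x05hello" + b"\x00" * MIN_PADDING
    oversized = b"\x01\xff\xffhello" + b"\x00" * MIN_PADDING
    print("good record accepted:", is_well_formed(good))
    print("oversized record accepted:", is_well_formed(oversized))
```

The same check can be expressed as a detection rule on the wire: a heartbeat request whose declared length exceeds the TLS record that carries it should never occur in legitimate traffic and is worth alerting on at the network edge.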

Why is Heartbleed worse than you think?

"It’s simple: the currently-available proof-of-concept scripts allow any client, anywhere in the world, to perform a session hijacking attack on a logged in user" (Sullivan, 2014). The major concern is that a skilled user could craft an exploit that dumps the RSA private key the server uses to communicate with its clients. The level of knowledge and skill required to craft this attack is not particularly high, but it is likely out of reach for the average script kiddie.

Internet Impact Analysis

After the Heartbleed vulnerability was announced, Netcraft performed an analysis based on key parameters of the threat surface. Their analysis suggests that the exposure to Heartbleed today is around 15 percent of all SSL sites, which is over half a million private keys. Of course, different SSL keys warrant different levels of protection based on their value: the private key of an online banking site matters more than, say, that of a news aggregator, and root certificate authority keys are the most prized in the world.

So, who is vulnerable?

The initial Heartbleed announcement indicated which sites are likely safe and which are not.
Fortunately, many large consumer sites are saved by their conservative choice of SSL/TLS termination equipment and software.


COUNTERMEASURE

Generally, the versions of OpenSSL affected by Heartbleed are 1.0.1 through 1.0.1f. Updating OpenSSL to version 1.0.1g or higher resolves the vulnerability. The Heartbleed vulnerability is serious: with almost no effort it allows a remote attacker to perform a session hijacking attack and bypass authentication. Patch your systems immediately.
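To turn the version range above into a repeatable check across a fleet, here is an added example (not code from the original post or from the OpenSSL project) that parses an `openssl version` string and classifies it against the range the post names, 1.0.1 through 1.0.1f, with 1.0.1g and later treated as fixed. The version strings in the test are constructed samples; `local_openssl_version()` runs the real `openssl version` command on the host where the script executes.

```python
"""Classify an OpenSSL version string against the Heartbleed range (added example).

Vulnerable range as stated in the post: 1.0.1 through 1.0.1f.
Fixed: 1.0.1g and later. Anything outside the 1.0.1 series is reported
as not in range (the post does not cover other series).
"""
import re
import subprocess
from typing import Optional, Tuple

# Matches strings such as "OpenSSL 1.0.1e 11 Feb 2013"; the trailing letter
# group captures the patch letter ("" for a bare x.y.z release).
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text: str) -> Tuple[int, int, int, str]:
    """Return (major, minor, patch, letter) from an `openssl version` line."""
    match = VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"not an OpenSSL version string: {text!r}")
    major, minor, patch = (int(match.group(i)) for i in (1, 2, 3))
    return major, minor, patch, match.group(4)


def is_heartbleed_version(text: str) -> bool:
    """True when the version falls in 1.0.1 .. 1.0.1f inclusive."""
    major, minor, patch, letter = parse_openssl_version(text)
    if (major, minor, patch) != (1, 0, 1):
        return False
    # "" is the bare 1.0.1 release; single letters compare alphabetically,
    # so "a".."f" are in range and "g" onward are fixed.
    return letter == "" or letter <= "f"


def local_openssl_version() -> Optional[str]:
    """Run `openssl version` on this host; None if the binary is unavailable."""
    try:
        result = subprocess.run(
            ["openssl", "version"], capture_output=True, text=True, check=False
        )
    except FileNotFoundError:
        return None
    return result.stdout.strip() or None


if __name__ == "__main__":
    version = local_openssl_version()
    if version is None:
        print("openssl binary not found")
    else:
        status = "IN VULNERABLE RANGE" if is_heartbleed_version(version) else "not in range"
        print(f"{version}: {status}")
```

One caveat a practitioner should apply: several Linux distributions shipped the Heartbleed fix as a backported patch while keeping the upstream version string (for example a 1.0.1e base with a patched package revision), so a string-based check like this one flags candidates for review and the vendor's package changelog or security advisory is what confirms whether the host is actually fixed.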


REFERENCES

Oriyano, S.-P. (2016, April 22). CEH v9: Certified Ethical Hacker Version 9 Study Guide (3rd ed.), pp. 179-180.

Sullivan, M. (2014, April 8). Heartbleed Vulnerability. Retrieved from https://www.mattslifebytes.com/?p=533

F5 Networks. Retrieved from https://f5.com/solutions/mitigation/mitigating-openssl-heartbleed


Video Credit: Tutorial Hunting. April 26, 2015



