Slashdot Mirror

← Back to Stories (view on slashdot.org)

Heartbleed Used To Bypass 2-Factor Authentication, Hijack User Sessions

Posted by timothy on from the bleeding-from-the-ears dept.

wiredmikey (1824622) writes "Security nightmares sparked by the Heartbleed OpenSSL vulnerability continue. According to Mandiant, now a unit of FireEye, an attacker was able to leverage the Heartbleed vulnerability against the VPN appliance of a customer and hijack multiple active user sessions. The attack bypassed both the organization's multifactor authentication and the VPN client software used to validate that systems connecting to the VPN were owned by the organization and running specific security software.

"Specifically, the attacker repeatedly sent malformed heartbeat requests to the HTTPS web server running on the VPN device, which was compiled with a vulnerable version of OpenSSL, to obtain active session tokens for currently authenticated users," Mandiant's Christopher Glyer explained. "With an active session token, the attacker successfully hijacked multiple active user sessions and convinced the VPN concentrator that he/she was legitimately authenticated."

After connecting to the VPN, the attacker attempted to move laterally and escalate his/her privileges within the victim organization, Mandiant said."

59 comments

  1. NSA is so annoyed right now by Noah+Haders · · Score: 0

    that one of their favorite exploits got outed. Was this an intentional vulnerability, like RSA?

    1. Re:NSA is so annoyed right now by Severus+Snape · · Score: 1

      We all love a bit of conspiracy but it was not intentionally malicious. Simple mistake by some professor.

    2. Re:NSA is so annoyed right now by BitcoinBenny · · Score: 1

      This doesn't negate the fact that this was their favorite vulnerability. Realistically most intelligence services probably new about this shortly after that commit.

    3. Re:NSA is so annoyed right now by Severus+Snape · · Score: 3, Insightful

      This doesn't negate the fact that this was their favorite vulnerability. Realistically most intelligence services probably new about this shortly after that commit.

      How so was it their "favorite vulnerability"? Is there even a shread of evidence linking them with it? Exploits exist in code - we found a big bad one - great. Many white hats will have looked at the code and not noticed the flaw. That doesn't mean the NSA were using it. I'm not for a moment saying the NSA wouldn't use a similar exploit but there's nothing special about Heartbleed.

    4. Re:NSA is so annoyed right now by the+eric+conspiracy · · Score: 1

      I don't thing NSA knew about it. Somebody would have caught the unusual requests.

    5. Re:NSA is so annoyed right now by Anonymous Coward · · Score: 2, Interesting

      That guy RS is not a professor, but has a PhD in applied informatics.

      We here in Germany no longer believe it was unintentional though, because the particular department where he works at T-Systems (the IT daughter of Deutsche Telekom), also did the remote maintenance for DLR, the German Aerospace Center, that coincidentally reported it's been hacked.

    6. Re:NSA is so annoyed right now by Anonymous Coward · · Score: 0

      Since you didn't find it either, will you be leading the exodus back to M$ and Windowsville?

    7. Re:NSA is so annoyed right now by Anonymous Coward · · Score: 0

      http://it.slashdot.org/story/14/04/10/2235225/heartbleed-coder-bug-in-openssl-was-an-honest-mistake?sdsrc=popbyskid

    8. Re:NSA is so annoyed right now by BitcoinBenny · · Score: 3, Insightful

      I don't think so. This is a high value vulnerability, you keep it in the back pocket. Especially since it has demonstrated key extrication and affects a large number of hardware and software platforms.

    9. Re:NSA is so annoyed right now by Anonymous Coward · · Score: 2, Interesting

      Didn't the problem come about by OpenSSL doing it's own memory handling because some people's OS had slow memory management? Sounds like an excuse to have mistakes that bypass other kinds of checks.

    10. Re:NSA is so annoyed right now by Anonymous Coward · · Score: 3, Interesting

      On Windows, there are probably three billion apps each with their own copy of openssl.dll, many of which will never be updated. I remember when some serious zlib bug was announced years ago, I found about 30 copies of zlib.dll on my Windows machine, all of which had to be independently replaced with a patched version.

    11. Re:NSA is so annoyed right now by Anonymous Coward · · Score: 0

      I already am on Windows you insensitive clod!

    12. Re:NSA is so annoyed right now by houghi · · Score: 1

      And even if they were, it does not mean it was their favorite. Perhaps there is something out there that they like even more. Talking about code, not 'social engeneering'.

      --
      Don't fight for your country, if your country does not fight for you.
    13. Re:NSA is so annoyed right now by asdf7890 · · Score: 2

      Somebody would have caught the unusual requests.

      Not if they were careful about it. Someone with access to credit cards details in mind would get it discovered pretty quickly as they would be poking everywhere as quickly as they could in order to try get information so they could get as much out of the flaw as quickly as they could. This is more likely to be seen as there would be unusual amounts of traffic. But a security agency trying to find a VPN's private key? Where the VPN isn't employing FPS techniques the time you have to perform the attack it pretty long so they could easily have managed some useful penetration with much more subtle traffic, that would just look like background noise. OK so they wouldn't get something nearly as quickly that way, but a good security service plays the long game instead of looking for quick wins. Heck, even a burst of traffic would be written off by many as a random DoS attempt or some fool with a misconfigured client, so someone could have used this maliciously in bulk a few times without raising significant suspicions that would lead people to dig in and find the flaw they were trying to exploit..

      This doesn't mean that the NSA did, or that they even knew about the flaw, but it means if they did know about it they certainly could have (and most probably would have) made good use of it without anyone suspecting.

    14. Re:NSA is so annoyed right now by amiga3D · · Score: 1

      I always thought Windows OS was their favorite vulnerability?

    15. Re:NSA is so annoyed right now by Anonymous Coward · · Score: 0

      Good point, I believe they can patch it here http://slproweb.com/download/Win32OpenSSL_Light-1_0_1g.exe

      They would need to copy libeay32.dll ssleay32.dll and libssl.dll and overwrite all copies on their system, not just in the windows\system folder

    16. Re:NSA is so annoyed right now by AHuxley · · Score: 1

      Re Somebody would have caught the unusual requests.
      If a gov wants to sit between you and your site, the logs of your site would reflect whatever the gov wants.
      They have man in the middle, fake sites and efforts like TURBINE would show very little skilled, attentive admins.
      http://www.dailytech.com/Tax+a...

      --
      Domestic spying is now "Benign Information Gathering"
    17. Re:NSA is so annoyed right now by Anonymous Coward · · Score: 0

      Did you really believe it when you were told you were the favorite child?

    18. Re:NSA is so annoyed right now by WinstonWolfIT · · Score: 1

      new? shread?

    19. Re:NSA is so annoyed right now by the+eric+conspiracy · · Score: 1

      Lots of people keep server logs around for a long time. Now that the requests that cough up private keys have been identified I would think that hack attempts would have been identified by now, just like the ones that are the subject of this story.

      They haven't been.

    20. Re:NSA is so annoyed right now by Anonymous Coward · · Score: 0

      Yep, did Eddy Snowden's powerpoints not contain slides boasting of the NSA's ability to break VPN?

  2. Is it just me, or is this just insane? by mmell · · Score: 1

    ...researchers independently retrieved the private keys from the intentionally-vulnerable NGINX server...

    Intentionally vulnerable - so this wasn't a bug in the NGINX server, it was a feature, right?

    1. Re:Is it just me, or is this just insane? by qha · · Score: 1

      "intentionally-vulnerable" in your quote referrs to the intentions of Cloudflare in installing Nginx on top of a vulnerable Openssl installation.

    2. Re:Is it just me, or is this just insane? by EvilSS · · Score: 3, Informative

      ...researchers independently retrieved the private keys from the intentionally-vulnerable NGINX server...

      Intentionally vulnerable - so this wasn't a bug in the NGINX server, it was a feature, right?

      They put up a publicly accessible NGINX server with the vulnerable version of OpenSSL to see if anyone could get the private keys from it (they thought that this was not possible from their internal testing). It only took a few hours before they were proven wrong. At the time they had already patched the rest of their systems to address the Heartbleed vulnerability.

      --
      I browse on +1 so AC's need not respond, I won't see it.
  3. Okay, but WHEN by XanC · · Score: 1

    Was this before the public disclosure, or after?

    1. Re:Okay, but WHEN by Anonymous Coward · · Score: 0

      Too busy to click the linked articles?

    2. Re:Okay, but WHEN by XanC · · Score: 1

      No. The linked article doesn't say. I did click on a link to the company's blog from the linked article and found it. Such critical information should have been both in the page that /. linked to and in the /. summary!

      tl;dr: This took place AFTER the public disclosure, but not by much: it seems it was April 8th.

  4. News: Not just webservers use OpenSSL! by Nanoda · · Score: 5, Insightful

    News: Not just webservers use OpenSSL!

    No kidding. My Synology NAS had a same-day update to patch this - my custom router firmware needed updating too. If there's a story for every device someone forgot might contain OpenSSL code, it's going to be a busy month.

    1. Re:News: Not just webservers use OpenSSL! by Gaygirlie · · Score: 3, Informative

      Speaking of routers, DD-WRT is vulnerable, but only if you use its VPN-service. It doesn't use OpenSSL for anything else, and if the VPN-service isn't enabled then there's not even that.

    2. Re:News: Not just webservers use OpenSSL! by hax4bux · · Score: 1

      Thanks for that info. I haven't had time to look.

    3. Re:News: Not just webservers use OpenSSL! by Demonantis · · Score: 2

      Thank you. This is good to know. I used, https://filippo.io/Heartbleed/, to test my web facing services. No affiliation. I found it through Google.

    4. Re:News: Not just webservers use OpenSSL! by Anonymous Coward · · Score: 1

      News: Not just webservers use OpenSSL!

      Yup.

      Although, this article is about a device that uses https on port 443 to set up a vpn, so I would still call it a webserver.

      Common non-webservers would be SMTP servers that use OpenSSL for STARTTLS, along with POP and IMAP servers.

    5. Re:News: Not just webservers use OpenSSL! by asdf7890 · · Score: 2

      The key thing to note is that the main vulnerability here is through the use of OpenVPN with an affected SSL library. IIRC OpenVPN is only affected when used in "pre shared key" mode instead of using client certificates (which is the recommended way of running things anyway), so there is further mitigation there (but anyone using OpenVPN needs to check they config and confirm that the server end (if using another party for that) has done so too.

      There are other parts of DD-WRT that could potentially be a problem too (tor particularly as it runs a listening service) if you have them turned on. See their own advisory for more details: http://www.dd-wrt.com/site/con....

    6. Re:News: Not just webservers use OpenSSL! by colfer · · Score: 1

      Yes, LiteSpeed web server, a common drop-in replacement for Apache, had the bug even when the shell of a LAMP stack did not. LS patched it.

      If this bug had been in 0.9.8 the web would be in a real disaster now. Many web ISP's stay behind a few versions on the stack. I've got one that runs the oldest PHP version still in release. That's a bit extreme. So the bug hit more big companies.

    7. Re:News: Not just webservers use OpenSSL! by colfer · · Score: 1

      In other words, you could not detect the bug by looking at "openssl version" at the shell prompt, or looking for the openssl version in phpinfo().

  5. Modern security model horribly broken. by Anonymous Coward · · Score: 1

    It seems completely obvious to me that each authenticated session to any remote server should be running as a separate user. There is something so fundamentally wrong about any security model where it is possible for the code executing for one user to access data private to another user.

    1. Re:Modern security model horribly broken. by flyingfsck · · Score: 1

      SELinux or Apparmor will prevent that, but it is usually not installed on embedded systems.

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
    2. Re:Modern security model horribly broken. by Anonymous Coward · · Score: 0

      It sounds like the attacker used HeartBleed to gain access to an authenticated user's account and then tried to escalate their stolen users account privileges after that.

    3. Re:Modern security model horribly broken. by ledow · · Score: 0

      It doesn't matter how clever you are... at some point, some session will have to run with more privileges than the user in order to be able to do something.

      Or, as here, the session gets taken over as "just a user" and steals all their data / credentials anyway and tries to move deeper by finding more.

      The problem of privilege separation can be fixed today, the tools are there. The problems described here aren't helped or hindered by privilege separation.

      To be honest, what you have to have is an enormously fine-grained permission system no matter what, and that - in itself - is a recipe for disaster. Eventually you get to the point where you need to deploy tools to find out what permissions are given as certain users because it gets so complex.

      Or you could just patch when a problem is noted, especially when it involves your SSL library.

  6. SSL - TLS by Anonymous Coward · · Score: 0

    This is why a competent VPN will run ipsec and not some silly little ssl - tls implementation that allows a session token that can be copied.

  7. I missed that. by mmell · · Score: 1

    So they were merely confirming how bad bad could get by proving that technology that relies on OpenSSL is vulnerable. Okay, thanks. I suppose there are a lot of people who might try denying that - I've already heard people muttering that the firms which are vulnerable to this exploit should have a workaround in place. This demonstration could well serve as an example of just how difficult that could be, as well as how wide-reaching the problem is.

    1. Re:I missed that. by Anonymous Coward · · Score: 0

      Hopefully you don't work in tech, or a field that requires basic reading skills.

  8. not enough evidence against conspiracy theory by SethJohnson · · Score: 3, Interesting

    I'm not convinced this wasn't an intentional effort to backdoor OpenSSL.

    Code was submitted on new year's eve. A moment when the fewest people would be available to review it. Many people are on vacation and likely to gloss over the pile of code submitted while they were gone.

    Just because he's a professor doesn't mean he wasn't compromised. A common page out of spycraft textbook would be to get an agent to seduce the professor and then document his infidelity. With this hanging over his head, he'll plant the requested vulnerability and even after it's discovered, he'll stick to the cover story to prevent those photos from being sent to his wife. For further reading on this topic, see the wikipedia page on Julian Assange.

    --
    $5 / month hosted VPS on linux = awesome!
    1. Re:not enough evidence against conspiracy theory by Anonymous Coward · · Score: 0

      It's easier just to pay them. "Heres 10k. Do this thing. Or we destroy your life."

    2. Re:not enough evidence against conspiracy theory by Anonymous Coward · · Score: 0

      Code was submitted on new year's eve. A moment when the fewest people would be available to review it. Many people are on vacation and likely to gloss over the pile of code submitted while they were gone.

      One of us clearly has the wrong image of security concious developers. I want to believe that a developer for an important security related project would put any existing deadline on hold until the code was properly reviewed. That it wouldn't matter how large the backlog was.

      Considering that the bug existed, it is possible that I am the one who was mistaken, not you...

      A common page out of spycraft textbook would be to get an agent to seduce the professor and then document his infidelity.

      It's easier to find people with bad debts, or with family members that have bad debts, and offer to pay them. If you manage to convince the person that you are on their side in some way then they will not only help you, but they will also believe in your cause enough to protect you from others. If you threaten them then you may have control over them for the moment, but you still know that they will turn against you whenever you stop watching.

      If you are able to turn one professor, you could also start to turn other professors more easily (inside information regarding debts etc). That way, you get long-term assets which can help other parts of your organization (if you are willing to risk spreading info about their cooperation).

  9. Schneier's 11 was well-justified by SuperKendall · · Score: 5, Interesting

    Lots of people scoffed at Bruce Schneier for saying Heartbleed is an 11 on the 1-10 scale... I agree that sometimes he goes overboard but this is not one of those times, and the attack mentioned in the article demonstrates this.

    The summary is a little muddled on what happened here, but if you follow the link you'll find this is not a security test or a research group showing something could theoretically be done. This is a real live company somewhere just using a VPN many other companies probably use, that had over the course of many hours multiple VPN session hijacked and made use of. That is a huge deal, if one person can do this you can almost bet there is a script somewhere that even the great unwashed hacker masses can make use of.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  10. More than just heartbleed here by Anonymous Coward · · Score: 0

    Session token as an authenticator isn't multifactor. If I can resume your VPN session from a different IP than you established the link then it sounds like time to rethink how you are doing session management.

    1. Re:More than just heartbleed here by asdf7890 · · Score: 1

      While it won't happen in the vast majority of cases, so you could implement a client address lock as an option, there are a number of valid reasons why a session might jump from one address to another.

  11. The clods are so annoyed right now by Anonymous Coward · · Score: 0

    I already am on Windows you insensitive clod!

    Searching... About 1,250,000 results.

    The best option would obviously be a beowulf cluster of Natalie Portmans eating some hot grits, you insensitive clod! I only use trackpads, you insensitive clod! I'm self-employed, you insensitive clod! It is summer here, you insensitive clod! I don't have a car, you insensitive clod! I'm Amish, you insensitive clod! I'm self-unemployed, you insensitive clod! I have no SuperDrive, you insensitive clod! I live on zero dimensions, you insensitive clod! I'm a nudist, you insensitive clod! It's Heineken, you insensitive clod! I don't use local storage, you insensitive clod! :I am on my Windows machine you insensitive clod! I'm English you insensitive clod! I don't need more job competition, you insensitive clod! I am a phd candidate working in an university lab, you insensitive clod! I live in Australia, you insensitive clod! People are continuous, you insensitive clod! A pre-emptive 'you insensitive clod' comment. :I use Dvorak, you insensitive clod! one way to look at a thing, and it's "MY" way you insensitive clod! Bots need to catch up on their favorite shows too, you insensitive clod! I' m a third grader, you insensitive clod! I have never said 'you insensitive clod!' in a post that I remember... I'm in marketing, you insensitive clod! Brine is delicious, you insensitive clod! hey, I still work as a government contractor, you insensitive clod! I don't watch TV you, insensitive clod! Neither I have a TV, you insensitive clod! Neither I use english grammar you, insensitive clod! Engrish is not my language, you, insensitive, clod! That's Japan you insensitive CLOD! I don't think the Mongolians would appreciate you calling them 'aliens', you insensitive clod! I USE IE, YOU INSENSITIVE CLOD!! listens to Zulu chants on a purple Zune all day long and snorts without a whistle when I 'laugh', you insensitive clod! I'm still on 28.8kbps dial-up you insensitive clod! bla bla bla 300bps you insensitive clod! I can't afford to go on vacation, you insensitive clod! In Soviet Sicily, the story confirms YOU, you insensitive CLOD! I can do that without cocaine, you insensitive clod! Hey, I love feta you insensitive clod! I'm from Poland, you insensitive clod! Senior citizens can date too you insensitive clod! I dont eat corn you insensitive clod! I don't have a "you insensitive clod!" button, you insensitive clod! I'm a bald physicist, you insensitive clod! I eat two donuts at a time, you insensitive clod! I am cloud-intensive, you insensitive clod! I'm a homophobic straight male, you insensitive clod! :I use a Mac you insensitive clod! No car, you insensitive clod! Some users will also refer to seemingly innocent remarks by correcting them and adding "you insensitive clod!" to the statement... But I take my shit in the mornings, you insensitive clod!

  12. thanks a lot you open source bozos... by Anonymous Coward · · Score: 0

    many eyes, my ass.

  13. Mitigation by duke_cheetah2003 · · Score: 2

    Just as a side note, for any corporate intranet with VPN and web servers facing the outside world, it really is a good idea to isolate your various services, so if one is compromised, the others aren't. This is a classic example of why you should do that: If the web server and VPN were on separate VM's, heartbleed fishing through the web server wouldn't have exposed the VPNs keys.

    I wish I could afford to practice that myself, I unfortunately lump all my internet facing services on one VM, but for a corporation with more assets, it really is a cheap way to cover your butt.

    1. Re:Mitigation by Anonymous Coward · · Score: 0

      " This is a classic example of why you should do that:"

      No it isn't. This was a SSL VPN device. The VPN device itself was the web service and the target. VMs would do absolutely nothing to address this and only lead to worse performance.

      The biggest security vulnerability is assumption and a lack of attention to detail. This is why security is hard.

  14. Why not? by mmell · · Score: 1

    Please be specific. Try to express yourself with more than a thinly veiled one-line ad hominem statement. Written exposition demonstrating linguistic and reasoning skills appropriate to an adult would also be desirable.

  15. Lesson 1 by viperidaenz · · Score: 1

    Your application server shouldn't be running SSL.

    I can't think of one good reason to expose your application server to the internet.

  16. Has the bug been fixed or not by Stan92057 · · Score: 1

    Has the bug been fixed or not? Or is this a case of poor security management by not applying the fix??

    --
    Jack of all trades,master of none
  17. Not obvious enough? by Anonymous Coward · · Score: 0

    OpenBSD supplied 250 commits in a week.

    Who else thinks the NSA doesn't find shit like this on a daily basis?