Slashdot Mirror


Heartbleed Used To Bypass 2-Factor Authentication, Hijack User Sessions

wiredmikey (1824622) writes "Security nightmares sparked by the Heartbleed OpenSSL vulnerability continue. According to Mandiant, now a unit of FireEye, an attacker was able to leverage the Heartbleed vulnerability against the VPN appliance of a customer and hijack multiple active user sessions. The attack bypassed both the organization's multifactor authentication and the VPN client software used to validate that systems connecting to the VPN were owned by the organization and running specific security software.

"Specifically, the attacker repeatedly sent malformed heartbeat requests to the HTTPS web server running on the VPN device, which was compiled with a vulnerable version of OpenSSL, to obtain active session tokens for currently authenticated users," Mandiant's Christopher Glyer explained. "With an active session token, the attacker successfully hijacked multiple active user sessions and convinced the VPN concentrator that he/she was legitimately authenticated."

After connecting to the VPN, the attacker attempted to move laterally and escalate his/her privileges within the victim organization, Mandiant said."
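The submission describes the mechanism only in outline: heartbeat requests whose declared payload length exceeds what the record actually carries, sent repeatedly until session tokens turn up in the leaked memory. The following is an added example, not code from the Slashdot post or from Mandiant, showing how a defender can check captured TLS records for exactly that length mismatch (the RFC 6520 condition) and flag sources that send it repeatedly. The record bytes and IP addresses are constructed for illustration.

```python
import struct
from collections import Counter

TLS_HEARTBEAT = 0x18   # TLS record content type for heartbeat (RFC 6520)
HB_REQUEST = 1         # heartbeat_request; 2 would be heartbeat_response
MIN_PADDING = 16       # RFC 6520 minimum padding that follows the payload


def check_heartbeat_record(record: bytes) -> dict:
    """Parse one TLS record and report whether it is a heartbeat whose
    declared payload_length exceeds the bytes the record really carries."""
    if len(record) < 5:
        return {"heartbeat": False, "reason": "truncated record header"}
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != TLS_HEARTBEAT:
        return {"heartbeat": False, "reason": "not a heartbeat record"}
    body = record[5:5 + rec_len]
    if len(body) < 3:
        # Not even a heartbeat header: treat as malformed.
        return {"heartbeat": True, "request": True, "declared": None,
                "available": 0, "suspicious": True}
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    # RFC 6520: the receiver must silently discard the message when
    # payload_length + 3 (header) + 16 (min padding) > record length.
    # A patched OpenSSL does this; a vulnerable one copies payload_len
    # bytes from its own memory into the response instead.
    available = len(body) - 3 - MIN_PADDING
    return {
        "heartbeat": True,
        "request": hb_type == HB_REQUEST,
        "declared": payload_len,
        "available": max(available, 0),
        "suspicious": payload_len > available,
    }


def flag_sources(records, threshold=3):
    """records: iterable of (src_ip, raw_tls_record) pairs, e.g. from a
    capture. Return the set of sources that sent at least `threshold`
    malformed heartbeat requests (the 'repeatedly sent' pattern)."""
    hits = Counter()
    for src, raw in records:
        verdict = check_heartbeat_record(raw)
        if verdict.get("suspicious") and verdict.get("request"):
            hits[src] += 1
    return {src for src, n in hits.items() if n >= threshold}


# Constructed sample records (not real captures): a well-formed request
# with a 2-byte payload, and one claiming 16384 bytes while carrying none.
BENIGN = b"\x18\x03\x02\x00\x15" + b"\x01\x00\x02" + b"hi" + b"\x00" * MIN_PADDING
MALFORMED = b"\x18\x03\x02\x00\x03" + b"\x01\x40\x00"
```

Run over a decrypted or pre-handshake capture, `flag_sources` gives the per-source alert the incident description implies; the real mitigation remains patching OpenSSL and re-issuing any session tokens that may have been in the process memory.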

2 of 59 comments

  1. Re:News: Not just webservers use OpenSSL! by Gaygirlie · Score: 3, Informative

    Speaking of routers, DD-WRT is vulnerable, but only if you use its VPN-service. It doesn't use OpenSSL for anything else, and if the VPN-service isn't enabled then there's not even that.

  2. Re:Is it just me, or is this just insane? by EvilSS · Score: 3, Informative

    ...researchers independently retrieved the private keys from the intentionally-vulnerable NGINX server...

    Intentionally vulnerable - so this wasn't a bug in the NGINX server, it was a feature, right?

    They put up a publicly accessible NGINX server with the vulnerable version of OpenSSL to see if anyone could get the private keys from it (they thought that this was not possible from their internal testing). It only took a few hours before they were proven wrong. At the time they had already patched the rest of their systems to address the Heartbleed vulnerability.

    --
    I browse on +1 so AC's need not respond, I won't see it.