Slashdot Mirror


Heartbleed Bug Exploited Over Extensible Authentication Protocol

wiredmikey (1824622) writes "While most organizations have patched the Heartbleed bug in their OpenSSL installations, a security expert has uncovered new vectors for exploiting the vulnerability, which can impact enterprise wireless networks, Android devices, and other connected devices. Dubbed 'Cupid,' the new attack method was recently presented by Portuguese security researcher Luis Grangeia, who debunked theories that Heartbleed could only be exploited over TCP connections, and after the TLS handshake. Unlike the initial Heartbleed attack, which took place on TLS connections over TCP, the Cupid attack happens on TLS connections over the Extensible Authentication Protocol (EAP), an authentication framework typically used in wireless networks and peer-to-peer connections.

The researcher has confirmed that default installations of wpa_supplicant, hostapd, and freeradius (RADIUS server implementation) can be exploited on Ubuntu if a vulnerable version of OpenSSL is utilized. Mobile devices running Android 4.1.0 and 4.1.1 also use wpa_supplicant to connect to wireless networks, so they're also affected. Everything that uses OpenSSL for EAP TLS is susceptible to Cupid attacks. While he hasn't been able to confirm it, the expert believes iPhones, iPads, OS X, other RADIUS servers besides freeradius, VoIP phones, printers, and various commercial managed wireless solutions could be affected."

7 of 44 comments

  1. Lots of things can be exploited. by ls671 · · Score: 4, Insightful

    Of course, lots of things can be exploited if you have a vulnerable version of OpenSSL running ;-)

    Simple solution is to patch it although it might be harder on some devices.

    --
    Everything I write is lies, read between the lines.
  2. What? Bad interpretations by UnknowingFool · · Score: 4, Informative

    the expert believes iPhones, iPads, OS X, other RADIUS servers besides freeradius, VoIP phones, printers, and various commercial managed wireless solutions could be affected

    Nowhere on his page does the researcher say anything remotely like this. It's a really bad interpretation as he does not list any VoIP or printers or Apple products. Specifically to be vulnerable to this attack, the product must use a vulnerable version of OpenSSL. Certainly Apple does not use OpenSSL and there are other products that do not.

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.
    1. Re:What? Bad interpretations by sessamoid · · Score: 4, Funny

      the expert believes iPhones, iPads, OS X, other RADIUS servers besides freeradius, VoIP phones, printers, and various commercial managed wireless solutions could be affected

      Nowhere on his page does the researcher say anything remotely like this. It's a really bad interpretation as he does not list any VoIP or printers or Apple products. Specifically to be vulnerable to this attack, the product must use a vulnerable version of OpenSSL. Certainly Apple does not use OpenSSL and there are other products that do not.

      If you post about a vulnerability and forget to mention the word "Apple" (whether or not it's even relevant), you just gave up tens of thousands of clicks.

      --
      "No, no, no. Don't tug on that. You never know what it might be attached to."
  3. Re:Should have upgraded Openssl by Grantbridge · · Score: 5, Insightful

    Some android phones cannot be updated without rooting them, if the manufacturer hasn't released an update.

  4. Re:Should have upgraded Openssl by TechyImmigrant · · Score: 3, Insightful

    So get an unlocked phone and install CM. They're readily available.
    That's not an Android problem. That's a carrier problem. At least with Android you can do something about it.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  5. Re:Confused by TechyImmigrant · · Score: 3, Informative

    If your back end RADIUS server is running EAP and EAPoL on some unixy box, then Apple get no say in what version of OpenSSL may be used. The device is just the conduit. That's the point of RADIUS+EAP+EAPoL.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  6. Re:Should have upgraded Openssl by mlts · · Score: 3, Informative

    It really depends on the phone. The HTC phone I bought recently has ROMs available before it officially went on sale. In fact, some unofficial ROMs like CM can have support and updates for a long time after the phone has been discontinued. (I bought the HTC phone because it has plenty of disk space, and it had a MicroSD slot, and with a quick app, the SELinux profile allowed for older apps to work with the external card without issue.)

    I wouldn't discount Android just yet. Instead, I'd just be careful what model I buy, and watch features/specs.

    If an SD card doesn't matter, a Nexus or GPE (Google Play Experience) device almost certainly will have the ability to unlock the bootloader in the future, so that may be the way to go.