
HeartBleed Aftermath Part 1

June 10, 2014 by Ixia Blog Team

On June 4, 2014, not even two months after the Heartbleed bug was discovered, Codenomicon, the same security firm that uncovered Heartbleed, discovered another critical flaw inside the GnuTLS cryptographic library [2]. Although GnuTLS is not as widely used as OpenSSL, the vulnerability, tracked as CVE-2014-3466 [3], exposes a very large number of Linux distributions and applications to drive-by attacks.

Essentially, due to improper bounds validation of the session ID field, a memory corruption occurs on the client side when it parses a malicious TLS ServerHello message, which can lead to remote code execution on vulnerable machines [4]. The upgrade recommendation for mitigating the bug has been published on the GnuTLS maintainers' site [5].
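To make that defect class concrete, here is an added illustration (our own example code, not GnuTLS's): a simplified ServerHello parser in C that applies the two bounds checks a client must make before copying the session ID into its fixed 32-byte field. The struct, function names and the constructed messages are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define TLS_MAX_SESSION_ID_LEN 32   /* RFC 5246: SessionID is <0..32> bytes */

/* Hypothetical, simplified ServerHello record (not GnuTLS's own type). */
typedef struct {
    uint16_t version;
    uint8_t  random[32];
    uint8_t  session_id_len;
    uint8_t  session_id[TLS_MAX_SESSION_ID_LEN];   /* fixed-size copy target */
    uint16_t cipher_suite;
    uint8_t  compression;
} server_hello_t;

/* Parse a ServerHello body (bytes after the 4-byte handshake header).
 * Returns 0 on success, -1 if the message is truncated or the advertised
 * session ID length cannot be honoured without overrunning a buffer. */
int parse_server_hello(const uint8_t *buf, size_t len, server_hello_t *out)
{
    if (len < 2 + 32 + 1) return -1;                  /* version + random + len byte */
    out->version = (uint16_t)((buf[0] << 8) | buf[1]);
    memcpy(out->random, buf + 2, 32);
    size_t pos = 34;
    out->session_id_len = buf[pos++];
    /* The bounds check: the length byte must fit the fixed 32-byte field AND
     * that many bytes must actually be present in the received message. */
    if (out->session_id_len > TLS_MAX_SESSION_ID_LEN) return -1;
    if (len - pos < out->session_id_len) return -1;
    memcpy(out->session_id, buf + pos, out->session_id_len);
    pos += out->session_id_len;
    if (len - pos < 3) return -1;                     /* cipher suite + compression */
    out->cipher_suite = (uint16_t)((buf[pos] << 8) | buf[pos + 1]);
    out->compression = buf[pos + 2];
    return 0;
}

/* Constructed test message: we pick the length byte and how many session ID
 * bytes really follow it, so claimed and actual sizes can disagree. */
int parse_constructed(uint8_t claimed_len, size_t present)
{
    uint8_t buf[96]; server_hello_t sh; size_t pos = 0;
    buf[pos++] = 0x03; buf[pos++] = 0x03;             /* TLS 1.2 */
    memset(buf + pos, 0xAB, 32); pos += 32;           /* constructed random */
    buf[pos++] = claimed_len;
    memset(buf + pos, 0x11, present); pos += present; /* present <= 58 fits buf */
    buf[pos++] = 0xC0; buf[pos++] = 0x2F; buf[pos++] = 0x00;
    return parse_server_hello(buf, pos, &sh);         /* 0 = accepted, -1 = rejected */
}
```

A well-formed hello with an 8-byte or 32-byte session ID is accepted; a length byte above 32, or one that claims more bytes than the message carries, is rejected before any copy happens.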

The Ixia ATI (Application and Threat Intelligence) team has always striven to emulate the latest threats as they appear. We implemented the Heartbleed attack two days after it was initially uncovered [6], and you can find the strike implementing the GnuTLS attack in our latest release, within a week of its discovery. The strike synthesizes a harmless variant of the attack that triggers the memory corruption without compromising vulnerable systems. This provides a good way to assess the security posture of test and production environments alike.

On June 5, another six vulnerabilities were reported in OpenSSL. Two of them, CVE-2014-0224 and CVE-2014-0195, allow man-in-the-middle attacks and remote code execution respectively [7]. The Snowden leaks, although a very controversial topic, certainly provided significant evidence that high-level state agencies tampered with the very backbone of Internet security. In November 2013 on Capitol Hill, Bruce Schneier stated that “in its haste to weaponize the Internet, the NSA has broken its mechanisms of security” and that the surveillance methods employed “will be tomorrow's doctoral theses and next week's Science Fair projects.” [8] Given the very high profile of the Heartbleed bug and the resulting fixes put in place, many people thought that was the end of it. But armed with the certainty provided by the Snowden leaks, it seems that security researchers and criminals alike are barely getting started.

Leverage Subscription Service to Stay Ahead of Attacks

The Ixia BreakingPoint Application and Threat Intelligence (ATI) program provides bi-weekly updates of the latest application protocols and attacks for use with Ixia platforms.

Additional Resources:

View Ixia’s Full ATI Protocol List

[1] https://www.schneier.com/blog/archives/2014/04/heartbleed.html

[2] http://thehackernews.com/2014/06/critical-gnutls-flaw-leaves-ssl-clients.html

[3] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3466

[4] http://radare.today/technical-analysis-of-the-gnutls-hello-vulnerability/

[5] http://www.gnutls.org/security.html

[6] http://blogs.ixiacom.com/ixia-blog/implementing-the-heartbleed-attack/

[7] http://www.symantec.com/connect/blogs/openssl-patches-critical-vulnerabilities-two-months-after-heartbleed

[8] http://arstechnica.com/tech-policy/2013/11/schneier-tells-washington-nsa-broke-internets-security-for-everyone/