Codenomicon Ltd.
Säkerhetsdagen, Göteborg
Heartbleed discovery
Tomi Väisänen, Account Executive
2014-09-18
Disclaimer
• This is a high-level presentation with low technical content
• The information is based on interviews with the relevant people
• The information is presented from Codenomicon's point of view
Why does software fail?
• Oulu University Secure Programming Group
• Protos 1996
• Testing ASN.1 1999
• Realising the scale
There are vulnerabilities
– MIME in 1998
– ASN.1/SNMP in 2001/2002
– Apache IPv6-URI 2004
– Image formats in 2005
– XML libraries in 2009
– Linux Kernel IPv4 and SCTP in 2010
– strongSwan in 2012
– OpenSSL and GnuTLS in 2004, 2008, 2012 and 2014
• ASN.1 1999-2002
• Multiple vulnerabilities
Codenomicon 2014
• Known: Appcheck – scanning of applications for open source components and known vulnerabilities in them
• Unknown: Defensics – robustness and security testing
• What others already know: AbuseSA – situational awareness for protection of critical infrastructure
Subtle faults
• A user was able to access the server with bogus IKEv2 credentials => authentication bypass
2014-04-02: Wednesday night
• New build of the SafeGuard feature installed and put into nightly test runs against OpenSSL
• During the night between April 2nd and April 3rd, multiple alerts were raised by the Defensics SafeGuard feature
2014-04-03: Thursday noon
• Further discussion and assessment of the alerts
• New custom anomaly created to verify severity
2014-04-03: Thursday afternoon
• CROSS = Codenomicon Robust Open Source Software
• CROSS report written and sent to NCSC-FI for review
2014-04-03: Thursday late evening
• New build of Defensics SafeGuard created and sent to NCSC-FI for verifying the vulnerability
• Thursday night: NCSC-FI verified the finding, and verified that it also leaks PKI material (severity level much higher)
Friday through Sunday
• Q&A prepared
• Heartbleed.com reserved
• Crisis communication prepared with CERT-FI to handle potential media queries and ensure correctness of the message
• CERTs and open source communities around the world work round the clock patching systems in silence
2014-04-07
• OpenSSL releases information and Heartbleed becomes known
• Heartbleed.com is launched
• Media stories are carefully monitored
• A lot of work around the world and through communities to ensure this is taken seriously and the message is correct
Days after public disclosure by OpenSSL
[Chart: Visitors to heartbleed.com, April 7th to April 12th; y-axis 0 to 1,000,000 visitors]
[Chart: Vulnerability scanning observed from number of countries, April 8th to April 20th; y-axis 0 to 25 countries; annotation: Proof-of-concept for 16kb]
[Chart: Vulnerability scanning observed from number of countries, April 8th to April 20th; y-axis 0 to 25 countries; annotation: Proof-of-concept for 64kb]
[Chart: Vulnerability scanning observed from number of countries, April 8th to April 20th; y-axis 0 to 25 countries; annotation: Botnet integration]
Today 2014-09-18
• Heartbleed scanning still ongoing in the wild
• SafeGuard released in Defensics
• SafeGuard checks implemented for other protocols as well
• Appcheck alerts on usage of vulnerable libraries in software
Summary
• Heartbleed was discovered through normal development procedures
• SafeGuard checks are part of Defensics
• Appcheck alerts on usage of vulnerable libraries in software
• Codenomicon technology helps buyers to raise product security requirements
Questions for Audience
• Have you identified all client-side code that uses OpenSSL?
• Have you checked whether your VPN or mesh networks use OpenSSL?
• Have you checked whether any of your connected devices are using OpenSSL?
• Have you checked whether your back-end systems are using OpenSSL?
• Have you checked whether any of your embedded systems are using OpenSSL (many embedded OSes use OpenSSL)?
• Do you have browser-based customer interfaces for situational awareness, billing or reporting over SSL/TLS?
• Have you checked third-party binaries/firmware for the existence of OpenSSL?
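As an added example (this is not Codenomicon's code and not part of the original deck), the following Python script does the inventory step behind the last question on this slide: it walks a directory of third-party binaries or unpacked firmware, extracts every "OpenSSL x.y.z" banner embedded in the files, and flags versions in the Heartbleed-affected range. The sample blobs are constructed for this example; the affected-version range (1.0.1 through 1.0.1f and 1.0.2-beta1, fixed in 1.0.1g and 1.0.2-beta2) is taken from the OpenSSL advisory, not from this slide.

```python
import os
import re
from typing import Dict, List, Tuple

# OpenSSL embeds a banner like "OpenSSL 1.0.1e 11 Feb 2013" in libcrypto/libssl and in
# statically linked binaries; web servers also expose it as "OpenSSL/1.0.1e" in headers.
VERSION_RE = re.compile(rb"OpenSSL[ /](\d+\.\d+\.\d+[a-z]?(?:-beta\d+)?)")

# Constructed sample "firmware" blobs standing in for files on disk (not real artefacts).
SAMPLE_BLOBS: Dict[str, bytes] = {
    "router.bin": b"\x7fELF...\x00OpenSSL 1.0.1e 11 Feb 2013\x00...",
    "camera.img": b"...OpenSSL 1.0.1g 7 Apr 2014\x00",
    "legacy.so": b"\x00OpenSSL 0.9.8y 5 Feb 2013\x00",
    "beta.bin": b"OpenSSL 1.0.2-beta1 24 Feb 2014",
    "noise.dat": b"nothing to see here",
}


def find_openssl_versions(data: bytes) -> List[str]:
    """Return every distinct OpenSSL version string found in a blob, in order of appearance."""
    seen: List[str] = []
    for m in VERSION_RE.finditer(data):
        v = m.group(1).decode("ascii")
        if v not in seen:
            seen.append(v)
    return seen


def is_heartbleed_vulnerable(version: str) -> bool:
    """Heartbleed-affected releases per the OpenSSL advisory (a fact not stated in this deck):
    1.0.1 up to and including 1.0.1f, plus 1.0.2-beta1. 1.0.1g and 1.0.2-beta2 carry the fix;
    the 0.9.8 and 1.0.0 branches never contained the heartbeat code."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?", version)
    if not m:
        return False
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    letter, beta = m.group(4), m.group(5)
    if (major, minor, patch) == (1, 0, 1):
        # "" (plain 1.0.1) and letters a..f are vulnerable; g and later are fixed.
        return letter <= "f"
    if (major, minor, patch) == (1, 0, 2) and beta is not None:
        return int(beta) < 2
    return False


def scan_blob(name: str, data: bytes) -> List[Tuple[str, str, bool]]:
    """Return (name, version, vulnerable) for every OpenSSL banner in one blob."""
    return [(name, v, is_heartbleed_vulnerable(v)) for v in find_openssl_versions(data)]


def scan_all_samples() -> List[Tuple[str, str, bool]]:
    """Scan the constructed in-memory samples (used in place of a real directory)."""
    findings: List[Tuple[str, str, bool]] = []
    for name, data in SAMPLE_BLOBS.items():
        findings.extend(scan_blob(name, data))
    return findings


def scan_directory(root: str) -> List[Tuple[str, str, bool]]:
    """Scan every regular file under `root` (e.g. a mounted or unpacked firmware image)."""
    findings: List[Tuple[str, str, bool]] = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as f:
                    data = f.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the inventory
            findings.extend(scan_blob(path, data))
    return findings


def report(findings: List[Tuple[str, str, bool]]) -> None:
    for name, version, vulnerable in findings:
        status = "VULNERABLE (Heartbleed range)" if vulnerable else "not in affected range"
        print(f"{name}: OpenSSL {version} -> {status}")


if __name__ == "__main__":
    report(scan_all_samples())
```

A hit is a lead, not a verdict: distributions that backported the fix (Debian and Red Hat both shipped patched builds still reporting 1.0.1e) will be flagged, and a stripped or obfuscated binary may carry no banner at all. Treat flagged files as candidates for a runtime check of the actual build rather than as confirmed exposure, and treat a clean scan as inconclusive for firmware you could not unpack.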