Heartbleed Fallout | TechSNAP 160

Heartbleed Fallout | TechSNAP 160

OpenBSD launches LibreSSL, but what challenges do they face? And how much progress have they made? We’ll report!

Apple is struck with its own woes, Heartbleed is used to bypass two-factor authentication, and then its a great batch of your questions and our answers!

On this week’s episode of TechSNAP!

Thanks to:




Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

— Show Notes: —

OpenBSD launches LibreSSL

  • The team behind OpenBSD has formalized their fork of OpenSSL and called it LibreSSL
  • The goal is to update the coding standards, to use more modern and safer C programming practises
  • The impetus for this was infact not Heartbleed, but the mitigation countermeasures discovered by OpenBSD developers before Heartbleed was found
  • The way much of OpenSSL is constructed makes it harder to audit with tools like Coverient and Valgrind, and the lack of consistent style, naming etc, makes it exceptionally hard to audit by hand
  • There were many bugs in the OpenSSL bug tracker that had been open for as much as 4 years and never addressed
  • Bob Beck of the OpenBSD project says that most of the actual crypto code in OpenSSL is very good, as it was written by cryptographers, but a lot of the plumbing is very old and needs serious updating
  • Part of the 90,000 lines of code removed in LibreSSL was the FIPS compliance module, which has not been maintained for nearly 20 years
  • So far, all of the changes have been API compatible, so any application that can use OpenSSL can still use LibreSSL
  • The OpenBSD Foundation is soliciting donations to continue the work on LibreSSL and develop a portable version for other operating systems
  • LibreSSL site, complete with working tag

Apple fixes major SSL flaw that could have allowed an attacker to intercept data over an encrypted connection, or inject their own data into the connection

  • Apple has fixed a serious security flaw that’s present in many versions of both iOS and OSX and could allow an attacker to intercept data on SSL connections. The bug is one of many that the company fixed Tuesday
  • In a ‘triple handshake’ attack, it was possible for an attacker to establish two connections which had the same encryption keys and handshake, insert the attacker’s data in one connection, and renegotiate so that the connections may be forwarded to each other,” the Apple
  • The vulnerability affects OS X Mountain Lion 10.8.5, OS X Mavericks 10.9.2, as well as iOS 7.1 and earlier. The bug joins a list of serious problems that have affected SSL in recent months, most notably the OpenSSL heartbleed vulnerability disclosed earlier this month.
  • OSX also contains two separate vulnerabilities that could enable an attacker to bypass ASLR, one of the key exploit mitigations built into the operating system. One of the flaws is in the IOKit kernel while the other is in the OSX kernel. The IOKit kernel ASLR bypass also affects iOS 7.1 users.
  • Among the other flaws Apple patched in its new releases are a number other severe vulnerabilities. For OSX Mavericks users, the two most concerning issues are a pair of buffer overflows that could lead to remote code execution. One of the bugs is in the font parser and the second is in the imageIO component. The upshot of the vulnerabilities is that opening a malicious PDF or JPEG could lead to arbitrary code execution.

Heartbleed used to defeat 2 factor authentication

  • Security nightmares sparked by the Heartbleed OpenSSL vulnerability continue. According to Mandiant, now a unit of FireEye
  • An attacker was able to leverage the Heartbleed vulnerability against the VPN appliance of a customer and hijack multiple active user sessions.
  • The attack bypassed both the organization\’s multifactor authentication and the VPN client software used to validate that systems connecting to the VPN were owned by the organization and running specific security software.
  • \”Specifically, the attacker repeatedly sent malformed heartbeat requests to the HTTPS web server running on the VPN device, which was compiled with a vulnerable version of OpenSSL, to obtain active session tokens for currently authenticated users,\” Mandiant\’s Christopher Glyer explained.
  • With an active session token, the attacker successfully hijacked multiple active user sessions and convinced the VPN concentrator that he/she was legitimately authenticated.
  • After connecting to the VPN, the attacker attempted to move laterally and escalate his/her privileges within the victim organization, Mandiant said.
  • Additional Coverage


Round Up:

Question? Comments? Contact us here!