First, and most important: consider changing every single one of your public Internet passwords (possibly even VPN ones) right now. Go to the Heartbleed site if you want a nice easy unpleasant read on the subject.
And yes, this supreme idiocy has already been repeated so often over the Internet that even MSN has picked up on it.
This invidious little distinction between “virus” and “fucking huge uncontrolled security leak” must be so comforting to anybody whose bank account has been ripped off.
Customer: Somebody has drained my current account and has taken over my Facebook front page. Facebook is now claiming that I am a transsexual vampire who gets his rocks off by taking selfies whilst having penetrative sex with the exhaust pipes of pre-1990 Trabants.
Call Centre Guy: Don’t worry, it’s just a gaping hole in the implementation of OpenSSL, pre version 1.01g.
Customer: Shit! You mean my computer has a virus?
Call Centre Guy: Certainly not. It’s not a virus. It’s called “Heartbleed.” The security mavens have logged it as CVE-2014-0160.
Customer: What a relief! It’s not a virus! So, from now on, I’m safe!
Call Centre Guy: Not hardly. You’re fucked, mate. Any information at all that you’ve transmitted over HTTPS over the last two years is potentially compromised.
Customer: What, anything? I’m pretty IT-savvy, you know. I only use sites powered by Apache or Nginx.
Call Centre Guy: Yup, Apache and Nginx are fucked, too.
Customer: So, Apache and Nginx have been infected by this virus for two whole years?
Call Centre Guy: Are you dense or something? I already tole you. Heartbleed is not a virus.
Customer: All right, all right, stop patronising me. So, if it’s not a virus, obviously it can’t be that widespread, can it?
Call Centre Guy: Look, just forget this virus obsession of yours. Heartbleed only affects Debian Wheezy (stable), Ubuntu 12.04.4 LTS, CentOS 6.5, Fedora 18, OpenBSD 5.3 and 5.4, FreeBSD 10.0, NetBSD 5.0.2, and OpenSUSE 12.2. Oh, and most of the prior versions over the last two years. And a few other things.
Customer: But I can apply a fix to any of those, right?
Call Centre Guy: Are you kidding me? They’re all massively deployed *nix server systems. But trust these guys. They know what they’re doing.
Customer: Do they really?
Call Centre Guy: Oh, C’mon. They’re the sort of feebs that make goldfish look like intellectual titans. But I’m curious. Why accuse you of being a transsexual vampire with a thing for Trabants?
Customer: It happens to be true, but I don’t like it to be publicised to the world. See, that’s why I use a private email account encrypted with GnuTLS. At least that’s secure.
And so on.
Remember How To Become An X.509 Certificate Authority, the GnuTLS Way? Oh, how we all laughed. And the Loons riposted: nobody uses GnuTLS these days, the threat is overblown, everybody has been using OpenSSL for at least the last two years.
Indeed so.
Now, I don’t wish to leave you without offering a comforting thought. The GnuTLS bug was at least mildly complicated (although not as complicated as the Loons would have you think). It was the sort of bug that any professional, without benefit of code-review, unit tests, integration tests, or use cases might, on a really bad day, have left to fester.
Mildly complicated, but according to this analysis nowhere near as simple as the Heartbleed bug. You wanna know the cause of the Heartbleed bug? I’ll show you the cause of the Heartbleed bug, in a single line.
memcpy(bp, pl, payload);
Yes, that’s right. These so-called Secuirty Experts, to borrow the Hamster’s phrase, completely failed to sanitise a buffer length and, well:
That means OpenSSL runs off the end of your data and scoops up whatever else is next to it in memory at the other end of the connection, for a potential data leakage of approximately 64KB each time you send a malformed heartbeat request.
So much less damaging than the GnuTLS security hole.
No, sorry, tried, failed. No comforting thoughts to offer.
Think about changing your passwords now. Everything else is long gone.
—————————————————
Addendum: Courtesy of this link, I now know how this foolishness was perpetrated:
It was added by a T-Systems employee (biggest telecommunication company in Germany and mostly owned by the state… ok, he did not work there at the time he wrote that code, but still a nice theory).The same person has also written the proposal for this heartbeat extension (where he admits that it does not need a payload but still implemented it for “flexibility”)
Ah yes, flexibility. Where would trivial protocols like a piggy-backing heartbeat be without flexibility?
The phrase “attack surface” springs to mind for some reason.
Comments
Haha. The Internet is now affected by worst vulnerability in the history of vulnerabilities, thanks to the freetard menace.
There should be a penalty everytime a company gets hacked. That way, there will be incentive for companies to avoid products that have a history of nasty security bugs (that is, products that rely on OpenSLL).
Now, companies just select the cheapest solution. And the customers get the shaft. And companies win the class action lawsuit.
Kurks,
You mean like reversing the responsiblity for "identity theft" which is really a loss of identity that a bunch of companies created for you, usually against your will (credit reports, etc.)? But YOU are ultimately responsible for? LAWL that will never happen. Corporations own the world, my friend.
The problem here, Kurks, is that it isn't "a company."
It's the entire methodology.
(If you've got a good solution to that, I'm honestly looking forwards to it.)
As a sidenote, what kind of sh!tty coding is this? Why do the buffer-length test and call memcpy every single time, instead of making a securememcpy() function that does these for you? I mean, this is an SSL library, there must be several places where buffers need to memcpy'ed securely, so the effort should be worth it.
I am in a university that is more known for it's Saturday night parties than the knowledge it disseminates, and even I know that much.
PS: Reminds me a project a fellow undergratuate had written, and he did list manipulation by doing the same things in multiple places, instead of taking one minute to write additem(), deleteitem() and finditem().
Easy solution. Ban freetardism. Make it a crime to provide source code to the public. Give Microsoft a de facto UN-sanctioned monopoly on OS and web server software much like utilities get monopolies. That's how we'll solve this nonsense.
instead of making = instead of writing
kurk,
That requires knowing the length of the data pointed to, which we know from C (which is another freetard invention) is who the f**k knows where in any given program. Certainly it is not stored logically with the pointer itself. That would make too much f**king sense for the freetards.
@ED
If you can do it inline (aka on the spot), you can do it in a function, or failing that, with a macro. Cheers.
Good catch. Indeed. Recidivist C. That's all there is to it.
Of course, all the apparatus behind this drivel ... no way would Microsoft or Apple or even Google miss that.
Only Freedom can let this crap in.
kurks,Yeah you could have a consistant way to store the length of the buffer. You can also use a language that is not a complete clusterf**k of insecurity to begin with. You could also not be a complete freetard writing open sores code only Hitler could be proud of. By bet is none of these three apply to any given freetard project.
There's also the possibility that you could add a guard on the length, which is what these people would have done in a simple short routine. Had they not been ignorant worthless cretins with no review.
Remind us all again, Queef, how that "Hello World!" program went. As I recall, it didn't suffer from buffer overrun problems, did it? Just sheer incompetence.
Why don't you just shut up and leave it to the professionals?
Notice too, how they don't use descriptive variable names. What the f**k is a "bp"? British Petroleum? Would it hurt anything to use a few more f**king characters when you define variables? Remember this comes from the same people brought you such things like "etc", "usr" (whcih is not user directories, f**k knows what is actually suppose to be here), and "grep" (the f**k?). It's just layers upon layers of fail.
I'm not Queef. By the way, eat dicks DrLoser. Thanks.
Ed - Bitcoin miner, tireless defender of open source, supporter of OWS movement.
Is there one thing that this kid does that doesn't scream "I am young and impressionable"?
Notice how the resident idiots go off on douchebag tangents instead of focusing on the topic.
should I be a dumass you never wrote a line of code and say that we should be using languages that lessen the chance for these kinds of things in the first place.
But carry on. People know that only pussies use those languages and real manly stuff needs to be written in C.
Sysadmins of these companies tend to be raging neckbeards who believe s*** like this.
The problem is not the lack of dictatorial measures that punish poor code. It's the morons that perpetuate the *nix/FOSS security myth.
Oh, cmon, that mistake could happen to anybody. TBH, I feel for the poor motherficker, (s)he will get enough sh3t anyway.
I think you must place the blame on the freetard/open source crowd: after all, what happend with the 'given enough eyeballs, all bugs are shallow' thing? I thought when the source is published, everything is automagically perfect. :)
This is exactly why you are never going to hear witty names, e.g. "The Spring of TLS Bugs", from the media or the blogosphere. Like the American anti-trust law, a stated double-standard is openly applied.
Taking all the above into account, I think Kurks has hit the nail on the head best. It beggars belief that the writers of a so-called "security" module wouldn't be paranoid about raw memory copies; I mean, is trivial static analysis too much to ask?
Naturally, it also beggars belief that the corporate consumers of a security module don't bother to run an audit over the (free open super sauce!) code. Red Hat should be publicly disgraced for this negligence.
The fact that everyone from Cisco to Avaya use OpenSSL (even though their products used the older version and were not affected) too and they are too cheap to hire eyeballs to audit the code means one thing. Major tech corporations don't give a s*** about security. That or they are too stupid to believe in the MillionEyeBalls.
You must be signed in to leave comments.