Heartbleed - CVE-2014-0160

Heartbleed, sounds like a bad B-Movie title / title for some cheesy pop song doesn’t it?

If only that were the case, as I have covered in my blog post on mysqlperformanceblog.com heartbleed affects OpenSSL versions 1.0.1 through 1.0.1f

I’ve spent the last 2 days working 15hrs plus on this, and this is during some nasty Jet Lag courtesy of my return trip from Percona Live 2014, as the code keeps being pulled down for some reason I have mirrored some effective P.o.C code at github NOTE: This is not my own code I am only mirroring it, use at your own risk etc etc …

I encourage you to both read my blog post and my colleague Ernie’s blog post on the matter.

the TL;DR

  1. 0.9.8 and 1.0.0 versions ARE NOT VULNERABLE
  2. 1.0.1 -> 1.0.1f ARE VULNERABLE
  3. some distros are backporting to fix into their 1.0.1e (Redhat, ubuntu, debian etc …)
  4. check changelogs of packages for CVE-2014-0160 fixes
  5. you MUST rotate keys and certificates and assume ALL user credentials have been compromised

In my own testing using the POC code I found the following.

  1. I could not dump the SSL keys from memory (I may have just been unlucky here, some sources are claiming they have been able to do this).
  2. I could dump ANY content which had a some point been “in flight” e.g. user login forms and servers responses (usernames + passwords + session cookies etc).
  3. I could ONLY dump the memory of the process using TLS (some sources claimed to be able to walk the entire server memory, I found this to not be the case).

This blog post may not be my usual deep dive, however given the work being done and the links to blog posts on MPB this shold be enough information for you the reader to go on in the interim.

UPDATE: this video provides a great description on the vulnerability in detail.