Heartbeat Response transmission during handshake - plaintext bleeding of HB response [CVE-2014-0160]

MiW on Mailing Lists
Hi List,

I think Doug Smith was correct in his email "Heartbeat response during
handshake?"

RFC 6520 does state that "The receiving peer SHOULD discard the message
silently, if it arrives during the handshake."

I was testing adding the following lines to d1_both.c and t1_lib.c in
the tls1_process_heartbeat(SSL *s)/dtls1_process_heartbeat(SSL *s)
function in openssl-1.0.1f in the same place Adam Langley's fix lives in
openssl-1.0.1g:
Thanks to Doug Smith for suggesting reusing a test that's in
tls1_heartbeat(SSL *s):

if (s->in_handshake)
        return 0; /* silently discard per RFC 6520 sec. 3 */

I recompiled with and without this check and ran both exploits
ssltest.py (Jarad Stafford s3.jspenguin.org/ssltest.py) and
andrea_ssltest.c (Andrea Shepard, nofilename http://pastebay.net/1422064).
The difference there is that ssltest.py sends a static (replayed) Client
Hello and HeartBeat request, whereas andrea_ssltest.c completes the TLS
handshake before requesting HB.

With the additional test in place, ssltest.py does not work because the
secure channel is not yet established. andrea_ssltest.c works as expected.
I think one of the intentions of the clause in section 3 is to prevent
heartbeat responses being sent in cleartext to the peer, even more so
with DTLS as the heartbeat request might be delivered before the
ClientKeyExchange.

This has proven to be quite critical with CVE-2014-0160, as we have lots
of people that are firing the ssltest.py exploit
and we have all manner of heap leakages inside HeartBeat responses
passing in cleartext over the internet. I bet lots of things were listening.
If openssl had ignored HeartBeat req's before the handshake was
established the heap blood should not have been readable by anyone except
the TLS peers.

I realise the damage is done, but maybe this test should also be
included in tls1_process_heartbeat(SSL *s)/dtls1_process_heartbeat(SSL
*s) so it conforms to the "SHOULD" in RFC 6520.

If I'm totally wrong about this and there is a killer use case for
unencrypted heartbeat request/responses that are sent before handshake
is complete, let me know.

Thanks,

MiW
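The following is an added worked example, not OpenSSL's code and not part of the post above. It is a small stand-alone model of heartbeat processing that shows the two checks discussed in this thread side by side: the RFC 6520 section 3 discard of any heartbeat that arrives while the handshake is still in progress (the in_handshake test the post proposes), and the bounds check on the claimed payload length that 1.0.1g added. The struct hb_ctx, the function names and the zero-filled padding are assumptions made for the model; the only thing taken from the post is the in_handshake flag.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1   /* HeartbeatMessageType heartbeat_request (RFC 6520) */
#define HB_RESPONSE  2   /* HeartbeatMessageType heartbeat_response */
#define HB_MIN_PAD   16  /* RFC 6520: at least 16 bytes of padding */
#define HB_HDR_LEN   3   /* type(1) + payload_length(2) */

enum hb_result {
    HB_DISCARD_HANDSHAKE,  /* arrived during the handshake: silently dropped */
    HB_DISCARD_MALFORMED,  /* length field does not fit the record received */
    HB_IGNORE_TYPE,        /* response or unknown type: nothing to send */
    HB_RESPONSE_SENT       /* a response was written to ctx->out */
};

/* Hypothetical stand-in for the few SSL fields this model needs. */
struct hb_ctx {
    int in_handshake;          /* plays the role of s->in_handshake */
    unsigned char out[512];    /* the response the model would transmit */
    size_t out_len;
};

/* Build a heartbeat_request record: type || length || payload || 16 zero pad.
 * Returns the record length, or 0 if it does not fit in cap. */
size_t hb_build_request(unsigned char *rec, size_t cap,
                        const unsigned char *payload, uint16_t plen)
{
    size_t total = HB_HDR_LEN + plen + HB_MIN_PAD;
    if (total > cap) return 0;
    rec[0] = HB_REQUEST;
    rec[1] = (unsigned char)(plen >> 8);
    rec[2] = (unsigned char)(plen & 0xff);
    memcpy(rec + HB_HDR_LEN, payload, plen);
    memset(rec + HB_HDR_LEN + plen, 0, HB_MIN_PAD);
    return total;
}

enum hb_result hb_process(struct hb_ctx *s, const unsigned char *rec, size_t rec_len)
{
    s->out_len = 0;

    /* The check proposed in the post: RFC 6520 sec. 3 says the receiver SHOULD
     * discard a heartbeat that arrives during the handshake. Returning here means
     * no response is ever produced before the channel is protected. */
    if (s->in_handshake)
        return HB_DISCARD_HANDSHAKE;

    /* Header plus minimum padding must be present before the length is read. */
    if (rec_len < HB_HDR_LEN + HB_MIN_PAD)
        return HB_DISCARD_MALFORMED;

    unsigned char type = rec[0];
    size_t plen = ((size_t)rec[1] << 8) | rec[2];

    /* The bounds check added in 1.0.1g: the claimed payload plus padding must
     * fit inside the record actually received; without it the memcpy below
     * would read past the request into whatever heap memory follows it. */
    if (HB_HDR_LEN + plen + HB_MIN_PAD > rec_len)
        return HB_DISCARD_MALFORMED;

    if (type != HB_REQUEST)
        return HB_IGNORE_TYPE;

    if (HB_HDR_LEN + plen + HB_MIN_PAD > sizeof(s->out))
        return HB_DISCARD_MALFORMED;   /* model buffer too small: drop it */

    s->out[0] = HB_RESPONSE;
    s->out[1] = rec[1];
    s->out[2] = rec[2];
    memcpy(s->out + HB_HDR_LEN, rec + HB_HDR_LEN, plen);  /* echo exactly plen bytes */
    memset(s->out + HB_HDR_LEN + plen, 0, HB_MIN_PAD);     /* padding (zero in the model) */
    s->out_len = HB_HDR_LEN + plen + HB_MIN_PAD;
    return HB_RESPONSE_SENT;
}

/* Three scenarios with a constructed 5-byte request. Each returns 1 on the
 * expected behaviour so they can be checked without inspecting stdout. */
int demo_after_handshake(void)
{
    struct hb_ctx c = {0};
    unsigned char rec[64];
    size_t n = hb_build_request(rec, sizeof rec, (const unsigned char *)"hello", 5);
    return n == 24 && hb_process(&c, rec, n) == HB_RESPONSE_SENT
        && c.out_len == 24 && memcmp(c.out + HB_HDR_LEN, "hello", 5) == 0;
}

int demo_during_handshake(void)
{
    struct hb_ctx c = {0};
    unsigned char rec[64];
    size_t n = hb_build_request(rec, sizeof rec, (const unsigned char *)"hello", 5);
    c.in_handshake = 1;
    return hb_process(&c, rec, n) == HB_DISCARD_HANDSHAKE && c.out_len == 0;
}

int demo_bad_length(void)
{
    struct hb_ctx c = {0};
    unsigned char rec[64];
    size_t n = hb_build_request(rec, sizeof rec, (const unsigned char *)"hello", 5);
    rec[1] = 0xff; rec[2] = 0xff;   /* claimed length far larger than the record */
    return hb_process(&c, rec, n) == HB_DISCARD_MALFORMED && c.out_len == 0;
}

int main(void)
{
    printf("after handshake:  %s\n", demo_after_handshake()  ? "response sent" : "unexpected");
    printf("during handshake: %s\n", demo_during_handshake() ? "discarded"     : "unexpected");
    printf("bad length:       %s\n", demo_bad_length()       ? "discarded"     : "unexpected");
    return 0;
}
```

The order of the two checks is the point: the in_handshake test runs first, so even a peer that never finishes the handshake gets no response at all, while the length test protects peers that do complete it. Either check alone leaves one of the two cases open.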
