Many of you will have seen media reports of a recently discovered vulnerability called Heartbleed. Heartbleed is a problem in OpenSSL, a software library that is used by most websites to secure your communication using SSL. It provides the S in HTTPS, or if you prefer, it's what's responsible for the padlock icon in your browser's URL bar while browsing the web*.
Having spent a week dealing with the fallout of this and helping customers to check and upgrade their systems and mitigate any potential impact, I've now got around to looking at the Humax.
There is an option to enable encryption (HTTPS) in the webif package and I know that many people use this to encrypt traffic to and from the web interface for when they are accessing it over the Internet. The good news is that the OpenSSL library on the Humax is version 1.0.0a and is not vulnerable to the Heartbleed exploit.
* Normally when browsing a site using SSL, you can trust that the information you
send to the website can only be seen by the website itself. This keeps your
private information, such as credit cards, usernames, and passwords, secure.
The Heartbleed exploit enables attackers to bypass the protections provided by
SSL. This means any information you sent to a website that relied on vulnerable
versions of OpenSSL could potentially already be in the hands of the bad guys.
http://heartbleed.com/ has a lot of information regarding the vulnerability and XKCD has published a comic strip which explains it all rather nicely.
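The version check mentioned above can be scripted. The following is an added example, not part of the original post or the webif package: the function name `heartbleed_status` and the sample strings are constructed, and the affected range (upstream 1.0.1 through 1.0.1f, fixed in 1.0.1g) comes from the public advisory for CVE-2014-0160.

```shell
#!/bin/sh
# Classify `openssl version` (or `openssl version -a`) output for Heartbleed.
# Upstream releases 1.0.1 through 1.0.1f are affected; 1.0.1g is fixed.
# The 0.9.8 and 1.0.0 branches never shipped the heartbeat extension.
heartbleed_status() {
    # A build compiled with -DOPENSSL_NO_HEARTBEATS has the code removed;
    # the flag shows up in the "compiler:" line of `openssl version -a`.
    case "$1" in
        *OPENSSL_NO_HEARTBEATS*) echo not-vulnerable; return 0 ;;
    esac

    v=${1#OpenSSL }   # drop the leading product name, if present
    v=${v%% *}        # keep only the version token, e.g. "1.0.0a"

    case "$v" in
        1.0.1|1.0.1[abcdef])
            echo vulnerable ;;
        0.9.*|1.0.0|1.0.0[a-z]|1.0.1[a-z]|1.0.2|1.0.2[a-z]|1.1.*|3.*)
            echo not-vulnerable ;;
        *)
            # Pre-releases and vendor builds (e.g. "1.0.1e-fips") land here:
            # distributions often backport the fix without changing the
            # letter, so the package changelog has to be checked instead.
            echo unknown ;;
    esac
}

# Constructed sample inputs; on a real system pass "$(openssl version -a)".
for sample in \
    "OpenSSL 1.0.0a 1 Jun 2010" \
    "OpenSSL 1.0.1f 6 Jan 2014" \
    "OpenSSL 1.0.1e-fips 11 Feb 2013"
do
    printf '%-34s %s\n' "$sample" "$(heartbleed_status "$sample")"
done
```

A `vulnerable` result on an Internet-facing service means upgrading the library and then replacing any keys, certificates and passwords that were handled while the affected version was running.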
