Once Bled, Twice Shy (OpenSSL: CVE-2014-0195)

Authored by: Ricky Lawshae (headlesszeke)


Several weeks back, a vulnerability in OpenSSL's "heartbeat" functionality came to light which bled the contents of a server's memory into its response packets. It was appropriately dubbed "heartbleed" and was kind of a big deal.

One happy side-effect of this vulnerability, however, was a sudden and significant increase in scrutiny of the OpenSSL codebase from the security research community, something that was long overdue for code relied on so heavily and universally. It should come as no surprise that heartbleed was just the tip of the vulnerability iceberg.

Earlier today, ZDI published an advisory for a critical bug discovered by Jüri Aedla in OpenSSL's implementation of Datagram Transport Layer Security (DTLS). What makes this bug serious is that it can lead to remote code execution. For a more in-depth analysis and technical details of this vulnerability and its implications, please see the Zero Day Initiative blog posting.

At a high level, the bug involves implicitly trusting length values specified in fragmented DTLS Client Hello messages. When a DTLS handshake message is fragmented, each fragment's header carries the total message length as well as that fragment's own offset and length. These values are used to create a buffer for the reassembled message and to determine how much data is copied into it, and where:

[code snippet image: codesnippet.png]


However, only the length carried in the initial fragment is used when sizing the buffer, while the offset and length of each subsequent fragment are still trusted when deciding how much data to copy into it. If a Client Hello message contains an initial fragment with a very small length and a second fragment with a very large length, more data is written into that buffer than it was allocated to hold, leading to a buffer overflow. Obviously, this is a very serious flaw, but as usual, the Digital Vaccine team has come to the rescue.

Since DVLabs became aware of this vulnerability last month, HP TippingPoint customers have been provided with three different levels of protection against it in the form of filters 13873, 13874, and 13875. While filter 13874 is designed to detect the attack itself, filters 13873 and 13875 provide broader coverage. Filter 13875 will detect the use of fragmentation in DTLS Client Hello messages. In a normal DTLS session negotiation, it's pretty rare to see fragmentation used on a message as small as a Client Hello (a Client Hello large enough to exceed the path MTU can legitimately be fragmented, so the occasional benign hit is possible), so it is fairly safe to assume that something out of the ordinary is going on when it is seen. And if our customers want to take things even further, the use of DTLS in general can be detected by enabling filter 13873. Obviously, there is nothing inherently malicious in using DTLS, but if it is not needed or normally seen in a particular environment, then this filter can make sure it never is. With this type of customizable detection granularity, an effective level of protection can be achieved in any environment.
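The following is an added example, not OpenSSL's code and not the Digital Vaccine filter logic, modelling both the reassembly flaw described above and the fragmentation check behind filter 13875. It parses the 12-byte DTLS handshake fragment header from RFC 6347 (the 13-byte record header is assumed to have been stripped already), flags a Client Hello whose fragment does not cover the whole message, and runs a toy reassembler whose unchecked path sizes the buffer from the first fragment but trusts later fragments' offset and length for the copy, beside a hardened path that rejects them. The arena-plus-canary layout, the sizes and the sample fragments are constructed for the demo so the overrun stays observable without corrupting unrelated memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DTLS handshake fragment header (RFC 6347 4.2.2), 12 bytes: msg_type(1),
 * length(3) = size of the WHOLE message, message_seq(2), fragment_offset(3),
 * fragment_length(3). Record header assumed already stripped. */
#define DTLS_HS_HDR_LEN 12
#define HS_CLIENT_HELLO 1
#define ARENA_LEN 64      /* demo arena: message buffer followed by canary bytes */
#define CANARY 0xAA

struct hs_frag_hdr { uint8_t msg_type; uint32_t msg_len, frag_off, frag_len; };

static uint32_t get_u24(const uint8_t *p) {
    return ((uint32_t)p[0] << 16) | ((uint32_t)p[1] << 8) | p[2];
}
static void put_u24(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 16); p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)v;
}

/* 0 on success, -1 if the data is shorter than the header or than the body it claims. */
int parse_hs_frag_hdr(const uint8_t *buf, size_t len, struct hs_frag_hdr *h) {
    if (len < DTLS_HS_HDR_LEN) return -1;
    h->msg_type = buf[0];
    h->msg_len  = get_u24(buf + 1);
    h->frag_off = get_u24(buf + 6);
    h->frag_len = get_u24(buf + 9);
    return h->frag_len > len - DTLS_HS_HDR_LEN ? -1 : 0;
}

/* Detection in the spirit of the fragmentation filter: a Client Hello whose fragment does not cover the whole message. */
int is_fragmented_client_hello(const uint8_t *buf, size_t len) {
    struct hs_frag_hdr h;
    if (parse_hs_frag_hdr(buf, len, &h) != 0) return 0;
    return h.msg_type == HS_CLIENT_HELLO && (h.frag_off != 0 || h.frag_len != h.msg_len);
}

/* Toy reassembler: the message buffer is the first msg_len bytes of the arena, the rest is canary. */
struct reasm { uint8_t arena[ARENA_LEN]; uint32_t msg_len; int started; };

void reasm_init(struct reasm *r) {
    memset(r->arena, CANARY, ARENA_LEN); r->msg_len = 0; r->started = 0;
}

/* hardened=0 models the flaw: the buffer is sized from the first fragment, but later
 * fragments' offset/length are trusted for the copy. hardened=1 adds the checks a
 * fixed implementation needs. Returns 0 if accepted, -1 if rejected. */
int reasm_feed(struct reasm *r, const uint8_t *pkt, size_t len, int hardened) {
    struct hs_frag_hdr h;
    if (parse_hs_frag_hdr(pkt, len, &h) != 0) return -1;
    if (!r->started) {
        if (h.msg_len > ARENA_LEN / 2) return -1;   /* keep the demo inside the arena */
        r->msg_len = h.msg_len;                     /* the "allocation" happens here */
        r->started = 1;
    }
    if (hardened) {
        if (h.msg_len != r->msg_len) return -1;              /* total length changed */
        if (h.frag_off + h.frag_len > r->msg_len) return -1; /* fragment past buffer end */
    }
    if (h.frag_off + h.frag_len > ARENA_LEN) return -1;      /* demo guard only */
    memcpy(r->arena + h.frag_off, pkt + DTLS_HS_HDR_LEN, h.frag_len);
    return 0;
}

/* Canary bytes beyond the message buffer that a copy overwrote. */
size_t reasm_overrun_bytes(const struct reasm *r) {
    size_t n = 0;
    for (size_t i = r->msg_len; i < ARENA_LEN; i++) n += (r->arena[i] != CANARY);
    return n;
}

/* Constructed fragment: header plus a body of `fill` bytes (message_seq = 0). */
size_t build_frag(uint8_t *out, uint8_t type, uint32_t msg_len,
                  uint32_t off, uint32_t flen, uint8_t fill) {
    out[0] = type; put_u24(out + 1, msg_len); out[4] = out[5] = 0;
    put_u24(out + 6, off); put_u24(out + 9, flen);
    memset(out + DTLS_HS_HDR_LEN, fill, flen);
    return DTLS_HS_HDR_LEN + flen;
}

/* The pattern from the advisory: fragment 1 declares a 16-byte Client Hello, fragment 2
 * keeps that total but claims 40 bytes at offset 8. Returns canary bytes overwritten
 * (0 = contained), or -1 if fragment 2 was rejected. */
long run_attack(int hardened) {
    struct reasm r; uint8_t pkt[DTLS_HS_HDR_LEN + ARENA_LEN]; size_t n;
    reasm_init(&r);
    n = build_frag(pkt, HS_CLIENT_HELLO, 16, 0, 8, 0x41);
    if (reasm_feed(&r, pkt, n, hardened) != 0) return -2;
    n = build_frag(pkt, HS_CLIENT_HELLO, 16, 8, 40, 0x42);
    if (reasm_feed(&r, pkt, n, hardened) != 0) return -1;
    return (long)reasm_overrun_bytes(&r);
}

/* Detection sample: fragmented=1 builds a partial Client Hello, 0 a complete one. */
int detect_sample(int fragmented) {
    uint8_t pkt[DTLS_HS_HDR_LEN + ARENA_LEN];
    size_t n = build_frag(pkt, HS_CLIENT_HELLO, fragmented ? 16 : 8, 0, 8, 0x41);
    return is_fragmented_client_hello(pkt, n);
}

int main(void) {
    printf("flawed: %ld canary bytes clobbered; hardened: %ld; fragmented hello flagged: %d\n",
           run_attack(0), run_attack(1), detect_sample(1));
    return 0;
}
```

With the checks off, the second fragment's 40 bytes land at offset 8 of a 16-byte buffer and clobber 32 bytes past its end; with them on, the fragment is rejected before the copy. The two hardened checks are the ones that matter for this class of bug: a later fragment must agree with the total length the buffer was sized from, and its offset plus length must fit inside that total. The detection function is deliberately cruder than the reassembler, which is exactly the trade-off the fragmentation filter makes: it flags any fragmented Client Hello rather than trying to reason about whether the fragments are consistent.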

This is probably not going to be the last vulnerability uncovered with all the focus being given to OpenSSL, and more than likely others will follow quickly. But rest assured that when they do, the Digital Vaccine team will be there to provide the prompt and effective coverage that everyone needs.
