The Heartbleed bug: How a flaw in OpenSSL caused a security crisis

That’s how it’s supposed to work. The Heartbleed vulnerability arose because OpenSSL’s implementation of the heartbeat functionality was missing a crucial safeguard: the computer that received the heartbeat request never checked to make sure the request was actually as long as it claimed to be. So if a request said it was 40 KB long but was actually only 20 KB, the receiving computer would set aside 40 KB of memory buffer, then store the 20 KB it actually received, then send back that 20 KB plus whatever happened to be in the next 20 KB of memory. There could be all kinds of things in that 20 KB, because even when a computer is done with information, that data persists in memory buffers until something else comes along to overwrite it. That extra 20 KB of data is information that the attacker has now extracted from the web server.

Why is Heartbleed dangerous?

Heartbleed is dangerous because it lets an attacker see the contents of that memory buffer, which could include sensitive information. Admittedly, if you’re the attacker, you have no way to know in advance what might be lurking in that 20 KB you just grabbed off the server, but there are a number of possibilities . It could be gibberish or useless cruft. If you’re really lucky, you could get SSL private keys, which would allow for the decryption of secure communication to that server; this is unlikely, but would be the holy grail for an attacker. More commonly, you could get back usernames and passwords that had been submitted to applications and services running on the server, which would allow you to log in to those apps and gain access to user accounts.

Randall Munroe’s web comic xkcd is known for making difficult scientific concepts accessible, especially in computer science, Munroe’s specialty. This xkcd comic from 2014 does a great job of summarizing how the Heartbleed vulnerability works in a concise way.

How was Heartbleed discovered?

Heartbleed was actually discovered by two different groups, working independently, in very different ways: once in the course of a review of OpenSSL’s open source codebase, and once during a series of simulated attacks against servers running OpenSSL. The two independent discoveries happened within weeks of one another, which is somewhat ironic considering that the vulnerability had lurked undetected for two years.

Codenomicon proceeded quite differently from Google: not only did they publicize their discovery, but they branded it : they were the ones who came up with the Heartbleed name, and they even designed a logo for it. It was one of the first (though by no means the last) examples of a security company turning the discovery of a vulnerability into a marketing opportunity .

Heartbleed CVE

The identifier for Heartbleed in the common vulnerabilities and exposures (CVE) system is CVE-2014-0160 ; you can follow that link for a wealth of information about the bug. “Heartbleed” is obviously a lot catchier, so you can understand why Codenomicon’s name stuck.

memcpy() is the command that copies data. bp is the place it’s copying it to, pl is where it’s being copied from, and payload is the length of the data being copied. As we’ve seen, the problem is that there’s never any attempt to check if the amount of data in pl is equal to the value given of payload .

The most ironic thing here is that OpenSSL is open source software. Anyone could look at the code, and presumably hundreds did, but until Mehta and the Codenomicon team stumbled upon it, nobody noticed this fairly elementary coding error. In fact, because open source projects like OpenSSL meticulously keep track of contributors, we know whose error it was: Robin Seggelman, a German software developer , who had made numerous contributions to the OpenSSL project.

Heartbleed exploits: Who is affected by Heartbleed?

There have been real-world exploits of the Heartbleed vulnerability, though it’s not clear if any took place before the bug was widely publicized. It’s possible that some attempted attacks detected by security companies as early as 2013 were probing for the vulnerability—and some think the attackers were government security agencies .

After April of 2014, when Codenomicon made the vulnerability public, there was a flurry of activity and a certain amount of chaos as companies scrambled to update their systems; for instance, Yahoo and OKCupid users were briefly advised not to log into their accounts until those services managed patch their installs of OpenSSL, and to change their passwords once they did regain access.

While those big companies managed to get their ducks in a row before anything bad befell them, hackers were able to exploit the vulnerability in several cases. An attack on Community Health Systems that stole patient data was blamed on Heartbleed, as was the theft of hundreds of social ID numbers from the Canadian Revenue Agency .

Heartbleed cost

Heartbleed had costs that went beyond the damages caused by these successful attacks; Security Magazine estimated that just the cost of thousands of organizations needing to revoke and replace their SSL certificates could run as high as $500 million . Add in the worker-hours required to check and update systems and you have a big spike in spending that can be directly tied to this vulnerability.

The Heartbleed fix

The Heartbleed fix was rolled out in version 1.0.1g of the OpenSSL library, released on April 8, 2014, and was also included in all subsequent versions of the software. You can fix the Heartbleed vulnerability by upgrading to the latest version of OpenSSL, and can find links to all the latest code on the OpenSSL website .

If you’re curious about the code that implements the fix, you can look at it—after all, OpenSSL is open source:

/* Read type and payload length first */

if (1 + 2 + 16 > s->s3->relent)

return 0;

/* silently discard */

hbtype = *p++;

n2s(p, payload);

if (1 + 2 + payload + 16 > s->s3->rrec.length)

return 0;

/* silently discard per RFC 6520 sec. 4 */

pl = p;

The first part of this code makes sure that the heartbeat request isn’t 0 KB, which can cause problems. The second part makes sure the request is actually as long as it says it is.

Is Heartbleed still a problem?

Given that Heartbleed was discovered and patched more than eight years ago, you may be surprised to learn that many servers are still harboring the Heartbleed vulnerability—in fact, there were over 200,000 online in November 2020, according a researcher at the SANS Internet Storm Center . While that number has probably come down a bit since then, there are almost certainly a number of vulnerable servers still waiting to be hacked. Seasoned security pros probably won’t be that surprised to learn this—it’s all too common for companies to neglect patching to avoid downtime on mission-critical systems without backups or simply out of neglect—but the sheer number of unpatched machines should be a wakeup call on the importance of rolling out a robust patch management program in your own shop.

Heartbleed vulnerability test: How to detect Heartbleed

You can easily test your servers to detect the Heartbleed vulnerability using free online tools. For instance, pentest-tools.com has a free web-based test that lets you input a URL to discover if a server has been properly patched for Heartbleed and a number of other vulnerabilities.

If you discover that a server under your control has been left vulnerable for some time, there’s more to do than just update the OpenSSL code. For instance, you should change the SSL certificates used by the servers, since they may have been compromised without leaving a trace. More pedestrian but still important: users who have accounts on the system should change their passwords.