Page History

...

CERT vulnerability 720951 describes a vulnerability in OpenSSL versions 1.0.1 through 1.0.1f, popularly known as "Heartbleed." . This vulnerability allows a malicious packet fed to a server using OpenSSL to trick that server into returning up to 64 kilobytes of its internal memory. This memory can contain sensitive information, including cryptographic keys, usernames, and passwords. The Following is the vulnerable code appears below:

...

:

int dtls1_process_heartbeat(SSL *s)

...

 {         
  unsigned char *p = &s->s3->rrec.data[0], *pl;

...

...

  unsigned short hbtype;
  unsigned int payload;
  unsigned int padding = 16; /* Use minimum padding */
 
  /* Read type and payload length first */
  hbtype = *p++;
  n2s(p, payload);
  pl = p;
 
  /* ... More code ... */
 
  if (hbtype == TLS1_HB_REQUEST)

...

 {
    unsigned char *buffer, *bp;

...

...

    int r;
 
    /* 
     * Allocate memory for the response; size is 1 byte
     * message type, plus 2 bytes payload length, plus
     * payload, plus padding.
     */
    buffer = OPENSSL_malloc(1 + 2 + payload + padding);

...

...

    bp = buffer;
 
    /* Enter response type, length, and copy payload */
    *bp++ = TLS1_HB_RESPONSE;

...

    s2n(payload, bp);

...

    memcpy(bp, pl, payload);

...

...

 
    /* ... More code ... */

...

...

  }
  /* ... More code ... */

...

}

...

...

The p pointer, along with payload and p1 contain , contain data from a packet. The code allocates a buffer sufficient to contain payload bytes, with some overhead, and then copies payload bytes starting at p1 into this buffer , and sends it to the client. Notably absent are any checks that payload actually indicates the correct size of the memory. Because an attacker can specify an arbitrary value for payload, he or she can cause this routine to read and return memory beyond the block allocated to p, which violates INT04-C. Enforce limits on integer values originating from tainted sources. In this case, the call to memcpy() would create a pointer that does not lie within the bounds of the character array.

...

int

 dtls1_process_heartbeat(SSL *s)

 {         
  unsigned char *p = &s->s3->rrec.data[0], *pl;

  unsigned short hbtype;
  unsigned int payload;
  unsigned int padding = 16; /* Use minimum padding */
 
  /* ... More code ... */
 
  /* Read type and payload length first */
  if (1 + 2 + 16 > s->s3->rrec.length)

    return 0;

 /*

 Silently discard */

  hbtype = *p++;

  n2s(p, payload);

  if (1 + 2 + payload + 16 > s->s3->rrec.length)

    return 0;

 /*

 Silently discard per RFC 6520 */

  pl = p;

 
  /* ... More code ... */

 
  if (hbtype == TLS1_HB_REQUEST)

 {
    unsigned char *buffer, *bp;

    int r;
 
    /* 
     * Allocate memory for the response; size is 1 byte
     * message type, plus 2 bytes payload length, plus
     * payload, plus padding.
     */
    buffer = OPENSSL_malloc(1 + 2 + payload + padding);

    bp = buffer;
    /* Enter response type, length, and copy payload */
    *bp++ = TLS1_HB_RESPONSE;

    s2n(payload, bp);

    memcpy(bp, pl, payload);

    /* ... More code ... */

  }
  /* ... More code ... */

}

Depending on the library function called, an attacker may be able to use a heap or stack overflow vulnerability to run arbitrary code.

Automated Detection

...

...