The solution to known vulnerabilities in open source package — take the SSL vulnerability as an example
Publication Date: 2020 / 07 / 27
Original Source: https://www.onwardsecurity.com/laboratory/item/26
Remember that? In April 2014, the open-source OpenSSL Management Committee issued a serious information security vulnerability that shocked the world. A vulnerability called Heartbleed allows attackers to read server memory. In that year, it affected more than half of the world’s website operations. However, as time progresses, it is not difficult to find that this is not the only vulnerability caused by Secure Sockets Layer (SSL). What other potential threats from the SSL vulnerabilities can lead to risks? How to effectively detect and prevent threats early? This article will help you understand more about them.
Information security threats hidden in SSL
SSL is a network security protocol developed by Netscape. It uses public-key encryption to realize secure data communication on the Transmission Control Protocol/Internet Protocol (TCP/IP). SSL is widely used in various types of networks and applications to provide three basic secure communication services: message encryption, message integrity and two-way authentication.
The Heartbleed vulnerability that has severely damaged the global network encryption transmission security is caused by the OpenSSL encryption suite — Heartbleed extension. Due to a missing bounds check, attackers can read up to 64 KB of data beyond the requested location without using any privileged information or credentials. In other words, the user’s data (including e-mail, account password or financial transaction, etc.) may be stolen by hackers. The vulnerability was exposed in April 2014, but it has been operating continuously in OpenSSL for two years. That is to say, from 2012 to 2014, websites, systems or devices that used the OpenSSL open source packages for SSL implementation were exposed to serious security risks. Since the Heartbleed vulnerability has a large impact, it is considered the most serious information security vulnerability of the year .
Besides, in 1998, the Swiss cryptographer Daniel Bleichenbacher who worked at Bell Labs discovered another security breach in the encryption algorithm used by OpenSSL. Through a simple Brute-force Attack, the hacker can obtain the encryption key used between the server and the client, while using it to decrypt the confidential and sensitive data that the victim browses and transmits on the network. The attack method extended by exploiting this vulnerability is named Bleichenbacher attack. This vulnerability has been proposed many years ago, but until 2017, there are still many morphing attacks that have been derived and endanger the security of the Internet. Among them, DROWN (Decrypting RSA Using Obsolete and Weakened eNcryption) attack  and ROBOT (Return of Bleichenbacher’s Oracle Threat) attack  are the most well-known. According to expert estimates in 2016, about 33% of websites worldwide were affected .
Countermeasures against the security vulnerabilities of SSL
The Heartbleed vulnerability is caused by Heartbleed. The latter is an extension program launched by OpenSSL, which can keep the connection longer and avoid wasting too many resources to re-establish the connection. However, the Heartbleed vulnerability is hidden in this extension. Attackers can modify the Request packet to make the vulnerable web server respond with inappropriate memory content. The content can contain the user’s important and sensitive data such as personal information, private key, name, password, credit card information, etc. The solution is to update the version of the OpenSSL library used by the website. At the same time, the user must also assume that the certificate private key may have been stolen and leaked, so it is necessary to revoke the old private key and generate a new certificate.
As for the Bleichenbacher attack, if the website administrator chooses to use the RSA encryption algorithm as the key exchange encryption technology between the website and the user, the server operation process will have exploitable vulnerabilities. By using the simple Brute-force Attack and observing the response of the server, the attacker can guess the communication key to steal encrypted confidential and sensitive information. The key point of patching this vulnerability is to avoid using RSA encryption algorithm and Public Key Cryptography Standards (PKCS) padding technology.
In order to reduce the impact of information security threats, the OpenSSL Management Committee refers to these past cases and divides security vulnerabilities into four categories: serious, high, moderate and low depending on the severity. Vulnerabilities that leak user information or cause remote code execution are classified as “serious”, and those at this level will be dealt with first and quickly.
Never-ending vulnerabilities lead to high security risks
The online world is always a battlefield for hackers. As long as there are vulnerabilities, hackers have the opportunity to find weaknesses and create threats. Taking the issue of SSL vulnerabilities discussed in this article, even if all IT engineers in the world can find ways to deal with Heartbleed, DROWN and other vulnerabilities, by the end of 2019, there are still websites and systems that have not patched these vulnerabilities . Because of this, hackers are happy to attack these old vulnerabilities. For hackers, they are more willing to attack the vulnerabilities that have existed for a long time than to research new ones in order to achieve the purpose of quickly destroying or stealing data. In mid-April 2020, OpenSSL revealed a new severity level vulnerability numbered CVE-2020–1967 . This vulnerability is similar to Heartbleed, because it is also caused by coding errors. Based on it, attackers can perform Denial of Service (DoS) attacks to paralyze the entire system. After the vulnerability was revealed, the OpenSSL Management Committee simultaneously issued an update, and notified the websites and device manufacturers to take corresponding measures for protection and patch.
In addition to the vulnerabilities disclosed by OpenSSL, Open Web Application Security Project (OWASP) released its top 10 cybersecurity risks in 2017. According to its published list, the vulnerabilities of third-party components are considered to be one of the vulnerable objects and are easily attacked. The ninth item details the problems of “A9-Using Components with Known Vulnerabilities” are listed in detail .
Usually, the major reason for the inability to effectively control the attack is negligence in inspection (because new vulnerabilities continue to be discovered) or lack of countermeasures. Therefore, the best way to reduce cybersecurity risks is to efficiently identify information security threats and formulate countermeasures.
Find out the security vulnerabilities from the R&D and testing stages
For these recurring vulnerabilities, the source is the first place to effectively reduce information security risks. Onward Security provides HERCULES Product Security Compliance Automation Platform. Through its HERCULES SecFlow Product Security Management System, the R&D team can use Open Source Risk Management in the software design and development stage to confirm whether the system has major security vulnerabilities such as Heartbleed and Bleichenbacher, so as to protect and correct their products from the source. Meanwhile, they can use the HERCULES SecDevice Vulnerability Detection Automation Tool (which provides test environment configuration, security assessment and other automated functions for connected products) to carry out OpenSSL-related Common Vulnerabilities and Exposures (CVE) detection. More than 120 test items can detect known and unknown vulnerabilities, allowing the team to perform dual security checks during the design and testing phases. It is effective for reducing the risk of information security before the website system or product project goes online or goes on the market.
On the News