Nearly two months have passed since the public revelation of the Heartbleed bug affecting the widely used open source cryptographic library OpenSSL. The reaction of the security community, software and hardware vendors, website owners and providers of online services was almos immediate and, for the first time ever, even the wider public knew that something was very wrong.
But since then, the frenzy has died down a bit, and many now believe that the danger has passed. Not so, says Luis Grangeia, partner and security services manager at SysValue.
He proved that the same exploit that has been used to exploit Heartbleed can also be used to target any device running an unpatched version of OpenSSL, and he says the attack is successful against wireless and some wired networks. He dubbed the exploit “Cupid.”
“Cupid is the name I gave to two source patches that can be applied to the programs ‘hostapd’ and ‘wpa_supplicant’ on Linux. These patches modify the programs behavior to exploit the heartbleed flaw on TLS connections that happen on certain types of password protected wireless networks,” he explained in a blog post on Friday.
“This is basically the same attack as Heartbleed, based on a malicious heartbeat packet. Like the original attack which happens on regular TLS connections over TCP, both clients and servers can be exploited and memory can be read off processes on both ends of the connection. The difference in this scenario is that the TLS connection is being made over EAP, which is an authentication framework/mechanism used in Wireless networks. It’s also used in other situations, including wired networks that use 802.1x Network Authentication and peer to peer connections.”
“EAP is just a framework used on several authentication mechanisms. The ones that are interesting in this context are: EAP-PEAP, EAP-TLS and EAP-TTLS, which are the ones that use TLS,” he concluded.
The exploit can be successfully turned against Android devices running 4.1.0 or 4.1.1, Linux systems/devices that still have older OpenSSL libraries, and most corporate managed wireless solutions as they use EAP based authentication mechanisms. Most home routers cannot be targeted, as they use those particular authentication mechanisms.
He also pointed out that previous beliefs that Heartbleed can only be exploited over TCP connections and after a TLS handshake are false.
He published the exploit code and asked researchers to test it against more networks and devices.