When heart bleeds and shells shock!!

In the past couple of months, several security bugs have shaken the cyber world to its very core. Some of them are said to have been present, and exploited by attackers, for many months or even years. While some need expert knowledge to exploit, one of them can be tried out on your own laptop. It does not always take a smart attacker to breach a security system; sometimes an improper implementation or design makes things really easy for an attacker. Knowing about these bugs can teach a lot to present-day and upcoming developers and security professionals. Here is a summary of three such security bugs, which leaked our information to attackers around the world for years and were identified only recently.

1. The Heartbleed bug allows anyone on the Internet to read the memory of systems protected by vulnerable versions of the OpenSSL software. Why is it called Heartbleed? Because the bug is in OpenSSL's implementation of the heartbeat extension (RFC 6520) of the Transport Layer Security (TLS) protocol. The attacker can grab memory from a server without leaving any traces. This gives the attacker a copy of information held in memory, including keys, usernames, passwords, etc. It allows attackers to eavesdrop on communications, steal data directly from services and users, and impersonate services and users. The bug was introduced into OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. The vulnerability is classified as a buffer over-read.

2. ShellShock is a vulnerability in the widely used bash command shell. Since bash is used in many systems and in many different forms, it can be exploited in various ways. The bug causes bash to execute commands when they are concatenated to the end of function definitions in the values of environment variables. A remote attacker uses this bug to execute arbitrary code and commands without having the proper privileges. To test whether a system is vulnerable, you can open a shell/terminal and run this command:
env X="() { :;} ; echo you might be vulnerable" /bin/bash -c "echo hello"
If "you might be vulnerable" is printed, your system has an exploitable version of Bash installed. Exploitable versions of Bash are also found in Mac OS X, Android and Cygwin on Windows. Attackers exploited Shellshock using botnets to carry out distributed denial of service attacks. Shellshock also has the potential to be turned into a worm, a self-replicating piece of code that automatically propagates to all Shellshock-vulnerable systems, potentially causing untold damage. Shellshock was compared to Heartbleed in its severity.

3. POODLE, the Padding Oracle On Downgraded Legacy Encryption attack, is the name given to an exploit that takes advantage of the way some browsers deal with encryption. Most browsers use the TLS protocol for secure communication, but for interoperability they fall back to SSL 3.0 when a TLS connection is not available. An attacker takes advantage of this by using a man-in-the-middle attack to force the use of SSL 3.0. POODLE targets browsers that use the SSL 3.0 protocol for encryption and authentication. The attacker exploits a design flaw in SSL 3.0 that allows the padding data at the end of a block cipher to be changed so that the encryption cipher becomes less secure each time it is passed.

POODLE is an example of a vulnerability that succeeds thanks to a mechanism designed for reducing security for the sake of interoperability. Such flaws call for extra care when designing systems in domains with high levels of fragmentation. In such domains graceful security degradation may become common.

Google researchers Bodo Möller, Thai Duong and Krzysztof Kotowicz discovered (and named) the POODLE vulnerability and warned the IT community that the only way to prevent POODLE attacks is to stop using SSL 3.0.

Out of the above three, Heartbleed was rated the most serious vulnerability; it affected systems for nearly 2 years. It resulted from improper input validation (a missing bound check) in the implementation of the TLS heartbeat extension. This shows that it was an implementation issue and not a design issue. POODLE, as already mentioned, resulted from reducing security for the sake of interoperability. Since this was done intentionally, it can be placed in the category of design flaws. To avoid such incidents in future, we should think like both an implementer and an attacker while designing and implementing protocols and software.
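
The missing bound check described above, shown as an added example (this is not OpenSSL's code and not code from the original article). The function names hb_overread and hb_respond and the sample records are hypothetical; the message layout and the silent-discard rule follow RFC 6520.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 6520 heartbeat: type(1) | payload_length(2, big-endian) | payload | padding(>=16) */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_HEADER = 3, HB_MIN_PAD = 16 };

/* Bytes a handler that trusts payload_length would read past the received record. */
size_t hb_overread(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < HB_HEADER) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    return HB_HEADER + claimed > rec_len ? HB_HEADER + claimed - rec_len : 0;
}

/* Hardened handler (hypothetical): writes the response to out and returns
 * its length, or -1 when the request must be silently discarded. */
long hb_respond(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER + HB_MIN_PAD || rec[0] != HB_REQUEST)
        return -1;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    /* The bound check: claimed payload plus minimum padding
     * must fit inside the bytes that actually arrived. */
    if (HB_HEADER + claimed + HB_MIN_PAD > rec_len)
        return -1;
    size_t resp_len = HB_HEADER + claimed + HB_MIN_PAD;
    if (resp_len > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed);  /* echo only the real payload */
    memset(out + HB_HEADER + claimed, 0, HB_MIN_PAD);   /* padding; random in a real stack */
    return (long)resp_len;
}

int main(void)
{
    /* Constructed samples: an honest 4-byte request, and one claiming 16384 bytes. */
    uint8_t ok[23]  = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
    uint8_t bad[20] = { HB_REQUEST, 0x40, 0x00, 'x' };
    uint8_t out[64];
    printf("ok:  overread=%zu respond=%ld\n", hb_overread(ok, sizeof ok), hb_respond(ok, sizeof ok, out, sizeof out));
    printf("bad: overread=%zu respond=%ld\n", hb_overread(bad, sizeof bad), hb_respond(bad, sizeof bad, out, sizeof out));
    return 0;
}
```

For the second record, hb_overread reports how much adjacent memory an unchecked handler would have copied into its reply, while the checked handler drops the request.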

The only way to stay protected against these, and against the many vulnerabilities not yet identified, is to keep your systems updated and to keep yourself updated about new vulnerabilities.

Anurag Shandilya
M.Tech (CLIS)
IIIT Allahabad