
Overview of OpenSSL security bug (CVE-2014-0160) on critical Colombian domain names

April 10, 2014

* Update on methodology and results: Statistical sample
* Update on methodology and results: Retest

The TLS heartbeat read overrun (CVE-2014-0160), also known as the Heartbleed Bug, is the hot topic right now in the information security field. This publication is not about the technical details of the bug but about statistics on critical affected Colombian domains; I will give an overview of the vulnerability and then present the results of my research.

If you would like to know more about it, please take a look at the following resources: The Heartbleed Bug, Sean Cassidy's technical analysis, Robert Erbes' technical analysis.

Vulnerability summary

The Heartbleed Bug allows an attacker to read sensitive information held in the memory of any process that relies on an affected OpenSSL implementation (OpenSSL from version 1.0.1 to 1.0.1f).

Sensitive information such as user credentials, session IDs, data sent to the server and received by the client, private keys, and anything else you can imagine being in that memory could be exposed by exploiting this vulnerability.

Affected users are recommended to fix the issue as soon as possible by updating to the latest version of OpenSSL (1.0.1g).
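For inventory triage, the version range given above can be checked against version banners collected from your own hosts. The following is an added example, not code from the original post; the function names, status labels and sample inventory are assumptions made for illustration.

```python
import re

# Range as stated on this page: affected from 1.0.1 to 1.0.1f, fixed in 1.0.1g.
# Versions are compared as (major, minor, fix, letter) with a=1, b=2, ...
FIRST_AFFECTED = (1, 0, 1, 0)   # 1.0.1 (no letter)
LAST_AFFECTED = (1, 0, 1, 6)    # 1.0.1f

_VERSION_RE = re.compile(
    r"OpenSSL[ /](\d+)\.(\d+)\.(\d+)([a-z]?)(?![a-z0-9])(-(?:beta|dev|pre)\w*)?",
    re.IGNORECASE,
)

def parse_openssl_version(banner):
    """Return (major, minor, fix, letter_index), or None if it cannot be ranked."""
    m = _VERSION_RE.search(banner)
    if m is None or m.group(5):      # no OpenSSL token, or a pre-release tag
        return None
    letter = m.group(4).lower()
    patch = ord(letter) - ord("a") + 1 if letter else 0
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), patch)

def heartbleed_status(banner):
    """Classify one banner against the range stated on this page."""
    version = parse_openssl_version(banner)
    if version is None:
        return "UNKNOWN"
    if FIRST_AFFECTED <= version <= LAST_AFFECTED:
        return "AFFECTED-RANGE"
    return "OUTSIDE-RANGE"

def triage(inventory):
    """Group hosts by status so AFFECTED-RANGE and UNKNOWN can be followed up."""
    groups = {"AFFECTED-RANGE": [], "OUTSIDE-RANGE": [], "UNKNOWN": []}
    for host, banner in inventory:
        groups[heartbleed_status(banner)].append(host)
    return groups

# Constructed sample inventory (hostnames and banners are made up for illustration).
SAMPLE_INVENTORY = [
    ("web1.example.test", "OpenSSL 1.0.1e 11 Feb 2013"),
    ("web2.example.test", "Apache/2.2.22 (Ubuntu) mod_ssl/2.2.22 OpenSSL/1.0.1"),
    ("mail.example.test", "OpenSSL 1.0.1g 7 Apr 2014"),
    ("old.example.test", "OpenSSL 0.9.8y 5 Feb 2013"),
    ("dev.example.test", "OpenSSL 1.0.2-beta1 24 Feb 2014"),
    ("proxy.example.test", "nginx/1.4.7"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(status, hosts)
```

Distribution packages often backport the fix without changing the upstream version string, so an AFFECTED-RANGE result means "verify the installed package build", not proof of exposure.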

Methodology and results

Restricted Colombian domain names

Using domain name searching methods, I was able to get a long-enough list of third-level domains (the list does not include subdomains) which are classified by NIC.CO as restricted user domains; that is, the person who registers the domain has to meet certain legal requirements to be able to get a restricted domain name (gov.co, edu.co, mil.co, and org.co).

These domains are used by Colombian government agencies or institutions, Colombian educational sector institutions recognized by the Ministry of National Education, agencies or institutions of the Colombian Armed Forces, and companies or nonprofit institutions resident in Colombia.

Update note about the statistical sample

Through this methodology, a sample of 2612 domain names was found, which is a 99% representative sample for a hypothetical case of 10000 (*) valid and functional domain names.
* Approximate data provided by NIC.CO
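One way to quantify the sample described above is to read the 99% figure as a confidence level and compute the margin of error with a finite population correction. This is an added example, not part of the original post; it assumes simple random sampling (which domain name searching does not guarantee), and the function names are illustrative.

```python
from math import ceil, sqrt
from statistics import NormalDist

def z_value(confidence):
    """Two-sided critical value of the standard normal distribution."""
    return NormalDist().inv_cdf(0.5 + confidence / 2)

def margin_of_error(n, population, confidence=0.99, p=0.5):
    """Margin of error for a proportion, with finite population correction."""
    fpc = sqrt((population - n) / (population - 1))
    return z_value(confidence) * sqrt(p * (1 - p) / n) * fpc

def required_sample(population, margin, confidence=0.99, p=0.5):
    """Smallest sample size that reaches the requested margin of error."""
    z = z_value(confidence)
    n0 = z * z * p * (1 - p) / margin ** 2          # infinite-population size
    return ceil(n0 / (1 + (n0 - 1) / population))   # corrected for finite N

def proportion_interval(hits, n, population, confidence=0.99):
    """Normal-approximation confidence interval for an observed share."""
    p = hits / n
    e = margin_of_error(n, population, confidence, p)
    return p - e, p + e

# Figures from this page: 2612 sampled names, about 10000 in the population,
# 252 of the sampled names found vulnerable.
SAMPLE, POPULATION, VULNERABLE = 2612, 10000, 252

if __name__ == "__main__":
    moe = margin_of_error(SAMPLE, POPULATION)
    low, high = proportion_interval(VULNERABLE, SAMPLE, POPULATION)
    print("worst-case margin of error at 99%%: %.2f%%" % (100 * moe))
    print("vulnerable share of all names: %.1f%% to %.1f%%" % (100 * low, 100 * high))
    print("names needed for a 3%% margin: %d" % required_sample(POPULATION, 0.03))
```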

Evaluation date

Start time: 08/04/2014 - 22:48
Finish time: 08/04/2014 - 23:30

Identifying vulnerable domains

A modified version of Jared Stafford's Python script was used to identify the affected domains in a non-intrusive way (no data was stored or viewed during the test; the script only shows the status of the server).

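    # domain_exists(), check_connectivity() and check_heartbleed() are helper
    # functions defined elsewhere in the modified script.
    for domain in domains:
        result = ''
        # Resolve the name first; False means it has no DNS record.
        ip = domain_exists(domain)
        if ip is not False:
            # Only probe hosts that accept a connection on the secure channel.
            if check_connectivity(domain):
                try:
                    if check_heartbleed(domain):
                        result = 'VULNERABLE'
                    else:
                        result = 'NOT-VULNERABLE'
                except Exception:
                    # A failed handshake is counted as "no secure channel".
                    result = 'SECURE-CHANNEL-UNSUPPORTED'
            else:
                result = 'SECURE-CHANNEL-UNSUPPORTED'
        else:
            result = 'NON-EXISTENT'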

Results

2612 restricted domain names were tested against the vulnerability (perhaps this is not the total number of valid domain names). There are 1592 domains that are not vulnerable and 252 that are (a total of 1844 domains with HTTPS support distributed across 985 different IPs, and 768 not applicable):



This is the detail of the results classified by each third-level domain:

* gov.co, 602 not vulnerable (51.99%), 70 vulnerable (6.04%), 486 not applicable (41.97%).
* edu.co, 639 not vulnerable (68.34%), 104 vulnerable (11.12%), 192 not applicable (20.53%).
* mil.co, 17 not vulnerable (25.76%), 42 vulnerable (63.64%), 7 not applicable (10.61%).
* org.co, 334 not vulnerable (73.73%), 36 vulnerable (7.95%), 83 not applicable (18.32%).



Finally, we got the distribution of the vulnerable Colombian third-level domains:



Retest

One month later, 252 domains were tested against the vulnerability again. The results are shown below:

* 228 (90.48%) domains do not have the bug anymore.
* 5 (1.98%) domains turned off their HTTPS support.
* 6 (2.38%) domains do not have an A record associated in the DNS.
* 18 (7.14%) domains on 16 IPs are still vulnerable.

Comparison of vulnerable domains one month later:


Final overview of the OpenSSL security bug on Colombian third-level domain names:


Incident handling

* 08/04/2014 - Start of the security test.
* 09/04/2014 - colCERT was contacted to coordinate the incident handling and communicate the issue to the affected domains.
* 10/04/2014 - First contact with colCERT (a list of 252 affected domain names was provided); they are now taking all necessary steps to solve the issue on the affected domains.
* 11/04/2014 - First contact with NIC.CO; they are working together with colCERT to solve the issue on all the affected domains.
* 08/05/2014 - Start of the security retest.
* 10/05/2014 - Final update.


1 comment

  1. ofprieto April 15, 2014 @ 8:04 am

    Thanks, a good and necessary report.
