Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

What is Heartbleed? A coding error that caused a security crisis

Josh Fruhlinger | Sept. 14, 2017
The mistake that caused the Heartbleed vulnerability can be traced to a single line of code in OpenSSL, an open source code library. Here's how Heartbleed works, how it was exploited, and how to fix it if you have an unpatched server.

This is the crucial part of the operation. Even when a computer is done with information, it persists in memory buffers until something else comes along to overwrite it. If you're the attacker, you have no way to know in advance what might be lurking in that 20 KB you just grabbed off the server, but there are a number of possibilities. It could be gibberish or useless cruft. You could get SSL private keys, which would allow for the decryption of secure communication to that server (this is unlikely, but would be the holy grail for an attacker). More commonly, you could get back usernames and passwords that had been submitted to applications and services running on the server, which would allow you to log in and gain access.

Randall Munroe's web comic xkcd is known for making difficult scientific concepts accessible, especially in computer science, Munroe's specialty. This comic from 2014 does a great job of summarizing how the Heartbleed vulnerability works in a concise way.


Heartbleed bug code

The coding mistake that caused Heartbleed can be traced to a single line of code:

memcpy(bp, pl, payload);

memcpy() is the command that copies data. bp is the place it's copying it to, pl is where it's being copied from, and payload is the length of the data being copied. The problem is that there's never any attempt to check if the amount of data in pl is equal to the value given of payload.

The most ironic thing here is that OpenSSL is open source software. Anyone could look at the code, and presumably hundreds did, but nobody noticed the fairly elementary coding error.


Heartbleed exploits

It's not clear if any real-world exploitation of the Heartbeat vulnerability took place before it was widely publicized. It's possible that some attempted attacks detected by security companies as early as 2013 were probing for the vulnerability — and some think the attackers were government security agencies.

After April of 2014, when the vulnerability was made public, companies scrambled to update their systems, but hackers were able to exploit it in several cases. An attack on Community Health Systems that stole patient data was blamed on Heartbleed, as was the theft of hundreds of social ID numbers from the Canadian Revenue Agency.


How to fix the heartbleed vulnerability

Patches were rolled out for OpenSSL right away when the vulnerability was announced, and in all likelihood most formerly vulnerable servers have been updated by this point, but it can't hurt to test if you're not sure — it's always possible that some server that's important to you has been chugging along for years without a proper upgrade. has a free web-based test that lets you input a URL to discover if a server has been properly patched.


Previous Page  1  2  3  Next Page 

Sign up for Computerworld eNewsletters.