In a recent open source hackathon, we found three Linux kernel vulnerabilities: CVE-2017-7645, CVE-2017-7895, and CVE-2017-8797. Here’s how we found them.
Earlier this month WikiLeaks announced it had in its possession a cache of zero days allegedly from the Central Intelligence Agency. These unpatched vulnerabilities, it said, could affect Apple and Android devices (including TVs). It is suspected that exploitation of these vulnerabilities could allow the spy agency – or anyone else who knows about them — to surveil targets by activating microphones and receivers as well as eavesdropping on communications.
The new Cloudbleed vulnerability, like Heartbleed, was discovered through routine fuzz testing and may affect 5.5 million websites and millions of users.
When it comes to software vulnerabilities, Dr. Jared DeMott knows his stuff. Formerly a vulnerability analyst with the National Security Agency (NSA), Dr. DeMott holds a Ph.D. from Michigan State University. He has been on three winning DEF CON capture-the-flag (CTF) teams and talks about his vulnerability research at conferences like DerbyCon, Black Hat, ToorCon, GrrCON, and HITB. He is currently the co-founder of VDA Labs.
Ticketbleed is a software vulnerability in a feature of the TLS/SSL stack that allows a remote attacker to extract sensitive information.
Two years after its disclosure, the vulnerability in OpenSSL known as Heartbleed remains significant. There are valuable lessons still to be learned both about how the vulnerability was initially discovered and how the security community has responded over time.
During past few months, Synopsys R&D has been busy with improving the Defensics instrumentation capabilities. Focus has been given to providing more powerful tools for controlling and monitoring the status of the system under test (SUT). Fuzzing is an effective testing technique but it is sometimes hard to detect an exact testcase or sequence which caused the failure in SUT. For setting up better diagnostic for SUT and enabling improved information flow from test target to Defensics test solution, we have developed the Defensics Agent Instrumentation Framework.
Posted in Fuzz Testing
By now, you’ve surely heard about the Heartbleed vulnerability (CVE-2014-0160) in OpenSSL 1.0.1 through 1.0.1f (inclusive). The vulnerability has been present in OpenSSL since December 2011. Many websites have discussed the details of the bug, and I will not go into the deep technical details here. I will describe the bug at a high level, and then discuss the impact of the bug and what you should do about it. In the remainder of this post, I’ll refer to “vulnerable versions of OpenSSL” as simply OpenSSL. Overview of the Heartbleed vulnerability Although the bug that causes the Heartbleed vulnerability is in the OpenSSL library, it has nothing to do with the SSL/TLS protocols themselves. It involves code that handles the heartbeat extension (RFC 6520) for TLS/DTLS. The heartbeat messages can be sent even before a TLS handshake is completed. RFC 6520 states: However, a HeartbeatRequest message SHOULD NOT be sent during handshakes… The receiving peer SHOULD discard the message silently, if it arrives during the handshake. Due to the use of ‘SHOULD,’ these are recommendations and not requirements. OpenSSL apparently responds to heartbeat requests even before the handshake is completed. So, even servers that require client certificates for authentication are vulnerable.