Re: Heartbleed, clients and Android

[Hanno Böck <hanno () hboeck de>]

On Wed, 9 Apr 2014 11:54:58 +0200
Yves-Alexis Perez <corsac () debian org> wrote:

> On Wed, Apr 09, 2014 at 11:30:29AM +0200, Hanno Böck wrote:
> > I was asking myself some questions and I think others with more
> > insight into what heartbleed means may be able to answer quickly:
> > How does this affect client software? The PoCs we see send some
> > malicous payload to servers and get some memory dumps. That doesn't
> > affect clients?
>
> Yes, it does affect clients.

Can anyone explain how an attack scenario would work?
Is it like:
* we have a Man-in-the-Middle.
* Client/Server establish connection.
* MitM inserts a malicious package with the heartbeat-payload and sends
  it to the client, client parses package, verifying MAC fails, but it
  still will output memory

Or is it ONLY an issue if we contact a malicious server that may
extract random information from the application's memory? (which would
reduce the impact somewhat, e.g. operating system update systems or
wget etc. wouldn't have to worry)


> > Because the latter
> > would include Android. We are all pretty aware that android updates
> > are in large parts nonexistent.
>
> I don't have much clue about Android, but I think I heard heartbeat
> was disabled in Android, but I don't have a link right now. Also, I'm
> unsure what actually use libssl in Android and what uses NSS.

Seems Android disabled Heartbeat in 2012:
https://android.googlesource.com/platform/external/openssl.git/+/android-4.1.2_r1

Still leaves some android versions as potentially vulnerable.


-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno () hboeck de
GPG: BBB51E42

Attachment: signature.asc
Description: