The Other Side of Heartbleed - Client Vulnerabilities

Published: 2014-04-11
Last Updated: 2014-04-11 12:16:23 UTC
by Rob VandenBrink (Version: 1)
3 comment(s)

We're getting reports of client applications that are vulnerable to the heartbleed issue.  Just as with server applications, these client applications are dependent on vulnerable versions of OpenSSL.

Another "patch soon" problem, you say?  The patch will be installed when the vendor ...  oh, wait a minute.  Just exactly when will your TV's manufacturer update the web browser on your TV?  And when will you be applying that patch?  How about your in-laws' TV?  This vulnerability on the client side has the potential to be much longer-lived than on servers.

This combines the problem of the specific heartbleed vulnerability with the problem of embedded devices that may never be updated, or devices that are updated by vendors for a year or two after release and then abandoned when the new model comes out.  Home routers and TV sets are great examples of this situation, but so are medical devices.

To add to that list, there is a large contingent of Android phones whose updates are maintained by the carrier instead of the manufacturer (Google), and these do not see frequent updates, or may never see an update.  These devices are used daily for almost everything - online banking comes immediately to mind.  The combination of a general purpose device and a vulnerability that exposes memory to an attacker (in this case, a malicious or infected server) has the potential for some widespread mayhem, for as long as that device remains in service (years instead of weeks or months).

Other applications that encrypt but that we don't often think of as "clients" also need to be assessed: traditional database software, cloud service clients, dedicated or custom browsers for online services such as entertainment, even device drivers for hardware.  It's also easy to say "client application XX is vulnerable", but that client application might exist on your PC, on multiple tablet or phone platforms, on TVs, DVRs, exercise equipment, fridges, thermostats - the list grows to include things that are smaller and smaller, and less and less likely to be updated.

Client applications that are currently reported as vulnerable are:

  •     MariaDB 5.5.36
  •     wget 1.15 (leaks memory of earlier connections and own state)
  •     curl 7.36.0
  •     git 1.9.1 (tested clone / push, leaks not much)
  •     nginx 1.4.7 (in proxy mode, leaks memory of previous requests)
  •     links 2.8 (leaks contents of previous visits!)
  •     OwnCloud

(from http://security.stackexchange.com/questions/55119/does-the-heartbleed-vulnerability-affect-clients-as-severely )
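The list above is only useful if you can compare it against what is actually installed. The script below is an added example (not code from this diary or from any of the projects named) that classifies the `--version` banner of each client: the OpenSSL version the banner names decides when it is present (CVE-2014-0160 affects OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1, fixed in 1.0.1g and 1.0.2-beta2), and otherwise the reported-vulnerable versions from the list above are used as a fallback. The banners are constructed sample strings in the format these tools print, not captured output.

```python
import re

# Client versions reported vulnerable in the list above (nginx for its proxy/client role).
REPORTED_VULNERABLE = {
    "mariadb": "5.5.36",
    "wget": "1.15",
    "curl": "7.36.0",
    "git": "1.9.1",
    "nginx": "1.4.7",
    "links": "2.8",
}

# CVE-2014-0160 affects OpenSSL 1.0.1 through 1.0.1f (fixed in 1.0.1g) and
# 1.0.2-beta1 (fixed in 1.0.2-beta2); 0.9.8 and 1.0.0 never had the heartbeat code.
_OPENSSL_RE = re.compile(r"OpenSSL[/ ](\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")
# Tool name followed, after any non-digit filler, by a dotted version number.
_TOOL_RE = re.compile(r"(curl|wget|git|links|nginx|mariadb)\D*?(\d+(?:\.\d+)+)", re.I)

NEEDS_ACTION = {"vulnerable", "reported vulnerable version, OpenSSL not shown"}


def openssl_is_vulnerable(text):
    """True/False for the OpenSSL version named in text, None if none is named."""
    m = _OPENSSL_RE.search(text)
    if m is None:
        return None
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    letter, beta = m.group(4), m.group(5)
    if (major, minor, patch) == (1, 0, 1):
        return letter <= "f"  # "" (plain 1.0.1) and a..f are vulnerable, g and later fixed
    if (major, minor, patch) == (1, 0, 2):
        return beta == "1"
    return False


def assess(banner):
    """Classify one --version banner.  A linked OpenSSL version in the banner is
    authoritative; without it, fall back to the reported-vulnerable version list."""
    m = _TOOL_RE.search(banner)
    tool, version = (m.group(1).lower(), m.group(2)) if m else (None, None)
    ssl = openssl_is_vulnerable(banner)
    reported = tool is not None and REPORTED_VULNERABLE.get(tool) == version
    if ssl is True:
        status = "vulnerable"
    elif ssl is False:
        status = "fixed OpenSSL linked"
    elif reported:
        status = "reported vulnerable version, OpenSSL not shown"
    else:
        status = "no match"
    return {"tool": tool, "version": version, "openssl_vulnerable": ssl,
            "reported_version": reported, "status": status}


def flagged(banners):
    """Names (in input order) of the entries that need patching or follow-up."""
    return [name for name, banner in banners.items()
            if assess(banner)["status"] in NEEDS_ACTION]


# Constructed sample banners in the shape these tools print; not captured output.
SAMPLE_BANNERS = {
    "curl": "curl 7.36.0 (x86_64-pc-linux-gnu) libcurl/7.36.0 OpenSSL/1.0.1e zlib/1.2.8",
    "curl-patched": "curl 7.36.0 (x86_64-pc-linux-gnu) libcurl/7.36.0 OpenSSL/1.0.1g zlib/1.2.8",
    "wget": "GNU Wget 1.15 built on linux-gnu.\n+ssl/openssl",
    "git": "git version 1.9.1",
    "links": "Links 2.8",
    "git-new": "git version 2.0.0",
}

if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        r = assess(banner)
        print(f"{name:13} {r['tool']} {r['version']}: {r['status']}")
    print("needs action:", flagged(SAMPLE_BANNERS))
```

The `curl-patched` entry shows why the OpenSSL version takes precedence over the list: the same curl 7.36.0 build linked against 1.0.1g is not affected. The reverse caveat matters more in practice: distributions backport the fix without bumping the version string, so a "vulnerable" verdict from a banner is a prompt to check the package changelog, not a final answer, and the embedded devices the diary is concerned about will give you no banner at all.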

If you've got confirmation of other vulnerable client applications, please post the relevant information (with links) in our comment section. 

===============
Rob VandenBrink
Metafore

Keywords: client heartbleed

Comments

AnyConnect for Apple iOS is vulnerable to CVE-2014-0160 - Heartbleed
Cisco Advisory CSCuo17488 - https://tools.cisco.com/bugsearch/bug/CSCuo17488

All versions as of 11 April 2014 are vulnerable - no fix available as of this date.

AnyConnect for Android and AnyConnect for Desktop OS's are all confirmed NOT vulnerable.
Juniper Odyssey 802.1x Client 5.6r5 and later
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA106234
Junos Pulse VPN client, various versions:

1. Junos Pulse (Desktop) version 5.0R1 to 5.0R3
2. Junos Pulse (Desktop) 4.0R5 to 4.0R9.1
3. Network Connect (windows only) version 7.4R5 to 7.4R9.1 and 8.0R1 to 8.0R3.1. This client component is impacted only if used in FIPS mode. Non-FIPS version of Network Connect clients are not impacted.
4. Junos Pulse (Mobile) for Android version 4.2R1 to 5.0R3
5. Junos Pulse (Mobile) for iOS version 4.2R1 to 5.0R2 and higher. This client component is impacted only if used in FIPS mode.

http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10623
http://kb.juniper.net/InfoCenter/index?page=content&id=KB29004&actp=RSS

Patches are available for all versions.
