3

Given the recent exposure of the information leak that stemmed from a buffer overrun in the HTML parser of CF's edge servers, how is it fundamentally different from Heartbleed?

CloudFlare have detailed the bug here: https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/

But can someone give it in layman's terms?

kmonsoor
  • No, they're not. That asks about the impact (outcome), while I'm interested in the working mechanism (process) ... – kmonsoor Feb 24 '17 at 22:46
  • Agreed. I don't think the impact question currently has an answer giving the kind of detail that is given here on the topic of differences. – Jeff Ferland Feb 24 '17 at 23:11

1 Answer

5

Both Heartbleed and Cloudbleed were webserver bugs that returned sensitive data from buffers that they shouldn't have. That's the similarity (and why they're both called "bleed".)

One major difference is that Heartbleed was a fault in OpenSSL, which is a library in use by millions of web servers. Fixing Heartbleed required each web server to be patched. Cloudbleed is a flaw in a proprietary web server, and only impacts Cloudflare-hosted sites. Cloudflare owns all the servers impacted, and has patched them all.

Another difference is that Cloudbleed was fixed and patched quickly upon discovery, preventing attackers from studying the flaw in depth and figuring out possible ways to use the leaked data to further exploit the servers. Heartbleed was studied in detail over the long time it took to patch all the servers, and it was discovered that memory containing information regarding the private key could be stolen.

Yet another difference is that the data leaked by Cloudbleed was in the ordinary data stream returned by the web server, and the leaked data could linger in whatever search engines might have cached it. The data leaked by Heartbleed was only in response to a heartbeat request message, which is not normally requested or cached by search engines. (Thanks to @gowenfawr and @Krazor for pointing this out.)

John Deters
  • The other difference of note is that the damage done by Cloudbleed will linger in whatever search engines might have indexed and cached it, whereas Heartbleed was more ephemeral. – gowenfawr Feb 24 '17 at 20:29
  • *'Preventing attackers from figuring out possible ways to exploit the leaked data.'* You might want to make it more clear that, once data is leaked by Cloudbleed, it is gone and can be exploited for good. This answer makes it sound like now that the vulnerability is patched, all leaked data is worthless, which it surely isn't. In fact taviso himself wrote about several types of data he's discovered. [1] Any attacker who managed to exploit this flaw might as well figure out passwords etc. [1] https://bugs.chromium.org/p/project-zero/issues/detail?id=1139 – FMaz Feb 24 '17 at 20:49
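The mechanism the answer above describes as the common thread ("returned sensitive data from buffers that they shouldn't have") can be shown with a small constructed model. The following C program is an added example and is not code from the question, the answer, OpenSSL or Cloudflare: it places a short request in a fixed slot of a single array that also holds an unrelated, made-up token, and compares an echo routine that trusts the sender's length field (the Heartbleed-style defect) with one that bounds the copy by the bytes that actually arrived. The slot sizes, the token string and the function names are all assumptions made for the demonstration; keeping everything inside one array is what lets the over-read be observed without undefined behaviour.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of a server's memory (not a real server layout):
 * the incoming message is copied into a fixed request slot, and unrelated
 * data (a fake session token) happens to sit immediately after it.
 * Everything lives in one array so the over-read stays inside defined
 * memory and can be observed safely.
 */
enum { REQ_SLOT = 16, SECRET_SLOT = 32, ARENA = REQ_SLOT + SECRET_SLOT };
static unsigned char arena[ARENA];
static const char SECRET[] = "session=EXAMPLE-TOKEN-NOT-REAL"; /* constructed value */

/* Reset the arena: message in the request slot, secret right after it.
   Returns the number of bytes that actually arrived. */
static size_t load_request(const char *msg) {
    size_t n = strlen(msg);
    if (n > REQ_SLOT) n = REQ_SLOT;
    memset(arena, 0, ARENA);
    memcpy(arena, msg, n);
    memcpy(arena + REQ_SLOT, SECRET, sizeof SECRET - 1);
    return n;
}

/* Vulnerable echo: copies as many bytes as the sender *claims* were sent,
   never comparing that claim with what was actually received. */
size_t echo_unchecked(size_t claimed_len, unsigned char *out) {
    if (claimed_len > ARENA) claimed_len = ARENA; /* keep the demo inside the arena */
    memcpy(out, arena, claimed_len);
    return claimed_len;
}

/* Hardened echo: a claim larger than the received length is rejected
   and nothing is echoed back. */
size_t echo_checked(size_t claimed_len, size_t actual_len, unsigned char *out) {
    if (claimed_len > actual_len) return 0;
    memcpy(out, arena, claimed_len);
    return claimed_len;
}

/* 1 if the fake token appears anywhere in the reply, 0 otherwise. */
static int reply_contains_secret(const unsigned char *reply, size_t len) {
    size_t slen = sizeof SECRET - 1;
    if (len < slen) return 0;
    for (size_t i = 0; i + slen <= len; i++)
        if (memcmp(reply + i, SECRET, slen) == 0) return 1;
    return 0;
}

/* Send a 5-byte "hello" but claim 48 bytes: the unchecked echo hands back
   the neighbouring token, the checked one hands back nothing. */
int unchecked_leaks(void) {
    unsigned char reply[ARENA];
    load_request("hello");
    size_t n = echo_unchecked(48, reply);
    return reply_contains_secret(reply, n);
}

int checked_leaks(void) {
    unsigned char reply[ARENA];
    size_t got = load_request("hello");
    size_t n = echo_checked(48, got, reply);
    return reply_contains_secret(reply, n);
}

/* An honest claim still works through the hardened path. */
size_t checked_echoes_valid(void) {
    unsigned char reply[ARENA];
    size_t got = load_request("hello");
    return echo_checked(got, got, reply);
}

int main(void) {
    printf("unchecked echo leaks token: %d\n", unchecked_leaks());
    printf("checked echo leaks token:   %d\n", checked_leaks());
    printf("checked echo of valid claim: %zu bytes\n", checked_echoes_valid());
    return 0;
}
```

The single line that matters is the comparison between the claimed and the received length; that is the class of check whose absence both bugs share, and the reason the answer above groups them under "bleed" even though the surrounding code, the attacker-visible surface and the patching story differ.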