
Say my home router uses an OpenSSL version that is vulnerable to Heartbleed and I have the admin page enabled and accessible from the outside (even though I never use it).

What can a hacker do?

Could he for example read any traffic on my router or could he maybe get access to the admin page?

As I understand now, it can only read memory from the same process, so as long as I don't log in myself, there is not much interesting data there. However, from this answer I understand that there seems to be something with mmap that might make it possible to read memory from a different process.

Quoting the quote from that answer:

However, if mmap is used, all bets are off. Any memory not in use could be allocated for mmap. This is what the most of the attacks against Heartbleed will target.

EDIT: This question asks about specific routers, their software version and which ones would need patching. The answers there are very different from what I'm looking for here. Also the answers here are not really applicable for that question. I actually read that question and the answers before posting this question and at that time didn't even feel like it was similar enough that I had to mention it in my question.

The difference lies in the fact that this question more addresses what the specific risk is to ordinary people with home routers while the other question is more focussed on which routers are vulnerable and how to patch them.

Hence I don't think this should be marked as duplicate.

Matthijs Wessels

2 Answers

A lot of things, actually, depending on your router model. He could:

  • Dump all your traffic and read the unencrypted sessions...
  • ...and try to attack the encrypted ones with tools such as sslstrip
  • Perform Man in the Middle attacks to modify the pages you are viewing, possibly to add browser exploits
  • Use the router as a relay to attack the rest of your home network
  • Worst case scenario, he may also be able to flash your router's firmware

So basically, don't have an internet facing router administration page.

executifs
  • The admin page is password protected. Can he get access to it through the heartbleed bug? – Matthijs Wessels Apr 14 '14 at 10:02
  • Maybe. If the password somehow ends up in the memory of your router's web server (yes, someone would have to log in for that). You should read up on how heartbleed works, these problems have been extensively discussed. I hadn't realized it was another one of those "How does Heartbleed affect ME?" questions. – executifs Apr 14 '14 at 10:49
  • Well my own router doesn't have the admin page enabled, but I know a bunch of people for whom I handle their computer stuff. I was wondering if I needed to check up on them. I found [this article](http://www.huffingtonpost.com/2014/04/11/heartbleed-routers_n_5132306.html) which suggests to turn off the admin page in response to the heartbleed bug, which would suggest that it exposes something specific. I was a bit confused by the quote on mmap whether it can read memory from other processes or not and also don't know enough about routers to know what goes on inside to assess their vulnerability. – Matthijs Wessels Apr 14 '14 at 12:03
  • Well, regardless of the OpenSSL bug, you should encourage them to not have a public-facing admin page then. If they don't use it, they might as well disable it indeed, because it will help mitigate all the future exploits. As for the heartbleed impact in this particular case, I would guess that it's relatively limited. – executifs Apr 14 '14 at 12:09
Exposing your router's admin interface to the internet is an extremely bad idea and should be completely avoided when possible. The router's admin page can be attacked from outside using various ways:

  • Brute-forcing your admin username and password
  • Exploiting a vulnerability in the page itself (think XSS or SQL Injection for example)
  • Exploiting a vulnerability in other services (routers often run other services than a web server, e.g. UPnP, FTP or SMTP, or using the recent Heartbleed vulnerability to retrieve some data, including username/password)

Once an attacker gets access to your router admin interface, he can do a lot of things, including (but not limited to) :

  • Man-in-the-middle attacks against your web communications (but not against HTTPS, as this would trigger your browser to alert you)
  • Injecting malicious content in your communications
  • Sniff and record all the unencrypted traffic that goes in/out your router
  • Use the router as a pivot to attack your LAN equipment (PC, Console, TV, anything connected to your LAN really)

Although I don't see any valid reason to expose the admin interface on the internet, if you really have to do it, then you want to take appropriate measures to limit the risk, such as:

  • Limit access to a restricted number of IP addresses
  • Monitor access to the admin page, to at least receive an email/sms when it is modified
  • Log everything (access, modification)
  • If the router allows it, limit the functionality available from external connections

A better way to do it would be to allow access from outside to an internal host (a jump-host) through a secure channel (e.g. a VPN connection), and from that host access the admin interface of the router.

In response to your edit regarding the Heartbleed bug and exploit:

The Heartbleed bug allows an attacker to read 64K chunks of the OpenSSL process memory, and as far as I know, it is impossible to read another process memory space. But in fact, an attacker doesn't even need that, as the OpenSSL process memory itself already contains a lot of sensitive information. For example, you can find valid session cookies or even username and passwords for the affected application.

Examples of what can be dumped from the OpenSSL process memory:

  • Valid session cookies

ack__
  • About your response, in case of an unused admin page, this sensitive information won't be present in the memory right? Or is there other information in the accessible OpenSSL process' memory on the router? – Matthijs Wessels Apr 14 '14 at 16:02
  • Although it should not be in memory, I guess it really depends on what "unused" exactly means in your situation. I wouldn't be surprised to see data in memory remain long after it has been written and used by the OpenSSL process. Then it also depends on which memory management API has been used by the process. I asked a related question here: http://security.stackexchange.com/questions/55593/heartbleed-and-heap-management-why-user-data-and-passwords-are-kept-in-memory – ack__ Apr 14 '14 at 19:13
  • As for the other information in memory, it can include the private key(s) used by OpenSSL, and any data that transited through OpenSSL for another service (e.g. FTPS traffic that would leave username/password + FTP data in memory). – ack__ Apr 14 '14 at 19:16
  • With competently-coded router firmware, the password should not be in memory if you haven't used the admin page since the router was last power-cycled. Router manufacturers are not known for their competent coding. – Mark Apr 25 '14 at 06:42
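The second answer and its comments describe the mechanism in words: the heartbeat handler trusts the length field in the peer's message, copies that many bytes out of the process heap, and whatever an earlier request left there (credentials, cookies) comes back in the reply. The following C program is an added illustration, not code from this thread or from OpenSSL. It simulates the process heap with one constructed array, plants a constructed `Authorization` header there as the residue of an earlier admin login, and runs a heartbeat request that carries 4 bytes but claims 256 through two handlers: one modelled on the pre-1.0.1g `tls1_process_heartbeat()` logic (no comparison with the real record length) and one with the bounds check the 1.0.1g patch added. The arena, the stale request, the offsets and the function names are all assumptions made for the demonstration; the claimed length is kept small so the over-read stays inside the simulated arena and the program itself has no undefined behaviour.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated process heap: one contiguous region, like a malloc arena that
 * hands out adjacent chunks. Anything written here and never scrubbed stays
 * readable to an over-read. Constructed stand-in, not real OpenSSL memory. */
#define ARENA_SIZE 4096
static unsigned char arena[ARENA_SIZE];

/* RFC 6520 heartbeat: type (1) | payload_length (2, big-endian) | payload |
 * padding (>= 16 bytes). */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_PADDING = 16, HB_HDR = 3 };

/* Write a heartbeat request at dst that declares claimed_len payload bytes
 * but actually carries real_len of them. Returns the true record length. */
static size_t build_heartbeat(unsigned char *dst, uint16_t claimed_len,
                              const void *payload, size_t real_len)
{
    dst[0] = HB_REQUEST;
    dst[1] = (unsigned char)(claimed_len >> 8);
    dst[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(dst + HB_HDR, payload, real_len);
    memset(dst + HB_HDR + real_len, 0, HB_PADDING);
    return HB_HDR + real_len + HB_PADDING;
}

/* Vulnerable handler, modelled on tls1_process_heartbeat() before OpenSSL
 * 1.0.1g: the copy is sized by the peer's declared length and the length of
 * the record that actually arrived (rec_len) is never consulted. */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                   unsigned char *out)
{
    (void)rec_len;                                   /* ignored: the bug */
    if (rec[0] != HB_REQUEST)
        return 0;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, payload_len);  /* reads past the record */
    memset(out + HB_HDR + payload_len, 0, HB_PADDING);
    return HB_HDR + payload_len + HB_PADDING;
}

/* Fixed handler: same parsing, but the declared length is checked against
 * the received record and an oversized request is silently discarded, as
 * the 1.0.1g patch does (RFC 6520 section 4). */
static size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                              unsigned char *out)
{
    if (rec_len < HB_HDR + HB_PADDING || rec[0] != HB_REQUEST)
        return 0;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HDR + payload_len + HB_PADDING > rec_len)
        return 0;                                    /* claimed more than sent */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, payload_len);
    memset(out + HB_HDR + payload_len, 0, HB_PADDING);
    return HB_HDR + payload_len + HB_PADDING;
}

typedef size_t (*hb_handler)(const unsigned char *, size_t, unsigned char *);

static int contains(const unsigned char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0)
            return 1;
    return 0;
}

/* Plant a constructed, stale admin login in the arena, then run a heartbeat
 * that carries 4 bytes but claims 256. Returns 1 if the reply built by
 * handler contains the credential header, 0 otherwise. */
static int leak_demo(hb_handler handler)
{
    static unsigned char reply[HB_HDR + 65535 + HB_PADDING];
    const char *stale = "POST /login.cgi HTTP/1.1\r\n"            /* constructed */
                        "Authorization: Basic YWRtaW46aHVudGVyMg==\r\n";
    memset(arena, 0, sizeof arena);
    memcpy(arena + 64, stale, strlen(stale));   /* earlier request, never scrubbed */
    size_t rec_len = build_heartbeat(arena, 256, "ping", 4);
    size_t n = handler(arena, rec_len, reply);
    return contains(reply, n, "Authorization: Basic");
}

int main(void)
{
    printf("vulnerable handler leaks credential: %d\n", leak_demo(heartbeat_vulnerable));
    printf("fixed handler leaks credential:      %d\n", leak_demo(heartbeat_fixed));
    return 0;
}
```

The point the thread's comments make is visible in `leak_demo`: the heartbeat record itself is 23 bytes and holds nothing of value, yet the vulnerable handler's 256-byte copy returns the login that a previous request left 64 bytes further along in the same arena. Whether such residue is present on a real router depends on what that process handled since boot and whether it scrubbed the buffers, which is exactly the uncertainty the comments above describe; the fixed handler's length check removes the over-read regardless.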