News Feature | June 16, 2014

Introducing Cupid: Heartbleed Just Got More Dangerous

By Ally Orlando, contributing writer

Cupid & Heartbleed

Internet users felt threatened enough by the Heartbleed bug, but recent research reports a new variant. “Cupid” is an open source code that makes it easier to access passwords and could potentially expose enterprise networks and devices.

Introduced in April, the Heartbleed bug exploits a vulnerability in the OpenSSL cryptographic software library — used by at least two-thirds of all Internet sites — that allows encrypted information to be stolen. This information is normally protected by SSL/TLS (secure sockets layer/transport layer security) encryption that provides privacy for personal information associated with web, email, messaging, and private networks.

Systems protected by vulnerable versions of OpenSSL software are subject to cybercrime. Cyber criminals can obtain usernames and passwords, read private conversations, obtain private data, and even commit identity theft.

Researcher Luis Grangeia, of the Portuguese consulting firm Sysvalue, discovered these new OpenSSL threats, called “Cupid.” In a recent blog post, he explains Cupid exposes TLS connections over the Extensible Authentication Protocol (EAP), which allows authentication mechanisms — such as smart cards and one-time passwords — to be deployed over wireless networks.

Similar to Heartbleed, Cupid can be used to exploit clients and servers though TLS. However, rather than relying on an attacker to obtain sensitive information, it is triggered before a password is even required, Grangeia says. To do damage, Cupid does not require a fully established TLS connection or an exchange of a key or certificates.

“To exploit vulnerable clients, hostapd (with the Cupid patch) can be used to setup an ‘evil’ network such that, when the vulnerable client tries to connect and requests a TLS connection, hostapd will send malicious heartbeat requests, triggering the vulnerability,” Grangeia writes.

“To exploit vulnerable servers, we can use wpa_supplicant with the Cupid patch. We request a connection to a vulnerable network and then send a heartbeat request right after the TLS connection is made.”

Grangeia did not specify which information could be exposed in the memory of vulnerable systems, but speculates that the private key and credentials used to authenticate the TLS connection are likely to be compromised in a Cupid attack.

He did, however, confirm that the default installations of wpa_supplicant, hostapd and freeradius are exploitable on systems using Ubuntu with a vulnerable version of OpenSSL. Android users running versions 4.1.0 and 4.1.1 with a vulnerable OpenSSL may also be at risk. One exception is home routers, which do not use EAP mechanisms.

Kevin Bocek, vice president of security strategy and threat intelligence at Venafi Inc., says Cupid may have been the first variant of the Heartbleed bug, but it will not be the last.

“Hackers know the value that keys and certificates add to their toolkit and will continue to exploit them until businesses have them fully inventoried and know where they all are at any given time.”

To mitigate cyber threats, experts suggest businesses avoid connecting to unknown wireless networks and test existing corporate networks.