OpenSSL Vulnerability – The Heartbleed Bug

On April 7, 2014, a vulnerability (CVE-2014-0160, known as Heartbleed) was disclosed that could allow attackers to read sensitive information from a server's memory, such as secret keys and passwords. There are a million and one posts around the internet with more details on this vulnerability, so I am not going to go into details here.

You will find a nice tool on GitHub to test whether your system is vulnerable. To use this tool you must have Go 1.2.x installed.

Once installed, I ran a scan across my network looking for vulnerable machines:

sudo nmap -sS -p 443 -oG output.txt 192.168.1.0/24

Now run the output file through the tool:

grep open output.txt | awk '{print $2}' | xargs -I % ./Heartbleed %:443

The output will look something like this:

2014/04/08 10:51:28 192.168.1.6:443 - SAFE
2014/04/08 10:51:31 192.168.1.8:443 - SAFE
2014/04/08 10:51:34 192.168.1.9:443 - SAFE
2014/04/08 10:51:58 192.168.1.41:443 - VULNERABLE

Above you will see I found a machine on my network that was vulnerable. The OpenSSL update had been applied; however, nginx had not been restarted.

After you have patched your machines, make sure you either restart every service that uses OpenSSL or simply reboot. A running process keeps the old library loaded in memory until it is restarted.
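To find which services still need that restart, here is an added example (not from the original post or the Heartbleed tool) that lists processes still mapping a libssl or libcrypto file deleted by the upgrade. The function names and the fake /proc tree are constructed for illustration; it assumes Linux and a dynamically linked OpenSSL.

```shell
#!/bin/sh
# Added example: find processes still running a replaced OpenSSL library.
# Function names and the demo tree below are constructed for illustration.

# uses_stale_openssl MAPS_FILE
# Exit 0 if a /proc/<pid>/maps-format file shows libssl or libcrypto mapped
# from a file that has since been deleted (replaced by the package upgrade).
uses_stale_openssl() {
    grep -Eq '/lib(ssl|crypto)\.so[^/]* \(deleted\)$' "$1"
}

# scan_stale_openssl [PROC_ROOT]
# Print "PID NAME" for every process under PROC_ROOT (default /proc) that
# must be restarted to pick up the patched library.
scan_stale_openssl() {
    for dir in "${1:-/proc}"/[0-9]*; do
        [ -r "$dir/maps" ] || continue
        if uses_stale_openssl "$dir/maps"; then
            name="$(cat "$dir/comm" 2>/dev/null || echo '?')"
            printf '%s %s\n' "${dir##*/}" "$name"
        fi
    done
}

# Constructed demo: a fake /proc tree with one stale and one current process.
demo="$(mktemp -d)"
mkdir -p "$demo/1201" "$demo/1377"
echo nginx > "$demo/1201/comm"
echo sshd > "$demo/1377/comm"
echo '7f3c1a200000-7f3c1a25a000 r-xp 00000000 08:01 1315077 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)' > "$demo/1201/maps"
echo '7f9d40000000-7f9d401b2000 r-xp 00000000 08:01 1315102 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0' > "$demo/1377/maps"
scan_stale_openssl "$demo"   # prints: 1201 nginx
rm -rf "$demo"
```

On a real host, call scan_stale_openssl with no argument as root. A binary that links OpenSSL statically will not appear in this list and has to be upgraded or rebuilt itself.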

Run the tool again to see if the machine is now SAFE:

./Heartbleed 192.168.1.41:443

2014/04/08 11:00:34 192.168.1.41:443 - SAFE

 

High-level overview of how the attack works:

OpenSSL Heartbeat (Heartbleed) Vulnerability (CVE-2014-0160) and its High-Level Mechanics from Elastica Inc on Vimeo.