OpenSSL Heartbleed Vulnerability
Hello Every One,
Recently Web Researcher has uncovered an extremely critical vulnerability in recent versions of OpenSSL in short this vulnerability allows anyone on the Internet to read the memory of the systems protected by the OpenSSL software.
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).CVE-2014-0160 is the official reference to this bug.
What versions of the OpenSSL are affected?
Status of different versions:
- OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
- OpenSSL 1.0.1g is NOT vulnerable
- OpenSSL 1.0.0 branch is NOT vulnerable
- OpenSSL 0.9.8 branch is NOT vulnerable
Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.
How do I Test this Vulnerability ?First Check the Heratbleed Extension is present or Not ?
openssl s_client -connect domainname.com:443 -tlsextdebug 2>&1| grep 'server extension "heartbeat" (id=15)'
Above command only tell that HearBeat Extension is present or not it doesn’t tell you it’s vulnerable for testing use below file.
You can just download the python file mentioned in below link and check whether your site is vulnerable to Heartbleed Vulnerability.
If it’s vulnerable it will show the message saying “server returned more data than it should” along with data which was returned by the vulnerable server. Analyse the data which was send by the server it could contain the Critical data like Username & Password.
You can also test this by using metasploit as they have integrated this SSL HeartBleed Module in there auxiliary make sure you update your metasploit using msfupdate command.
Go to Msfconsole
- use auxiliary/scanner/ssl/openssl_heartbleed
- SET RHOT X.X.X.X
- SET RPORT 443
- SET VERBOSE true
OpenSSL HearBleed Scanner is also available now
what can I do to protect myself?
Since the vulnerability has been in OpenSSL for about two years and using it leaves no trace, assume that your accounts may be compromised. You should change your online passwords, especially for services where privacy and security are major concerns. However, many sites likely haven’t upgraded to software without the bug, so immediately changing them still might not help.
The researchers who discovered the flaw let the developers behind OpenSSL know several days before announcing the vulnerability, so it was fixed before word got out yesterday. Most major service providers should already be updating their sites, so the bug will be less prevalent over coming weeks.
How to Fix this Issue ?
Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately
upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.
Thank You for reading this article.
Happy Bounty Hunting