Heartbleed

Trying to get on top of the Heartbleed problem, I installed the Chrome extension “chromebleed”, but after surfing over to sites that I knew should scream alert, nothing happened. Tweaked the settings to show all notifications…

To be 100% sure, here is my test server with an “old” OpenSSL library (it’s a MySQL test server, with Apache now installed to play with Heartbleed). It’s a Debian server running OpenSSL 1.0.1e.
They say a picture tells more than 1000 words, so here goes.

[Image: heartbleed]

So basically, do not trust the Chrome extensions. If you want to test your sites, get your hands dirty with nmap and the Heartbleed script. If you're not familiar with nmap and scripts, head over to Kali, download the live version, and then run the following commands to install the nmap Heartbleed script.

apt-get update
apt-get upgrade
cd /usr/share/nmap/scripts/
cd /usr/share/nmap/nselib
nmap --script-updatedb

Then, to test (replace X.X.X.X with your server IP):

nmap --script="ssl-heartbleed" -p 443 X.X.X.X

If you see the following, you're kind of screwed; time to upgrade/revoke/warn your users…

Nmap scan report for 10.0.2.55
Host is up (0.00035s latency).
PORT STATE SERVICE
443/tcp open https
| ssl-heartbleed:
| VULNERABLE:
| The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.
| State: VULNERABLE
| Risk factor: High
| Description:
| OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1) of OpenSSL are affected by the Heartbleed bug. The bug allows for reading memory of systems protected by the vulnerable OpenSSL versions and could allow for disclosure of otherwise encrypted confidential information as well as the encryption keys themselves.
|
| References:
| http://www.openssl.org/news/secadv_20140407.txt
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
|_ http://cvedetails.com/cve/2014-0160/
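
When you scan more than one server, reading every report by eye gets old fast. The following is an added example, not part of the original post: it filters nmap's normal output (stdout or an -oN file) down to the host/port pairs that ssl-heartbleed flagged. The function names `heartbleed_hosts` and `sample_scan` are hypothetical, and the sample hosts are constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): triage ssl-heartbleed results.
# Reads nmap normal output on stdin; prints "IP port/proto" for every port whose
# ssl-heartbleed block reports exactly "State: VULNERABLE".
heartbleed_hosts() {
  LC_ALL=C awk '
    /^Nmap scan report for / {           # new host: last field is IP or "(IP)"
      host = $NF; gsub(/[()]/, "", host); port = ""; in_hb = 0; next
    }
    /^[0-9]+\/(tcp|udp)[ \t]/ { port = $1; in_hb = 0; next }   # port table row
    !/^\|/                    { in_hb = 0; next }              # left script output
    /^\|_? ?[a-z][a-z0-9-]*:( |$)/ {                           # script header line
      in_hb = ($0 ~ /ssl-heartbleed:/); next
    }
    in_hb && /State:[ \t]*VULNERABLE/ { print host, port; in_hb = 0 }
  '
}

# Constructed sample scan (addresses and host names are made up for this example).
sample_scan() {
  cat <<'EOF'
Nmap scan report for 10.0.2.55
Host is up (0.00035s latency).
PORT STATE SERVICE
443/tcp open https
| ssl-heartbleed:
| VULNERABLE:
| State: VULNERABLE
|_ Risk factor: High

Nmap scan report for patched.example.test (10.0.2.56)
PORT STATE SERVICE
443/tcp open https
| ssl-heartbleed:
| NOT VULNERABLE:
|_ State: NOT VULNERABLE

Nmap scan report for mail.example.test (10.0.2.57)
PORT STATE SERVICE
25/tcp open smtp
993/tcp open imaps
| ssl-heartbleed:
| VULNERABLE:
|_ State: VULNERABLE
EOF
}

sample_scan | heartbleed_hosts
```

Pipe a real scan into `heartbleed_hosts` the same way; anything it prints goes on the upgrade/revoke list.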
