Heartbleed
Trying to get on top of the heartbleed problem, I installed the chrome extension “chromebleed“, but after surfing over to sites that I knew should screem alert, nothing happend. Tweeked the settings to show all notifications….
To be 100% sure, here is my test server with an “old” openssl library (it’s an mysql test server, with now installed apache to play with heartbleed). It’s a Debian server, running with openssl 1.0.1e.
They say a picture tells more then than 1000 words, so here go.
So basically do not trust the chrome extensions… If you want to test your sites, get your hands dirty with nmap and the heart-bleed script, if your not familiar with nmap and scrips, head over to Kali and download the live version, and then run the following commands to install the nmap heartbleed script.
apt-get updateapt-get upgradecd /usr/share/nmap/scripts/cd /usr/share/nmap/nselibnmap –script-updatedb
Then to test; (Replace X.X.X.X with your server ip)
nmap –script=”ssl-heartbleed” -p 443 X.X.X.X
if you see the following your kind of screwed, time to upgrade/revoke/warn your users….
Nmap scan report for 10.0.2.55
Host is up (0.00035s latency).
PORT STATE SERVICE
443/tcp open https
| ssl-heartbleed:
| VULNERABLE:
| The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.
| State: VULNERABLE
| Risk factor: High
| Description:
| OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1) of OpenSSL are affected by the Heartbleed bug. The bug allows for reading memory of systems protected by the vulnerable OpenSSL versions and could allow for disclosure of otherwise encrypted confidential information as well as the encryption keys themselves.
|
| References:
| http://www.openssl.org/news/secadv_20140407.txt
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
|_ http://cvedetails.com/cve/2014-0160/
One Comment to