Recently Web Researcher has uncovered an extremely critical vulnerability in recent versions of OpenSSL in short this vulnerability allows anyone on the Internet to read the memory of the systems protected by the OpenSSL software.
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM), and some virtual private networks (VPNs).CVE-2014-0160 is the official reference to this bug.
What versions of the OpenSSL are affected?
Status of different versions:
- OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
- OpenSSL 1.0.1g is NOT vulnerable
- OpenSSL 1.0.0 branch is NOT vulnerable
- OpenSSL 0.9.8 branch is NOT vulnerable
The bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on the 14th of March 2012. OpenSSL 1.0.1g released on the 7th of April 2014 fixes the bug.
How do I Test this Vulnerability?
First Check the Heratbleed Extension is present or Not?
The above command only tells whether Heratbleed Extension is present or not it doesn’t tell you it’s vulnerable for testing use below file. You can just download the python file mentioned in the below link and check whether your site is vulnerable to Heartbleed Vulnerability. If it’s vulnerable it will show the message saying “server returned more data than it should” along with data that was returned by the vulnerable server. Analyze the data which was sent by the server it could contain Critical data like Username & Password.
You can also test this by using Metasploit as they have integrated this SSL HeartBleed Module in their auxiliary make sure you update your Metasploit using msfupdate command.
Go to msfconsole
use auxiliary/scanner/ssl/openssl_heartbleed SET RHOT X.X.X.X SET RPORT 443 SET VERBOSE true run
OpenSSL HearBleed Scanner is also available now http://www.rapid7.com/resources/free-security-software-downloads/openssl-heartbleed-vulnerability-scanner.jsp
what can I do to protect myself? Since the vulnerability has been in OpenSSL for about two years and using it leaves no trace, assume that your accounts may be compromised. You should change your online passwords, especially for services where privacy and security are major concerns. However, many sites likely haven’t upgraded to the software without the bug, so immediately changing them still might not help.
The researchers who discovered the flaw let the developers behind OpenSSL know several days before announcing the vulnerability, so it was fixed before word got out yesterday. Most major service providers should already be updating their sites, so the bug will be less prevalent over the coming weeks.
How to Fix this Issue? Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately the upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.
Thank You for reading this article. Happy Bounty Hunting !!