The OpenSSL Heartbeart bug: Two-thirds of Internet Users at Risk

What is the Heartbleed Bug?

The Heartbleed bug is a vulnerability in the OpenSSL cryptographic library that allows stealing of information normally protected by the SSL/TLS encryption used to secure the Internet. OpenSSL is open-source software that is widely used to encrypt web communications. SSL/TLS is what normally provides secure and private communication over the Internet via websites, email, IM, and VPNs. According to CNET, an attacker can exploit Heartbleed to essentially “get copies of a server's digital keys then use that to impersonate servers or to decrypt communications from the past or potentially the future, too.”
The versions of OpenSSL that are affected, version 1.0.1 and 1.02-beta release have been widely deployed for some time. The bug has been described as a program error, and a fix has been published for the 1.01 program in OpenSSL 1.01g. The bug was found in the heartbeat extension (RFC6520) of the Transport Layer Security/Datagram Transport Layer Security (TLS/DTLS) within the implementation on the affected OpenSSL versions. It is a straight, pure bug that unfortunately strikes at the ‘heart’ of web security, affecting that hearbeat extension, thus earning its name. According to security reports, research has produced some significant leaks.

In testing, attacks were able to be executed without leaving a trace. The tests were also able to steal X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication – all without any privileged information or any credentials.

Rapid7, makers of metasploit has updated metasploit with the exploit code. https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb


Testing

There are some very untested go and python open source scripts out there which you can use for a quick and dirty test for Heartbleed bug against the server you are auditing - https://github.com/titanous/heartbleeder/ and http://s3.jspenguin.org/ssltest.py respectively. You can also check for vulnerable sites at  http://filippo.io/Heartbleed/
 

Fix

Before you start thinking that the world is about to end due to this bleeding of hearts…there is hope i.e. fixed OpenSSL version 1.0.1g has been released.


Comments

Popular posts from this blog

Pentesting Android applications

Global Cyberlympics Finals 2015 Write-up - Tracker.7z

Red Teaming with Covenant and Donut