OpenSSL “Heartbleed” – Whose Vulnerable and How to Check
** Updated 4/9/14 9pm **
The internet is plastered with news about the OpenSSL heartbeat “Heartbleed” (CVE-2014-0160) vulnerability that some say effects up to 2/3 of the internet. Everything from servers to routers to smart phones could be tricked to give up encrypted data in plain text. Let’s take a quick look at the vulnerability, see who’s affected by it and how you can check.
What is Heartbleed?
Basically, OpenSSL is an encryption library used in HTTPS communication – You know the online stores and banking websites that give you that little lock icon in your browser bar when you visit them.
OpenSSL uses a “heartbeat” message to echo back data to verify what was received was correct. In OpenSSL 1.0.1 to 1.0.1f, a hacker can trick OpenSSL by sending a single byte of information but telling the server that it sent 64K bytes of data.
And the server will respond with 64K bytes of information – from it’s memory!
The Register has a nice image of the process:
The data returned is randomly pulled from the server’s memory and can include anything from Usernames, account passwords or sensitive data.
The vulnerability is remedied in the latest update of OpenSSL, but the problem is it could take years for all the affected devices to be found and patched. And some embedded and proprietary devices may never be patched!
There are a plethora of tools and exploits flooding the internet right now to check for and exploit Heartbleed.
Who is Vulnerable?
Yesterday the top 10,000 websites on the web were scanned for the vulnerability and the results can be found here. Many big named websites (as of yesterday) are vulnerable. But many listed, including Yahoo! have already fixed the vulnerability.
But if you read down the list you will see familiar websites including technology sites, financial institutions, game websites and popular forum/ social media sites.
But it just not limited to these sites.
Many home routers and even smart devices use OpenSSL.
How to Exploit/ Check?
I received a note today from Tenable (see Blog Post Here) that Nessus will now detect the Heartbeat vulnerability:
“Tenable Network Security® released plugins for the detection of the OpenSSL heartbeat vulnerability (aka the “Heartbleed Vulnerability”) on the 8th of April for Nessus® and the Passive Vulnerability Scanner™ (PVS™). A plugin for detecting the vulnerability in Apache web server logs has also been added to the Log Correlation Engine™ (LCE™) and available for reporting in SecurityCenter™ and SecurityCenter Continuous View™.”
And a quick Google search will return multiple different ways to check to see if websites are vulnerable to the attack. I have even seen a Firefox add in floating around:
There are a couple exploit programs available on the web. Rapid7 has created an exploit module for Metasploit and it is available on Github:
I didn’t see it available in the latest msfupdate, but I am sure it will be added to Metasploit Framework very soon.
As always, use any Heartbleed tools at your own risk, use extreme caution when using random programs to check for vulnerabilities, and never use these tools to check websites that you do not own or have permission to test or to access.
Update any of your systems that are using the old version of OpenSSL, and change your passwords on any effected servers.