The ‘Heartbleed’ security flaw that affects most of the Internet.
Bruce Schneier: “Catastrophic” is the right word. On the scale of 1 to 10, this is an 11.
Do not log in to Yahoo! The OpenSSL bug #heartbleed allows extraction of usernames and plaintext passwords!
It is recommended that you update your passwords if you have an account (once the site has upgraded OpenSSL; until then a new password can be read from server memory in the same way).
“The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. These sites are typically indicated by a lock icon in the browser to let site visitors know the information they’re sending online is hidden from prying eyes. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.”
Vulnerable OpenSSL
The Heartbleed bug was introduced in OpenSSL 1.0.1 and is present in:
- 1.0.1
- 1.0.1a
- 1.0.1b
- 1.0.1c
- 1.0.1d
- 1.0.1e
- 1.0.1f
The bug is not present in 1.0.1g, nor in the 1.0.0 or 0.9.8 branches.
Test for Heartbleed
Test Site: http://filippo.io/Heartbleed/
floozycity.com IS VULNERABLE.
Here is some data we pulled from the server memory:
(we put YELLOW SUBMARINE there, and it should not have come back)
([]uint8) {
00000000 02 00 79 68 65 61 72 74 62 6c 65 65 64 2e 66 69 |..yheartbleed.fi|
00000010 6c 69 70 70 6f 2e 69 6f 59 45 4c 4c 4f 57 20 53 |lippo.ioYELLOW S|
00000020 55 42 4d 41 52 49 4e 45 71 3e 37 a0 ac 0c 76 58 |UBMARINEq>7...vX|
00000030 9e 30 08 d1 d0 fa 9f 75 e5 c8 bf c3 8a d1 0f b6 |.0.....u........|
00000040 e8 77 fa 66 ad a2 6d 14 6f 87 c9 54 5f 39 09 8e |.w.f..m.o..T_9..|
00000050 f2 b4 69 74 fb 1c 10 fb 30 23 92 aa e1 85 83 9c |..it....0#......|
00000060 1b 20 ea 53 0b dd 9c a4 e8 04 13 d2 d1 64 39 06 |. .S.........d9.|
00000070 6a d6 1e 05 69 d4 4e 85 7d f3 cd 18 6b e3 c2 70 |j...i.N.}...k..p|
00000080 70 ce dd 87 ff 2e 23 0e d0 90 75 4d             |p.....#...uM|
}
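To make the dump above concrete, here is an added example (not part of the original post or of the filippo.io tool) that decodes the response as an RFC 6520 heartbeat message and counts how many echoed bytes were never sent by the client. It also models the bounds check OpenSSL 1.0.1g added, which drops a record too short for its declared payload length. The SENT_PAYLOAD value is read off the ASCII column of the dump and is an assumption about what the tool sent.

```python
import struct

# Heartbeat response recorded by the filippo.io test above (hexdump copied from the page).
HEXDUMP = """
00000000 02 00 79 68 65 61 72 74 62 6c 65 65 64 2e 66 69 |..yheartbleed.fi|
00000010 6c 69 70 70 6f 2e 69 6f 59 45 4c 4c 4f 57 20 53 |lippo.ioYELLOW S|
00000020 55 42 4d 41 52 49 4e 45 71 3e 37 a0 ac 0c 76 58 |UBMARINEq>7...vX|
00000030 9e 30 08 d1 d0 fa 9f 75 e5 c8 bf c3 8a d1 0f b6 |.0.....u........|
00000040 e8 77 fa 66 ad a2 6d 14 6f 87 c9 54 5f 39 09 8e |.w.f..m.o..T_9..|
00000050 f2 b4 69 74 fb 1c 10 fb 30 23 92 aa e1 85 83 9c |..it....0#......|
00000060 1b 20 ea 53 0b dd 9c a4 e8 04 13 d2 d1 64 39 06 |. .S.........d9.|
00000070 6a d6 1e 05 69 d4 4e 85 7d f3 cd 18 6b e3 c2 70 |j...i.N.}...k..p|
00000080 70 ce dd 87 ff 2e 23 0e d0 90 75 4d             |p.....#...uM|
"""
# Payload the test tool sent: its hostname plus the canary (assumed from the ASCII column).
SENT_PAYLOAD = b"heartbleed.filippo.ioYELLOW SUBMARINE"

HB_RESPONSE = 2   # RFC 6520 HeartbeatMessageType heartbeat_response
MIN_PADDING = 16  # RFC 6520 requires at least 16 bytes of padding

def hexdump_to_bytes(dump: str) -> bytes:
    """Drop the offset and ASCII columns of each line and collect the hex bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        out.extend(int(h, 16) for h in line.split("|")[0].split()[1:])
    return bytes(out)

def parse_heartbeat(record: bytes) -> tuple[int, int, bytes, bytes]:
    """Split a heartbeat message into (type, declared payload_length, payload, padding)."""
    hb_type, declared = record[0], struct.unpack("!H", record[1:3])[0]
    return hb_type, declared, record[3:3 + declared], record[3 + declared:]

def leaked_bytes(response: bytes, sent_payload: bytes) -> int:
    """Payload bytes echoed beyond what the client sent; anything above 0 is disclosed server memory."""
    hb_type, declared, payload, _ = parse_heartbeat(response)
    if hb_type != HB_RESPONSE or not payload.startswith(sent_payload):
        raise ValueError("not a heartbeat response echoing the sent payload")
    return declared - len(sent_payload)

def patched_server_accepts(record: bytes) -> bool:
    """Bounds check added in OpenSSL 1.0.1g: header, declared payload and minimum padding
    must fit inside the record that actually arrived, otherwise it is silently discarded."""
    declared = struct.unpack("!H", record[1:3])[0]
    return 1 + 2 + declared + MIN_PADDING <= len(record)

if __name__ == "__main__":
    response = hexdump_to_bytes(HEXDUMP)
    print(f"declared {parse_heartbeat(response)[1]} payload bytes, sent {len(SENT_PAYLOAD)}, "
          f"leaked {leaked_bytes(response, SENT_PAYLOAD)}")
    # A record carrying only the 37 payload bytes actually sent fails the 1.0.1g check.
    print("1.0.1g accepts short record:", patched_server_accepts(response[:3 + len(SENT_PAYLOAD) + MIN_PADDING]))
```

Run against the dump, the server declares 121 payload bytes against 37 sent, so 84 bytes of the response are memory the client never supplied.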
Request & Response Captured Using ZAP
Wireshark
ChromeBleed
Chrome extension: once installed, it notifies the user when they browse to a Heartbleed-vulnerable site.
https://chrome.google.com/webstore/detail/chromebleed/eeoekjnjgppnaegdjbcafdggilajhpic
NMAP
Download the ssl-heartbleed.nse file and place it in the scripts directory of your Nmap installation.
Download the tls.lua file and place it in the nselib directory of your Nmap installation.
Download both from: http://hackertarget.com/testing-heartbleed-with-the-nmap-nse-script/
nmap -sV -p 443 --script=ssl-heartbleed.nse floozycity.com
VULNERABLE:
|   The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.
|     State: VULNERABLE
|     Risk factor: High
|     Description:
|       OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1) of OpenSSL are affected by the Heartbleed bug. The bug allows for reading memory of systems protected by the vulnerable OpenSSL versions and could allow for disclosure of otherwise encrypted confidential information as well as the encryption keys themselves.
|
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
|       http://www.openssl.org/news/secadv_20140407.txt
|_      http://cvedetails.com/cve/2014-0160/
How to Fix Heartbleed
1. Upgrade OpenSSL
2. Revoke ALL SSL certificates
3. Regenerate all SSL private keys
4. Get new certificates from your SSL vendor
Report Links
Diagnosis of the OpenSSL Heartbleed Bug
Strange, I was thinking of writing a short post similar to yours.
You were thinking of it, or you actually did it?