OpenSSL Heartbleed vulnerability(CVE-2014-0160) allows hackers to leak 64k of memory
The bug( CVE-2014-0160), dubbed as 'HeartBleed', was independently discovered by Neel Mehta from Google Security team and Codenomicon. The bug appropriately named HeartBleed because vulnerability is located in HeartBeat extension of OpenSSL and it leads to memory leak.
What versions of the OpenSSL are affected?
OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable
Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.
Check whether Your server is vulnerable or not:"http://filippo.io/Heartbleed/" allows to find whether your server is vulnerable to this bug or not.
Details about the Bug:
TLS Heartbeat extension is to ping from one end to another end - a specific message with size of it is being sent from client to server and server responds with the same message.
But, if an attacker send a small size of data(Let's say 1 kilo byte) and claims it's large size(64k), then the server(running vulnerable OpenSSL) will respond with 1 kilo byte of attacker's data + 63 kilobytes of data read from memory of the server.
How to fix it?
If your server is using OpenSSL 1.0.1 and 1.0.1f, then better upgrade to 1.0.1g. If you are using 1.0.0 and 0.9.8, you are not vulnerable to this bug. As a temporary fix, users can remove HeartBeat extension by recompiling OpenSSL with -DOPENSSL_NO_HEARTBEATS
Technical details of this bug can be found:
http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html
http://heartbleed.com/
Here is POC script written in Python: https://gist.github.com/ixs/10116537
Metasploit Module :
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb
Nessus Plugin:
http://www.tenable.com/plugins/index.php?view=single&id=73404
Nmap Script(NSE):
http://nmap.org/nsedoc/scripts/ssl-heartbleed.html
Read More
