heartbleeder: automatically detecting OpenSSL Heartbleed, with a repair guide

2014-04-09T00:00:00
ID MYHACK58:62201444313
Type myhack58
Reporter Anonymous
Modified 2014-04-09T00:00:00

Description

heartbleeder can check whether your server is affected by the OpenSSL vulnerability CVE-2014-0160, better known as Heartbleed.

What is the Heartbleed vulnerability?

CVE-2014-0160, the Heartbleed vulnerability, is a very serious OpenSSL vulnerability. It allows an attacker to read 64KB of memory from a vulnerable server. That memory may contain very sensitive information, including user requests, passwords, or even the certificate's private key.

Allegedly, an attacker has already tried the vulnerability against a certain e-commerce site: after reading data 200 times, they obtained more than 40 usernames and 7 passwords.

How to use heartbleeder to detect the Heartbleed vulnerability?

Install

Download the compiled binary archive from gobuild.io. Builds for Windows, Linux and Mac OS X are provided.

Because Linux is the most common server operating system, the commands for downloading the Linux binary archives are given here:

Linux (amd64)

wget http://gobuild.io/github.com/titanous/heartbleeder/master/linux/amd64 -O output.zip

Linux (i386)

wget http://gobuild.io/github.com/titanous/heartbleeder/master/linux/386 -O output.zip

After downloading, simply unpack the archive.

If you have Go 1.2 or later, you can also compile and install it yourself with the following command:

go get github.com/titanous/heartbleeder

The binary will be placed at $GOPATH/bin/heartbleeder.

Use

$ heartbleeder example.com
INSECURE - example.com:443 has the heartbeat extension enabled and is vulnerable

Postgres also uses OpenSSL, on its default port 5432. If you run a Postgres server, use the following command instead:

$ heartbleeder -pg example.com
SECURE - example:5432 does not have the heartbeat extension enabled

How to detect the Heartbleed vulnerability manually

If installing heartbleeder is inconvenient, or you do not trust the result of the automatic check, you can also check manually.

First, determine whether the server's OpenSSL version is one of the vulnerable versions. The currently known vulnerable versions are 1.0.1 through 1.0.1f (1.0.1f included) and 1.0.2-beta. You can see the current version on the server with the following command:

openssl version

Next, you need to determine whether the heartbeat extension is enabled:

openssl s_client -connect your-website:443 -tlsextdebug 2>&1 | grep 'TLS server extension "heartbeat" (id=15), len=1'

If both of the above conditions are met, then unfortunately your server is affected by this vulnerability and needs to be fixed as soon as possible.
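The two manual checks above, applied offline to captured command output, as an added shell example that is not part of the article or of heartbleeder; the function names are my own and the sample captures are constructed:

```shell
#!/bin/sh
# Added example (not heartbleeder's code): apply the article's two manual
# checks to captured text. Feed it the output of `openssl version` and of
# `openssl s_client -connect host:443 -tlsextdebug`.

# Classify an `openssl version` line against the versions the article lists
# as vulnerable to CVE-2014-0160: 1.0.1 up to and including 1.0.1f, and
# 1.0.2-beta. Prints "vulnerable" or "not-listed".
heartbleed_version_status() {
    ver=$(printf '%s\n' "$1" | awk '{ print $2 }')
    case "$ver" in
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*) echo vulnerable ;;   # also "-fips" style suffixes
        1.0.2-beta*)                   echo vulnerable ;;
        *)                             echo not-listed ;;
    esac
}

# Return 0 if the server announced the heartbeat extension (id=15) in the
# -tlsextdebug output, 1 otherwise.
heartbeat_extension_enabled() {
    printf '%s\n' "$1" | grep -q 'TLS server extension "heartbeat" (id=15), len=1'
}

# Combine both checks as the article does: only a listed version AND an
# enabled heartbeat extension counts as affected. Caveat: distributions often
# backport the fix without changing the version string, so "affected" here
# should still be confirmed with a live probe such as heartbleeder.
heartbleed_manual_check() {
    if [ "$(heartbleed_version_status "$1")" != vulnerable ]; then
        echo version-not-listed
    elif heartbeat_extension_enabled "$2"; then
        echo affected
    else
        echo heartbeat-disabled
    fi
}

# Constructed sample captures (not taken from a real server).
SAMPLE_VERSION='OpenSSL 1.0.1e 11 Feb 2013'
SAMPLE_TLSEXT='TLS server extension "renegotiation info" (id=65281), len=1
TLS server extension "heartbeat" (id=15), len=1
TLS server extension "session ticket" (id=35), len=0'

heartbleed_manual_check "$SAMPLE_VERSION" "$SAMPLE_TLSEXT"   # prints: affected
```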

How to fix

  1. Take the affected server offline so that it stops leaking sensitive information.
  2. Stop the services that use the old OpenSSL, upgrade OpenSSL to the new version, and restart them.
  3. Generate a new key, because an attacker may have obtained the private key through the vulnerability. Submit the new key to your CA, obtain a new certificate, and install the new key on the server.
  4. Bring the server back online.
  5. Revoke the old certificate.
  6. Revoke all existing session cookies.
  7. Require users to change their passwords.
