Heartbleeder can detect whether your server is affected by the OpenSSL CVE-2014-0160 vulnerability (Heartbleed).
What is Heartbleed?
CVE-2014-0160, known as Heartbleed, is a very serious OpenSSL vulnerability. It allows an attacker to read 64KB of memory from a vulnerable server. That memory may contain highly sensitive data, including user requests, passwords, or even the private key of the server's certificate.
It is reported that an attacker tried the vulnerability against a certain site and, after 200 reads, obtained more than 40 usernames and 7 passwords.
How do I use Heartbleeder to detect Heartbleed?
Installation
Compressed packages of prebuilt binaries can be downloaded from Gobuild.io, covering Windows, Linux and Mac OS X.
Because Linux is the most common server operating system, here are the commands to download the Linux binary packages:
Linux (AMD64)
wget http://gobuild.io/github.com/titanous/heartbleeder/master/linux/amd64 -O output.zip
Linux (i386)
wget http://gobuild.io/github.com/titanous/heartbleeder/master/linux/386 -O output.zip
After downloading, unzip the package.
You can also build it yourself (Go 1.2 or later is required) with the following command:
go get github.com/titanous/heartbleeder
The binary is placed at $GOPATH/bin/heartbleeder.
Usage
$ heartbleeder example.com
INSECURE - example.com:443 has the heartbeat extension enabled and is vulnerable
Postgres uses OpenSSL on port 5432 by default; if you run a Postgres server, use the following command:
$ heartbleeder -pg example.com
SECURE - example:5432 does not have the heartbeat extension enabled
How to detect Heartbleed manually
If installing Heartbleeder is inconvenient, or you do not trust the results of the automated check, you can also check manually.
First, determine whether the OpenSSL version on the server is a vulnerable one. The currently vulnerable versions are 1.0.1 through 1.0.1f (1.0.1f included) and 1.0.2-beta. You can view the current version on the server with the following command:
openssl version
Then you need to determine whether the heartbeat extension is enabled (replace yourhost with your server's hostname):
openssl s_client -connect yourhost:443 -tlsextdebug 2>&1 | grep 'TLS server extension "heartbeat" (id=15), len=1'
If both of the above conditions are met, your server is unfortunately affected by this vulnerability and needs to be fixed as soon as possible.
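The two manual checks above, wrapped in a POSIX shell script; this is an added example, not code from the original article or from the Heartbleeder project. It assumes the openssl binary is on PATH, and the function names heartbleed_version_vulnerable, heartbeat_extension_enabled and check_local are chosen here.

```shell
#!/bin/sh
# Added example: automates the two manual checks described in this article.
# Assumes the `openssl` binary is on PATH; all function names are chosen here.

# Classify an `openssl version` string. Returns 0 (true) for the versions the
# article lists as vulnerable: 1.0.1 through 1.0.1f inclusive, and 1.0.2-beta.
# Distribution builds that backport the fix keep the old version string, so a
# match here is a prompt to check the package changelog, not proof by itself.
heartbleed_version_vulnerable() {
  ver=$(printf '%s\n' "$1" | awk '{print $2}')  # "OpenSSL 1.0.1e 11 Feb 2013" -> 1.0.1e
  case "$ver" in
    1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*) return 0 ;;  # 1.0.1, 1.0.1a..1.0.1f (also -fips builds)
    1.0.2-beta*) return 0 ;;                            # 1.0.2 beta releases
    *) return 1 ;;
  esac
}

# Does the TLS service at host:port advertise the heartbeat extension (id=15)?
# Same s_client/grep check as above; stdin is closed so s_client exits after the
# handshake instead of waiting for input.
heartbeat_extension_enabled() {
  openssl s_client -connect "$1:${2:-443}" -tlsextdebug </dev/null 2>&1 |
    grep -q 'TLS server extension "heartbeat" (id=15), len=1'
}

# Run on the server itself: it is affected when the local OpenSSL is a
# vulnerable version AND the TLS service advertises the heartbeat extension.
# Prints a verdict and returns 0 if affected, 1 otherwise.
check_local() {
  host=${1:-localhost}; port=${2:-443}
  version=$(openssl version)
  if heartbleed_version_vulnerable "$version"; then
    echo "local OpenSSL is a vulnerable version: $version"
    if heartbeat_extension_enabled "$host" "$port"; then
      echo "AFFECTED: $host:$port advertises the heartbeat extension; patch as soon as possible"
      return 0
    fi
    echo "heartbeat extension not advertised on $host:$port (verify the service really uses this OpenSSL)"
  else
    echo "local OpenSSL version is not in the vulnerable range: $version"
  fi
  return 1
}

# Usage: ./check_heartbleed.sh [host] [port]
if [ $# -gt 0 ]; then check_local "$@"; fi
```

Note that fixed OpenSSL builds still advertise the heartbeat extension, so the extension check alone proves nothing; it only matters together with a vulnerable version.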
How to fix
- Take the affected server offline so it cannot keep leaking sensitive information.
- Stop the services using the old OpenSSL version, upgrade OpenSSL to the new version, and restart.
- Generate a new private key (because an attacker could have obtained the old private key through the vulnerability). Submit the new key to your CA, and install the new key on the server once the new certificate has been issued.
- Bring the server back online.
- Revoke the old certificate.
- Revoke the existing session cookies.
- Require users to change their passwords.
Adapted from SegmentFault.