Stopping the Heartbleed

Fixing the infamous Heartbleed bug requires more than just patching the OpenSSL vulnerability. Just as login credentials are usually assumed to be compromised after a security incident, keys and certificates are no exception.

To successfully fix the Heartbleed bug, these are some steps to consider:

  • Patch the OpenSSL vulnerability
  • Generate fresh keys
  • Purchase / generate / issue / install new certificates
  • Revoke old certificates
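
The key and certificate steps above only help if the new certificate is issued over the fresh key rather than the old one. The script below is an added example, not part of the original post: it uses the `openssl` CLI to compare public-key fingerprints, and the file names and the `www.example.test` subject are constructed for the demo.

```shell
#!/bin/sh
# Added example: confirm a reissued certificate was really re-keyed.
# File names and the www.example.test subject are constructed for the demo.

# SHA-256 of a public key supplied as PEM on stdin.
fp() { openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'; }

# Fingerprint of the public key inside a PEM certificate / a PEM private key.
cert_key_fp() { pem=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) && printf '%s\n' "$pem" | fp; }
priv_key_fp() { pem=$(openssl pkey -in "$1" -pubout 2>/dev/null) && printf '%s\n' "$pem" | fp; }

# check_rekey OLD_CERT NEW_CERT DEPLOYED_KEY
check_rekey() {
    old_fp=$(cert_key_fp "$1") && new_fp=$(cert_key_fp "$2") &&
        key_fp=$(priv_key_fp "$3") || { echo "unreadable-input"; return 2; }
    if [ "$old_fp" = "$new_fp" ]; then
        echo "key-reused"      # certificate reissued, but over the exposed key
    elif [ "$new_fp" != "$key_fp" ]; then
        echo "key-mismatch"    # new certificate does not match the deployed key
    else
        echo "rekeyed"         # fresh key, and it is the one in use
    fi
}

# Build constructed sample keys and self-signed certificates in a scratch dir.
make_samples() {
    d=$(mktemp -d)
    openssl genrsa -out "$d/old.key" 2048 2>/dev/null
    openssl genrsa -out "$d/new.key" 2048 2>/dev/null
    for pair in old:old old:reused new:fresh; do      # signing-key:cert-name
        openssl req -x509 -new -key "$d/${pair%%:*}.key" -subj "/CN=www.example.test" \
            -days 30 -out "$d/${pair##*:}.pem" 2>/dev/null
    done
    echo "$d"
}

demo() {
    d=$(make_samples)
    check_rekey "$d/old.pem" "$d/reused.pem" "$d/old.key"   # key-reused
    check_rekey "$d/old.pem" "$d/fresh.pem"  "$d/old.key"   # key-mismatch
    check_rekey "$d/old.pem" "$d/fresh.pem"  "$d/new.key"   # rekeyed
    rm -rf "$d"
}
demo
```

In practice, pass `check_rekey` the certificate saved from before remediation, the certificate now being served, and the private key installed on the server.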

Many organisations do not understand the impact of the Heartbleed bug. Below is a simple POC I tried showing the extraction of login credentials remotely from a vulnerable server:


Fig 1: Login with valid credentials


Fig 2: Dump the memory contents using publicly available exploit code.

There are many exploit codes available online. The exploit code which I used for my test was from which I personally find to be nicely scripted.

