Fixing the infamous Heartbleed bug requires more than just patching the OpenSSL vulnerability. Just as login credentials are assumed to be compromised after a security incident, keys and certificates are no exception: anything that sat in the memory of a vulnerable server process, the private key included, may have been read out by an attacker who never left a trace in the logs.
To successfully fix the Heartbleed bug, these are some steps to consider:
- Patch the OpenSSL vulnerability (upgrade to a fixed release, or rebuild with heartbeats disabled via -DOPENSSL_NO_HEARTBEATS) and restart every service that links the library
- Generate fresh private keys (reissuing a certificate for the same key achieves nothing, since it is the key that may have leaked)
- Purchase / generate / issue / install new certificates bound to the new keys
- Revoke the old certificates once the replacements are in place
- Reset passwords and invalidate session tokens that were in use while the server was vulnerable
Many organisations do not understand the impact of the Heartbleed bug. Below is a simple PoC I ran, showing the extraction of login credentials remotely from a vulnerable server:
Fig 1: Login with valid credentials
Fig 2: Dump the memory contents using publicly available exploit code.
There are many exploit scripts available online. The one I used for my test was from https://gist.github.com/eelsivart/10174134, which I personally find to be nicely scripted.
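To show why the PoC above works, here is a reduced model of the heartbeat handler before and after the fix. This is an added illustration, not the post's PoC and not OpenSSL's source: the TLS record, the surrounding "process memory" (a static arena standing in for the heap) and the planted credential string are all constructed. The two bounds checks in the fixed handler are the ones OpenSSL 1.0.1g added; the response padding is zeroed here where the real code uses random bytes.

```c
/*
 * Model of the TLS heartbeat handler before and after the Heartbleed fix
 * (CVE-2014-0160). Added example, not OpenSSL's code. The record, the
 * neighbouring memory and the secret are constructed so the demo runs offline.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16                      /* RFC 6520 minimum padding */
#define ARENA_SIZE  4096
#define RESP_CAP    (1 + 2 + 65535 + HB_PADDING)

/* Simulated heap: the inbound record at offset 0, unrelated data after it. */
static unsigned char arena[ARENA_SIZE];
static const char secret[] = "user=alice&pass=hunter2";   /* constructed */
static const size_t secret_off = 64;        /* "another connection's" data */

/* Build a heartbeat request whose length field may lie about the payload. */
static size_t build_request(unsigned char *out, uint16_t claimed_len,
                            const unsigned char *payload, size_t actual_len) {
    out[0] = HB_REQUEST;
    out[1] = (unsigned char)(claimed_len >> 8);
    out[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(out + 3, payload, actual_len);
    memset(out + 3 + actual_len, 0, HB_PADDING);
    return 3 + actual_len + HB_PADDING;     /* bytes the record really carries */
}

/* Pre-fix logic: trusts the 16-bit length field, never compares it to rec_len. */
static int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                unsigned char *resp, size_t resp_cap) {
    (void)rec_len;                          /* the bug: record length is ignored */
    unsigned int payload = ((unsigned int)rec[1] << 8) | rec[2];
    if (rec[0] != HB_REQUEST || resp_cap < 3 + payload + HB_PADDING) return -1;
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload);     /* reads past the end of the record */
    memset(resp + 3 + payload, 0, HB_PADDING);
    return (int)(3 + payload + HB_PADDING);
}

/* Post-fix logic: the two length checks from the 1.0.1g patch. */
static int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                           unsigned char *resp, size_t resp_cap) {
    if (rec_len < 1 + 2 + HB_PADDING) return -1;            /* silently discard */
    unsigned int payload = ((unsigned int)rec[1] << 8) | rec[2];
    if (1 + 2 + payload + HB_PADDING > rec_len) return -1;  /* silently discard */
    if (rec[0] != HB_REQUEST || resp_cap < 3 + payload + HB_PADDING) return -1;
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload);     /* now provably inside the record */
    memset(resp + 3 + payload, 0, HB_PADDING);
    return (int)(3 + payload + HB_PADDING);
}

/* Does the response contain the planted secret? (len < 0 means no response.) */
static int contains(const unsigned char *buf, int len, const char *needle) {
    size_t n = strlen(needle);
    if (len < 0 || (size_t)len < n) return 0;
    for (size_t i = 0; i + n <= (size_t)len; i++)
        if (memcmp(buf + i, needle, n) == 0) return 1;
    return 0;
}

/* Plant a 4-byte "ping" record and the secret, run one handler, report the
 * response length (or -1) and whether the secret leaked. claimed_len is kept
 * below ARENA_SIZE - 3 so the over-read stays inside the simulated heap. */
static int run_handler(int (*handler)(const unsigned char *, size_t,
                                      unsigned char *, size_t),
                       uint16_t claimed_len, int *leaked) {
    static unsigned char resp[RESP_CAP];
    *leaked = 0;
    if ((size_t)claimed_len + 3 > ARENA_SIZE) return -2;
    memset(arena, 0, sizeof arena);
    size_t rec_len = build_request(arena, claimed_len,
                                   (const unsigned char *)"ping", 4);
    memcpy(arena + secret_off, secret, sizeof secret - 1);
    int n = handler(arena, rec_len, resp, sizeof resp);
    *leaked = contains(resp, n, secret);
    return n;
}

int main(void) {
    int leaked;
    int n = run_handler(heartbeat_vulnerable, 512, &leaked);
    printf("vulnerable: response %d bytes, secret leaked: %s\n", n, leaked ? "yes" : "no");
    n = run_handler(heartbeat_fixed, 512, &leaked);
    printf("fixed:      response %d (discarded), secret leaked: %s\n", n, leaked ? "yes" : "no");
    return 0;
}
```

The request carries a 4-byte payload but claims 512; the vulnerable handler echoes 512 bytes, sweeping up whatever follows the record, while the fixed handler drops the malformed request without answering. Real servers give the attacker up to 64 KiB of heap per heartbeat, which is why private keys and session cookies, not just the one login shown in the screenshots, have to be considered exposed.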