Stopping the Heartbleed

Fixing the infamous Heartbleed bug requires more than just patching the OpenSSL vulnerability. Just as login credentials are usually assumed to be compromised after a security incident, private keys and certificates are no exception.

To fully remediate the Heartbleed bug, these are some steps to consider:

  • Patch the OpenSSL vulnerability
  • Generate fresh keys
  • Purchase / generate / issue / install new certificates
  • Revoke old certificates
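The steps above are easy to list but easy to get half-done: a host that is patched but still serves the old key gains nothing, and a new certificate installed against the wrong key is a common slip. The following is an added example (shell helpers written for this page, not code from the original post or from OpenSSL) that supports each step: a version classifier for step 1, a key/CSR rotation for step 2, a check that the newly issued certificate really belongs to the new key for step 3, and a check for certificates issued before the patch date for step 4. File names such as SITE.key.new and SITE.csr, the PATCH_EPOCH value, and the use of GNU date are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Defender-side helpers for the
# four remediation steps: classify the installed OpenSSL version, rotate to a
# fresh key pair, confirm the new certificate matches the new key, and flag
# certificates that were issued before the patch went in.
# File names (SITE.key.new, SITE.csr) and PATCH_EPOCH are assumptions.

# Step 1: Heartbleed (CVE-2014-0160) affects OpenSSL 1.0.1 through 1.0.1f and
# the 1.0.2-beta releases. 1.0.1g is the first fixed 1.0.1 release; the 0.9.8
# and 1.0.0 branches never contained the heartbeat code.
# Usage: heartbleed_affected "$(openssl version | awk '{print $2}')"
# Prints "yes" or "no".
heartbleed_affected() {
  case "$1" in
    1.0.1|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta*) echo yes ;;
    *) echo no ;;
  esac
}
# Caveat: distributions backport the fix without bumping the version string, so
# a banner of "1.0.1e" on an updated RHEL/CentOS host may already be safe.
# Check the package changelog (rpm -q --changelog openssl | grep -i heartbeat)
# rather than trusting the version string alone.

# Step 2: generate a fresh private key and a CSR for it. The old key is left
# untouched until the new certificate is installed, so the service never runs
# without a valid pair. SITE is used as the CN and as the file-name prefix.
rotate_key() {
  site="$1"
  openssl genrsa -out "$site.key.new" 2048 2>/dev/null || return 1
  chmod 600 "$site.key.new"
  openssl req -new -key "$site.key.new" -out "$site.csr" -subj "/CN=$site"
}

# Step 3 check: does certificate CRT belong to private key KEY?
# Compares the PEM public key embedded in the certificate with the public half
# derived from the private key. Returns 0 on match, 1 on mismatch or error.
# A missing file must not look like a match, hence the explicit error returns.
key_matches_cert() {
  crt="$1"; key="$2"
  crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# Step 4 check: was certificate CRT issued before the host was patched?
# Any such certificate covers a key that may have been read out of memory and
# belongs on the revocation list. PATCH_EPOCH is the Unix time of the patch
# (assumption: taken from your change record). Uses GNU date; returns 2 when
# the date cannot be parsed so a parse failure is never mistaken for "no".
issued_before_patch() {
  crt="$1"; patch_epoch="$2"
  start=$(openssl x509 -in "$crt" -noout -startdate 2>/dev/null | sed 's/^notBefore=//')
  [ -n "$start" ] || return 2
  start_epoch=$(date -d "$start" +%s 2>/dev/null) || return 2
  [ "$start_epoch" -lt "$patch_epoch" ]
}

# Typical sequence, with the actual calls commented out so the file can be
# sourced safely:
#   heartbleed_affected "$(openssl version | awk '{print $2}')"   # expect "no" after patching
#   rotate_key www.example.com                                   # produces .key.new and .csr
#   key_matches_cert www.example.com.crt www.example.com.key.new # 0 once the new cert is installed
#   issued_before_patch www.example.com.crt "$PATCH_EPOCH"       # 0 means: revoke it
```

The version classifier is deliberately conservative in one direction only: it reports the upstream status of the release number, so a backported distribution package will show as "yes" until you confirm the changelog. The key-match check compares public keys rather than RSA moduli so it also works for ECDSA keys, and it returns failure (not success) when either file is unreadable, which is the failure mode that matters when the check is wired into a deployment script.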

Many organisations do not understand the impact of the Heartbleed bug. Below is a simple PoC I tried, showing the extraction of login credentials remotely from a vulnerable server:

[Image: heartbleed_poc_2]

Fig 1: Login with valid credentials

[Image: heartbleed_poc]

Fig 2: Dump the memory contents using publicly available exploit code.

There are many exploit scripts available online. The one I used for my test was from https://gist.github.com/eelsivart/10174134, which I personally find to be nicely scripted.
