A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server. Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1.
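As an added illustration (not OpenSSL's own code), here is a minimal heartbeat-request handler in C that applies the bounds check the vulnerable 1.0.1 releases lacked; the record layout follows RFC 6520 and the two sample records are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16   /* RFC 6520 minimum padding */

/* Parse a heartbeat request in rec[0..rec_len) and, if well formed, write the
 * response to out (capacity out_cap). Wire layout: type(1) | length(2, big
 * endian) | payload(length) | padding(>=16). Returns bytes written or -1 if
 * the record must be discarded. */
int heartbeat_response(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_MIN_PADDING || rec[0] != HB_REQUEST)
        return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];

    /* The bounds check that CVE-2014-0160 lacked: the peer-supplied length
     * plus header and minimum padding must fit inside the bytes actually
     * received. Without it, the memcpy below reads past the record into
     * whatever heap memory follows it and echoes that back to the peer. */
    if (1 + 2 + payload + HB_MIN_PADDING > rec_len)
        return -1;

    size_t resp_len = 1 + 2 + payload + HB_MIN_PADDING;
    if (resp_len > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + 3, rec + 3, payload);            /* echo only bytes we hold */
    memset(out + 3 + payload, 0, HB_MIN_PADDING); /* real code: random padding */
    return (int)resp_len;
}

/* Constructed sample records: a valid 4-byte "ping", and one whose length
 * field claims 65535 bytes while only 23 bytes were actually received. */
const uint8_t good_rec[23] = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
const uint8_t bad_rec[23]  = { HB_REQUEST, 0xff, 0xff, 'p', 'i', 'n', 'g' };

int main(void)
{
    uint8_t out[64];
    int good = heartbeat_response(good_rec, sizeof good_rec, out, sizeof out);
    int bad  = heartbeat_response(bad_rec, sizeof bad_rec, out, sizeof out);
    return (good == 23 && bad == -1) ? 0 : 1;
}
```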
```text
Check if server is vulnerable against heartbleet SSL attack (CVE-2014-0160)
Usage: check-ssl-heartbleed.pl [ --starttls proto[:arg] ] [ --timeout T ] host:port
  --starttls proto[:arg]  - start plain and upgrade to SSL with starttls protocol (imap,smtp,http,pop)
  -T|--timeout T          - use timeout (default 5)
  -H|--heartbeats N       - number of heartbeats (default 1)
  -s|--show-data [L]      - show heartbeat response if vulnerable, optional parameter L specifies number of bytes per line (16)
  -R|--show-regex-data R  - show data matching perl regex R. Option can be used multiple times
  -q|--quiet              - don't show anything, exit 1 if vulnerable
  -h|--help               - this screen

Examples:
# check direct www, imaps .. server
check-ssl-heartbleed.pl www.google.com:443
check-ssl-heartbleed.pl www.google.com:https
check-ssl-heartbleed.pl mail.google.com:imaps
# try to get Cookies
check-ssl-heartbleed.pl -R 'Cookie:.*' www.broken-site.com:443
# check webserver via proxy
check-ssl-heartbleed.pl --starttls http:www.google.com:443 proxy:8000
# check imap server, start with plain and upgrade
check-ssl-heartbleed.pl --starttls imap imap.gmx.net:143
# check pop server, start with plain and upgrade
check-ssl-heartbleed.pl --starttls pop pop.gmx.net:110
# check smtp server, start with plain and upgrade
check-ssl-heartbleed.pl --starttls smtp smtp.gmail.com:587
```
Which sites are the prime targets? Sites with a member login mechanism in particular, such as webmail and social networks. Many enterprises therefore need to pay attention: the world's largest social network Facebook, SlideShare, the websites of well-known Taiwanese telecom companies, social platforms, online banking, and NAS devices all fall within the scope of this wave of attacks. If they are not patched quickly, once more effective attack tools appear they will truly be bleeding out.
Summary
Even a library as long-established and important as OpenSSL can make this kind of basic C programming mistake. Old code is bound to contain plenty of long-buried problems, and unless it is thoroughly audited, incidents like Heartbleed will keep recurring. Everyone, stop the bleeding quickly!
Organizations with a Nessus license can use Plugin ID 73412 to test for the flaw; it can check operating systems such as CentOS, Debian, FreeBSD, Oracle Linux, Red Hat, Amazon Linux AMI and other platforms including Gentoo, Scientific Linux and Slackware [4].
The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.
The situation for vendor appliances is particularly serious, because every device running the same firmware version is affected, and until the vendor releases an update there is nothing to do but wait for it. For devices no longer under a maintenance contract, the only options are to renew the contract to receive the update, or to see whether the vendor will provide the update file directly. Services such as VPN servers deserve even more attention: if an attacker obtains account credentials, it is as if the door were wide open, and they can log straight into the corporate intranet with your account. Be careful.
How quickly are the various systems being updated?
Quoting from my good friend Ant's article: how quickly each operating system and website gets patched reflects how seriously the company takes security and how efficiently it responds to security incidents, and it can also serve as a basis for choosing systems, websites, and vendors.
```text
Installed Packages
Name        : openssl
Arch        : x86_64
Version     : 1.0.1e
Release     : 16.el6_5.4
Size        : 4.0 M
Repo        : installed
From repo   : ami-updates
Summary     : A general purpose cryptography library with TLS implementation
URL         : http://www.openssl.org/
License     : OpenSSL
Description : The OpenSSL toolkit provides support for secure communications
            : between machines. OpenSSL includes a certificate management tool
            : and shared libraries which provide various cryptographic
            : algorithms and protocols.

Available Packages
Name        : openssl
Arch        : i686
Version     : 1.0.1e
Release     : 16.el6_5.7
Size        : 1.5 M
Repo        : updates
Summary     : A general purpose cryptography library with TLS implementation
URL         : http://www.openssl.org/
License     : OpenSSL
Description : The OpenSSL toolkit provides support for secure communications
            : between machines. OpenSSL includes a certificate management tool
            : and shared libraries which provide various cryptographic
            : algorithms and protocols.

Name        : openssl
Arch        : x86_64
Version     : 1.0.1e
Release     : 16.el6_5.7
Size        : 1.5 M
Repo        : updates
Summary     : A general purpose cryptography library with TLS implementation
URL         : http://www.openssl.org/
License     : OpenSSL
Description : The OpenSSL toolkit provides support for secure communications
            : between machines. OpenSSL includes a certificate management tool
            : and shared libraries which provide various cryptographic
            : algorithms and protocols.
```