Heartbleed bug quick info

heartbleed_bug-tools-and-references.md

Heartbleed bug tools and references

Quick reference and testing tools for the Heartbleed bug

Top 100 Alexa vulnerability tests results

Test services with:

• http://filippo.io/Heartbleed/ Go CLI & web or in a docker container
• https://github.com/titanous/heartbleeder -- postgres support
• http://possible.lv/tools/hb/
• Chromebleed is a chrome extension to warn you about vulnerable sites
• Testing with openssl client
• Metasploit has added a openssl heartbeat client memory test
• Reverse heartbleed test

Test your browser:

• https://www.ssllabs.com/ssltest/viewMyClient.html
• Pacemaker python server for testing clients for vulnerability

More SSL tests with https://www.ssllabs.com/ssltest/

---

What to do

Linux

• See the advisories for your distro

OS X

• Should not be affected for Apple's since they switched in 2012
• Brew openssl should be upgraded. 1 liner from @gregkare's tweet
  • brew update && brew upgrade openssl && brew uses openssl --installed | xargs brew reinstall

Windows

• See advisories. Check 3rd party software

Critical Apps:

• Web, email (IMAP, POP, SMTP) services
• Databases
• VPN software such as openvpn

I recommend enabling perfect forward secrecy on all services SSL/TLS services.

---

Reading material

Advisories:

• OpenSSL Security Advisory
• http://www.circl.lu/pub/tr-21/
• https://www.cert.fi/en/reports/2014/vulnerability788210.html
• http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160
• Tor's advisory includes a bunch of other info

Articles:

• http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html
• http://blog.agilebits.com/2014/04/08/imagine-no-ssl-encryption-its-scary-if-you-try/
• https://www.schneier.com/blog/archives/2014/04/heartbleed.html
• http://blog.lastpass.com/2014/04/lastpass-and-heartbleed-bug.html
• http://thehackernews.com/2014/04/how-heartbleed-bug-exposes-your.html#
• http://news.netcraft.com/archives/2014/04/02/april-2014-web-server-survey.html
• http://www.npr.org/templates/story/story.php?storyId=300813985
• http://vrt-blog.snort.org/2014/04/heartbleed-memory-disclosure-upgrade.html
• http://blog.meldium.com/home/2014/4/10/testing-for-reverse-heartbleed

Discussions:

• OpenBSD take -- http://article.gmane.org/gmane.os.openbsd.misc/211963
• http://seclists.org/fulldisclosure/2014/Apr/90
• https://news.ycombinator.com/item?id=7553745
• http://www.reddit.com/r/Heartbleed/

Info on possible exploits:

• https://www.eff.org/deeplinks/2014/04/wild-heart-were-intelligence-agencies-using-heartbleed-november-2013

Misc:

• Heartbeat disabled in 4.1.2
• RFC6520 -- Datagram Transport Layer Security (DTLS) Heartbeat Extension

---

Other semi-related info

On March 3, 2014 a GnuTLS x.509 bug was found:

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0092
• List anouncement
• RedHat security update/advisory

25 years of vulnerabilities form 1988 to 2012