


          

The password-leaking OpenSSL bug dubbed Heartbleed is so bad, switching off the internet for a while sounds like a good plan. A tiny flaw in the widely used encryption library allows anyone to trivially and secretly dip into vulnerable systems, from your bank's HTTPS server to your private VPN, to steal passwords, login cookies, private crypto-keys and much more. How, in 2014, is this possible? A simple script for the exploit engine Metasploit can, in a matter of seconds, extract sensitive in-memory data from systems that rely on OpenSSL 1.0.1 to 1.0.1f for TLS encryption. The bug affects about 500,000, or 17.5 per cent, of trusted HTTPS websites, we're told, as well as client software, email servers, chat services, and anything else using the aforementioned versions of OpenSSL. A good number of popular web services have now been patched following disclosure of the vulnerability on Monday; you can use this tool (filippo.io/Heartbleed/) to check (use at your own risk, of course), but don't forget to do more than patch your OpenSSL installation if you're affected – change your keys, dump your session cookies and evaluate your at-risk data.

Just 4 bytes can ruin your world 3:) So upgrade OpenSSL as soon as possible. Here you will get an msf module to check (it does more than a typical check if you know exactly what msf is capable of doing :p ) https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb
Posted on: Sat, 12 Apr 2014 06:36:13 +0000
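
To triage an inventory against the version range given in the post (OpenSSL 1.0.1 to 1.0.1f), here is an added example that is not part of the original post. The host names and banner strings are constructed sample data, and the function names are hypothetical.

```python
import re

# Follow-up steps named in the post for affected systems (patching alone is not enough).
FOLLOW_UP = ["upgrade OpenSSL", "change keys", "dump session cookies",
             "evaluate at-risk data"]

def parse_openssl_version(banner):
    """Parse `openssl version` style output, e.g. 'OpenSSL 1.0.1e 11 Feb 2013'.
    Returns (major, minor, fix, letter) or None if no version is found."""
    m = re.search(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)", banner)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)

def in_heartbleed_range(banner):
    """True if the banner falls in 1.0.1 .. 1.0.1f, False if outside,
    None if the banner cannot be parsed."""
    version = parse_openssl_version(banner)
    if version is None:
        return None
    major, minor, fix, letter = version
    # An empty letter is the plain 1.0.1 release and sorts before 'a'.
    return (major, minor, fix) == (1, 0, 1) and letter <= "f"

def triage(inventory):
    """Map each host to 'in-range', 'outside-range' or 'unknown'.
    'in-range' means verify: distributions can backport a fix without
    changing the upstream version letter, so the banner is not proof."""
    labels = {True: "in-range", False: "outside-range", None: "unknown"}
    return {host: labels[in_heartbleed_range(b)] for host, b in inventory.items()}

# Constructed sample inventory (host -> version banner), not real systems.
SAMPLE = {
    "web01": "OpenSSL 1.0.1e 11 Feb 2013",
    "vpn01": "OpenSSL 1.0.1g 7 Apr 2014",
    "mail01": "OpenSSL 0.9.8y 5 Feb 2013",
    "chat01": "OpenSSL 1.0.1 14 Mar 2012",
    "old01": "version string missing",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE).items()):
        todo = ", ".join(FOLLOW_UP) if status == "in-range" else "-"
        print(f"{host:8} {status:14} {todo}")
```

Hosts reported as unknown need a manual check rather than being assumed safe.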
