Everywhere is buzzing with news of the Heartbleed vulnerability in OpenSSL. If you are living under a rock and have missed it just turn on the mainstream news. Not that you will get much detail there... this is a quick tutorial to show you how to test for the vulnerability using a handy Nmap NSE script ssl-heartbleed.nse).
First you will need a working version of Nmap (at least version 6.25), this is not difficult to find or install. So lets jump ahead to running an NSE Script to detect the Heartbleed vulnerability.
ssl-heartbleed.nse script included, no need to download it separately.Download the NSE (ssl-heartbleed.nse) script and the tls.lua library that is required:
Now place the tls.lua in the nselib directory on the system you are running Nmap on. Note: I have not tested this on Windows, only Ubuntu Linux, however it should just be a matter of dropping it in the nselib folder (C:\program files\nmap\nselib).
Running the actual ssl-heartbleed.nse script is simply a matter of referencing it as a parameter to the Nmap command.
nmap -sV -p 443 --script=ssl-heartbleed.nse 192.168.1.1
It really is as simple as that, point to the nse script with the --script= and you are cooking! Even better as this is using Nmap, we can scan entire ranges of IP addresses for the vulnerability.
Testing for the vulnerability
Here is an example of a test against one of my local systems that was running a vulnerable version of OpenVPN-AS.
Nmap scan report for mediacentre (192.168.1.5) Host is up (0.0059s latency). Not shown: 992 closed ports PORT STATE SERVICE VERSION 443/tcp open ssl OpenSSL (SSLv3) | ssl-heartbleed: | VULNERABLE: | The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption. | State: VULNERABLE | Risk factor: High | Description: | OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1) of OpenSSL are affected by the Heartbleed bug. The bug allows for reading memory of systems protected by the vulnerable OpenSSL versions and could allow for disclosure of otherwise encrypted confidential information as well as the encryption keys themselves. | | References: | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160 | http://www.openssl.org/news/secadv_20140407.txt |_ http://cvedetails.com/cve/2014-0160/ Service Info: Host: firefly003; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Not good! looks to be well and truly vulnerable.
Upgrade OpenVPN
OpenVPN had advised that upgrades are required. It was a matter of a quick dpkg -i to upgrade the OpenVPN-AS server on my home network.
Lets try again with another test.
Nmap scan report for mediacentre (192.168.1.5) Host is up (0.0011s latency). PORT STATE SERVICE VERSION 443/tcp open ssl OpenSSL (SSLv3) Service detection performed. Please report any incorrect results at http://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 11.24 seconds
Looks good to me, upgrade successful.
Additional testing can be undertaken with our OpenVAS scan.
Includes a signature for detecting the Heartbleed bug.
Check SSL/TLS services for vulnerabilities and weak ciphers.
Trusted tools. Hosted for easy access.