
How to Run a HeartBleed Attack, and Fix it!

Jayanta

I am sure that if you have spent even a day in the IT industry, you have heard about the OpenSSL HeartBleed vulnerability by now. Vulnerabilities are reported every day, but ones this severe, capable of affecting websites on such a scale, are rare.

And to top it all, the HeartBleed check is now listed in Metasploit, which basically means anyone can run a HeartBleed attack in a few simple steps.


How to Check if Your Website is Vulnerable

Running a HeartBleed attack is not all that difficult for hackers, because the module is easily downloadable from the Internet. For instance, hackers could download and use any security-focused Linux distribution such as Kali Linux Live (download from http://www.kali.org/downloads/), BackTrack, etc. Kali seems to be gaining a lot of popularity amongst hackers and security experts these days. While it can run without installation, experts typically install it on their machines, since that preserves upgraded or newly installed components instead of losing them on every reboot.

A HeartBleed hacker would first update the Metasploit framework on their system. Once that is done, they would download the HeartBleed module. A simple ls command shows whether the module is in place and ready for action.

To check, start the Metasploit console by running the following command:

# msfconsole

You should see a screen like this:

Now, at the msf > prompt, run the following commands:

msf > use auxiliary/scanner/ssl/openssl_heartbleed

msf > set VERBOSE true

This loads the openssl_heartbleed scanner module. Now set the hostname and port of the server to test by running the following commands:

msf > set RHOSTS www.hostname.com

msf > set RPORT 443

And you are all set to run the attack. How do you run it? Simply type "run" and hit enter. Here is an example of the output for a vulnerable website.

...And Now to Remove the Vulnerability

Here is a quick 3-step guide on how to fix your site if it has this vulnerability. How do you know whether your website has the vulnerability? Run the steps above and see whether the output contains data leaked from the server's memory, such as the site's private key. If it shows a screen like the one below, then you are all clear.

But if you find the vulnerability, then you should:


1. Go ahead and upgrade your OpenSSL version to the patched release, which is OpenSSL 1.0.1g. Note that your Linux distribution may have backported the fix to an older stable release of the package, so check with your distribution whether a plain package upgrade is enough or whether you have to compile the latest OpenSSL from source.

2. Regenerate the SSL private key and the certificate signing request (CSR). This is necessary because someone may already have exploited the vulnerability on your server during the zero-day window, before the information went public. With a fresh key, they at least cannot compromise your secure data by using the previously captured private key.

3. Finally, get the new key certified by an SSL certificate authority of your choice and redeploy it to your web server.

There is a point 4 as well, but it's more philosophical than technical. If your server had the vulnerability and you have just fixed it, and your server was storing user passwords, then please go ahead and ask all your users to change their passwords immediately. This ensures that if someone had already exploited this vulnerability on your server, they can no longer use the captured user credentials.
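Steps 1 to 3 above as a shell script, added here as an illustration and not taken from the original article: a function that classifies the installed OpenSSL version string against the 1.0.1g fix, and a function that generates a fresh private key and CSR. It assumes the openssl command-line tool is present; the hostname, file names and the version strings in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): steps 1 to 3 of the fix as
# shell functions. Assumes the openssl command-line tool is installed; the
# hostname and file names used below are constructed placeholders.

# Step 1 check: classify an `openssl version` string (e.g. "OpenSSL 1.0.1f 6 Jan 2014")
# against the 1.0.1g fix. Prints one of: not-affected, vulnerable, fixed, unknown.
# A distribution that backported the fix keeps the old version string, so
# "vulnerable" here means "check your distribution's package changelog".
heartbleed_version_status() {
    case "$1" in
        "OpenSSL "*) ;;
        *) echo unknown; return 1 ;;
    esac
    ver=${1#OpenSSL }      # strip the leading "OpenSSL "
    ver=${ver%% *}         # keep only the version token, drop the build date
    case "$ver" in
        0.9.8*|1.0.0*)      echo not-affected ;;  # branches without the heartbeat code
        1.0.1|1.0.1[a-f])   echo vulnerable ;;    # 1.0.1 up to and including 1.0.1f
        1.0.2-beta*)        echo vulnerable ;;    # 1.0.2 betas shipped the same bug
        1.0.1[g-z]*|1.0.2*|1.1.*|3.*) echo fixed ;;
        *)                  echo unknown; return 1 ;;
    esac
}

# Step 2: generate a fresh private key and a certificate signing request (CSR)
# for it. $1 = hostname for the certificate subject, $2 = output file prefix.
# The old key must be treated as compromised, so a new one is created rather
# than reusing the existing file. Runs in a subshell so umask stays local.
regenerate_key_and_csr() {
    (
        umask 077    # private key is created readable by the owner only
        openssl genrsa -out "$2.key" 2048 &&
        openssl req -new -key "$2.key" -out "$2.csr" -subj "/CN=$1"
    )
}

# Step 3 is done by your CA: submit the .csr file, install the returned
# certificate next to the .key file in the web server's TLS configuration,
# and reload the server.

# Usage on the host being fixed (nothing runs if openssl is absent):
if command -v openssl >/dev/null 2>&1; then
    status=$(heartbleed_version_status "$(openssl version)") || true
    echo "installed OpenSSL: $status"
    # Only regenerate after the upgrade (step 1) is confirmed, otherwise the new
    # key could leak the same way. Constructed hostname and path:
    # [ "$status" = fixed ] && regenerate_key_and_csr www.hostname.com /etc/ssl/private/www
fi
```

Order matters: regenerate the key only once the patched library is confirmed on the host, and when the CA issues the replacement certificate, also have the old certificate revoked so a captured key cannot be used with it.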

May the encryption be with you!
