Main Content

Heya - HollyGraceful here, I make all of this content in my spare time, like it? Please support me :)
You can donate via Bitcoin or Patreon!

Heartbleed

CVE-2014-0160

A vulnerability exists in outdated version of OpenSSL which allows an attacker to cause the server to disclose up to 64kb of server memory contents. This can cause secret keys, authentication tokens, usernames and passwords to be compromised. This can lead to an attacker being able to impersonate users and decrypt data transferred between a user and the server. It can allow an attacker to decrypt data that was sent to a user in the past, not only data that is currently being sent to the user (such as data that is captured during a man-in-the-middle attack).

The issue is with the heartbeat extension to TLS/DTLS and allows an attacker to steal memory contents from both web servers but it also allows malicious web servers to steal data from the memory of users! A site which has previously been vulnerable to this issue should revoke the digital certificate in use at the time and reissue a new one with new keys.

Remediation

Where possible update the version of OpenSSL used, as an alternative if updating is not possible there is the option to recompile the OpenSSL installation with the compile time option that removes the heartbeat functionality – DOPENSSL_NO_HEARTBEATS.

Affected

OpenSSL versions 1.0.1 to 1.0.1f (inclusive) are vulnerable

 

Exploit

https://github.com/sensepost/heartbleed-poc/blob/master/heartbleed-poc.py

https://gist.github.com/eelsivart/10174134

Further Reading

https://heartbleed.com/