OpenSSL HeartBleed (CVE-2014-0160)

Was my OpenSSL affected by the OpenSSL HeartBleed Bug (CVE-2014-0160)?

http://support.f5.com/kb/en-us/solutions/public/15000/100/sol15159.html
http://www.inmotionhosting.com/support/website/security/protect-data-fix-openssl-heartbleed-bug
https://www.nccgroup.com/en/blog/2014/04/heartbleed-openssl-vulnerability/


It really depends on your SSL termination setup.
If SSL is being terminated directly on your Apache server, then you should check whether your OpenSSL version has been patched or is one of the affected versions.

If instead SSL is being terminated on a network load balancer such as an F5 LTM, you will need to check the model you are using and the SSL mode in use.

The links above give the steps on how to check.

How to test remotely?
Run the command below from a client machine; if it prints “safe”, your server's version was not affected.
$ openssl s_client -connect www.coursera.org:443  -tlsextdebug 2>&1 | grep 'server extension "heartbeat" (id=15)' || echo safe

safe

Or you can download the script from below and run:
https://gist.github.com/takeshixx/10107280

[root@rhel6 test]# ./hb-test.py -p 443 www.hlb.com.my
Connecting...
Sending Client Hello...
Waiting for Server Hello...
 ... received message: type = 22, ver = 0302, length = 53
 ... received message: type = 22, ver = 0302, length = 3234
 ... received message: type = 22, ver = 0302, length = 4
Sending heartbeat request...
Unexpected EOF receiving record header - server closed connection
No heartbeat response received, server likely not vulnerable
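As an added example (not part of this post or of the linked hb-test.py), the Python below inspects captured TLS records for heartbeat requests whose declared payload length does not fit inside the record: this is the bounds check the patched OpenSSL applies before echoing a heartbeat, and the same condition IDS signatures for CVE-2014-0160 match on. The sample records are constructed inline.

```python
import struct

TLS_HEARTBEAT = 24      # TLS record content type for heartbeat (RFC 6520)
HB_REQUEST = 1          # heartbeat message type: request
HB_MIN_PADDING = 16     # RFC 6520 requires at least 16 bytes of padding

def parse_tls_records(data):
    """Split a raw byte stream into (content_type, version, body) TLS records.
    A trailing truncated record is dropped rather than misparsed."""
    records, off = [], 0
    while off + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) < length:
            break
        records.append((ctype, version, body))
        off += 5 + length
    return records

def check_heartbeat(body):
    """Classify one heartbeat body: type(1) | payload_length(2) | payload | padding.
    Patched OpenSSL (1.0.1g) requires 1 + 2 + payload_length + 16 to fit inside the
    record before it echoes anything; a request failing that check is the
    Heartbleed trigger, so it is the condition to alert on in captured traffic."""
    if len(body) < 3:
        return "malformed"
    hb_type, declared_len = struct.unpack("!BH", body[:3])
    if hb_type == HB_REQUEST and 1 + 2 + declared_len + HB_MIN_PADDING > len(body):
        return "heartbleed"
    return "ok"

def scan(data):
    """Return a verdict for every heartbeat record in a captured stream."""
    return [check_heartbeat(body) for ctype, _, body in parse_tls_records(data)
            if ctype == TLS_HEARTBEAT]

# Constructed sample records (TLS 1.1, version 0x0302 as in the hb-test.py output above)
HANDSHAKE_REC = bytes.fromhex("16030200040e000000")                  # ServerHelloDone, length 4
BENIGN_HB = bytes.fromhex("1803020017" "01000470696e67") + b"\x00" * 16  # 4-byte "ping" + padding
MALICIOUS_HB = bytes.fromhex("1803020003" "014000")                  # declares 16384 bytes, carries none
TRUNCATED = bytes.fromhex("180302001001")                            # header promises 16 bytes, has 1

if __name__ == "__main__":
    for name, rec in (("benign", BENIGN_HB), ("malicious", MALICIOUS_HB)):
        print(name, scan(HANDSHAKE_REC + rec))
```

Unlike the grep on the heartbeat extension above, which only shows whether the server advertises heartbeat (a patched server may still do so), this looks at the heartbeat messages themselves.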

More detailed information from Red Hat can be found here:

https://access.redhat.com/site/articles/786463
