Wednesday, April 9, 2014

Scanning internal resources for Heartbleed:

Often I get tapped to look at or figure out things not directly related to the mobility space. Today was one of those days, as we had a number of customers inquiring about Heartbleed, or CVE-2014-0160. I won't go into a lot of detail about the mechanics of the vulnerability, but I have been pretty concerned with how I can know whether my <insert Linux-based appliance I don't control> is vulnerable.

For public-facing sites, there are a number of scanners; the one I use is over at http://filippo.io/Heartbleed/. I tested a number of the cloud sites I use and found that one of my cloud Wi-Fi sites is/was affected. But then the question came up of how I determine whether my internal resources were affected.



I discovered a great resource over at http://rollingwebsphere.blogspot.com/2014/04/scanning-for-heartbleed-with-nmap.html, where they talk about using an Nmap script to identify vulnerable sites.

As a security hobbyist, I fired up and patched my Kali Linux box (sorry Zero_Chaos, I still like it better than Pentoo), installed the ssl-heartbleed script and executed it against that well-known vulnerable site.


Here's the step-by-step that I used to scan my company network for CVE-2014-0160:

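# Refresh the package lists and upgrade installed packages (Nmap included)
sudo apt-get update
sudo apt-get upgrade
# Directory for the script itself (ssl-heartbleed.nse)
cd /usr/share/nmap/scripts/
# Directory for the NSE libraries the script depends on
cd /usr/share/nmap/nselib

# Rebuild Nmap's script database so the new script is found (needs root to write it)
sudo nmap --script-updatedb
cd ~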


Then you can use the following to scan a single host on port 443:
nmap --script "ssl-heartbleed" -p 443 X.X.X.X > heartbleed-results.txt

Or to scan a network on port 443:
nmap --script "ssl-heartbleed" -p 443 X.X.X.X/yy > heartbleed-results.txt

If you go through the resulting file, heartbleed-results.txt, you will see the following for a vulnerable host:
Nmap scan report for 10.10.10.168
Host is up (0.016s latency).
PORT    STATE SERVICE
443/tcp open  https
| ssl-heartbleed:
|   VULNERABLE:
|   The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.
|     State: VULNERABLE
|     Risk factor: High
|     Description:
|       OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1) of OpenSSL are affected by the Heartbleed bug. The bug allows for reading memory of systems protected by the vulnerable OpenSSL versions and could allow for disclosure of otherwise encrypted confidential information as well as the encryption keys themselves.
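
On a /yy-sized scan the results file gets long, so here is an added example (not from the original post or the Nmap project) that reduces it to a list of flagged host:port pairs for the patching queue. The function names and the sample data are constructed for illustration; it assumes Nmap's normal output as redirected above.

```shell
# Print "host:port" for every port where ssl-heartbleed reported State: VULNERABLE.
# Reads the file given as $1, or standard input when no file is given.
heartbleed_vulnerable() {
    awk '
        /^Nmap scan report for / {      # new host: keep the address (last field)
            host = $NF; gsub(/[()]/, "", host)
            port = ""; in_hb = 0; next
        }
        /^[0-9]+\/tcp / {               # port line, e.g. "443/tcp open  https"
            port = $1; sub(/\/.*/, "", port)
            in_hb = 0; next
        }
        /^[|][ _]ssl-heartbleed:/ { in_hb = 1; next }   # our script output starts
        /^[|][ _][^ ]/            { in_hb = 0; next }   # output of another script
        in_hb && /^[|][ _] +State: VULNERABLE[ \t\r]*$/ {
            print host ":" port
            in_hb = 0                   # report each host:port once
        }
    ' "${1:--}"
}

# Constructed sample in the format of heartbleed-results.txt (not real scan data).
sample_results() {
cat <<'EOF'
Nmap scan report for 10.10.10.168
Host is up (0.016s latency).
PORT    STATE SERVICE
443/tcp open  https
| ssl-heartbleed:
|   VULNERABLE:
|     State: VULNERABLE
|_    Risk factor: High

Nmap scan report for wiki.example.internal (192.0.2.20)
PORT    STATE SERVICE
443/tcp open  https
| ssl-heartbleed:
|_    State: VULNERABLE

Nmap scan report for 192.0.2.30
PORT    STATE  SERVICE
443/tcp closed https
EOF
}

sample_results | heartbleed_vulnerable
```

Against a real scan, run it as heartbleed_vulnerable heartbleed-results.txt. Hosts that are absent from the list were not flagged by the script, which is not the same as confirmed patched.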