Using N-Stalker free tool to detect Heartbleed

By N-Stalker Team on April 17, 2014

N-Stalker is proud to release a free tool to detect OpenSSL’s Heartbleed vulnerability. It can check targets given as a URL, a host list (text file) or an IP range.

The problem was uncovered by Neel Mehta at Google and a team (Riku, Antti and Matti) at Codenomicon. The following versions of OpenSSL are affected:

  • OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
  • Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
  • Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
  • CentOS 6.5, OpenSSL 1.0.1e-15
  • Fedora 18, OpenSSL 1.0.1e-4
  • OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)
  • FreeBSD 10.0 – OpenSSL 1.0.1e 11 Feb 2013
  • NetBSD 5.0.2 (OpenSSL 1.0.1e)
  • OpenSUSE 12.2 (OpenSSL 1.0.1c)

Versions lower than 1.0.1 (0.9.x) are not vulnerable, and neither are builds compiled with -DOPENSSL_NO_HEARTBEATS.

Problem

According to RFC 6520:

The Heartbeat Extension provides a new protocol for TLS/DTLS allowing
   the usage of keep-alive functionality without performing a
   renegotiation and a basis for path MTU (PMTU) discovery for DTLS.

TLS Heartbeat works much like an echo service: it provides a means to send a custom-sized payload to the server and have it replied back using the DTLS protocol. The user therefore controls both the payload and the size value. The problem lies in ssl/d1_both.c, in the function dtls1_process_heartbeat(), when a user sends a small payload with a wrong size, specifically a large value of up to 64k.

Consequences

The server processes the request and, due to a software flaw, concatenates the small payload with the contents of its own memory to fill the size supplied by the user. That memory can include unencrypted data from other requests and even the server’s own cryptographic keys.

Fix

OpenSSL version 1.0.1g or newer should be used. If this is not possible, software developers can recompile OpenSSL with the handshake removed from the code by using the compile-time option -DOPENSSL_NO_HEARTBEATS.

Detection

Heartbleed can be detected using:
