Heartbleed is a serious vulnerability in OpenSSL that was disclosed on Tuesday, April 8th, and impacted any sites or services using OpenSSL 1.01 – 1.01.f and 1.0.2-beta1. Due to the nature of the bug, the only obvious way to test a server for the bug was an invasive attempt to retrieve memory–and this could lead to the compromise of sensitive data and/or potentially crash the service.
I developed a new test case that neither accesses sensitive data nor impacts service performance, and am posting the details here to help organizations conduct safe testing for Heartbleed vulnerabilities. While there is a higher chance of a false positive, this test should be safe to use against critical services.
The test works by observing a specification implementation error in vulnerable versions of OpenSSL: they respond to larger than allowed HeartbeatMessages.
Details:
OpenSSL was patched by commit 731f431. This patch addressed 2 implementation issues with the Heartbeat extension:
- HeartbeatRequest message specifying an erroneous payload length
- Total HeartbeatMessage length exceeding 2^14 (16,384 bytes)
Newer versions of OpenSSL silently discard messages which fall into the above categories. It is possible to detect older versions of OpenSSL by constructing a HeartbeatMessage and not sending padding bytes. This results in the below evaluating true:
/* Read type and payload length first */ if (1 + 2 + 16 > s->s3->rrec.length) return 0; /* silently discard */
Vulnerable versions of OpenSSL will respond to the request. However no server memory will be read because the client sent payload_length bytes.
False positives may occur when all the following conditions are met (but it is unlikely):
- The service uses a library other than OpenSSL
- The library supports the Heartbeat extension
- The service has Heartbeat enabled
- The library performs a fixed length padding check similar to OpenSSL
False negatives may occur when all the following conditions are met, and can be minimized by repeating the test:
- The service uses a vulnerable version of OpenSSL
- The Heartbeat request isn’t received by the testing client
I have modified the Metasploit openssl_heartbleed module to support the ‘check’ option.
You can download the updated module at
https://github.com/dchan/metasploit-framework/blob/master/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb
We hope you can use this to test your servers and make sure any vulnerable ones get fixed!
David Chan
Mozilla Security Engineer
Rick Flores wrote on
David Chan wrote on
Frank wrote on
David Chan wrote on
Olivier Mengué wrote on
Jose wrote on
Amit wrote on