CVE-2014-0160 ( HeartBleed bug)
chaser7783
There was a new vulnerability posted recently pertaining to OpenSSL. The attack will allow a remote attacker to read up to 64kBytes of system memory from your system per attack attempt. The attack works against servers as well as against clients. Sadly yahoo.com and even Eff.org are vulnerable.
Here is a site to test if a web server is vulnerable:
Test your server for Heartbleed (CVE-2014-0160)
Sample list of vulnerable sites:
Heartbleed Exposure Alexa Top 1000 - Pastebin.com
Information on vulnerability:
Heartbleed Bug
CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
Fix:
https://www.openssl.org/news/secadv_20140407.txt
Comments
YFZblu
Nice post - I have yet to read the technical deets on this, I'll have to check it out later today.
chaser7783
Seems Yahoo account credentials are already hitting pastebin as a result of this vuln.
docrice
The SSL Labs server test can also check for this:
https://www.ssllabs.com/ssltest/index.html
5ekurity
Apparently an NMAP script has been built to identify the vulnerability. Has anyone tried it out yet?
chaser7783
I run a Python script to see if it returns any data on an SSL hello request. Also, so far I have had IDS signatures successfully alert on this, and I have verified the alerts by looking at the payloads and seeing if the TLS layer client/server hellos are present and sending data.