0

Can an external tool accurately determine the current vulnerability of a site to Heartbleed? If so, how? What has to be tested/tested for? What features are required?

vvvvvvvvvv UPDATE 1

What features are required to determine if a vulnerable site was remediated?
How does one determine that it is time to update the password? If we use a tool like those mentioned below, what should the tool be checking? This might include: Is OpenSSL being used? Is version of OpenSSL vulnerable? If vulnerable version, is heartbeat allowed? Were keys updated?

I am assuming that the passwords will be updated. The larger question of determining whether a password "really" needs to be updated is too difficult across a large number of sites. I'll settle for just knowing when I can go ahead and update them. There are several available tools, but I'm not sure they are complete/accurate.

^^^^^^^^^^

While we would all like to know for each site during what period, if any, it was directly vulnerable to Heartbleed, that is a rather difficult problem. Even more desirable and difficult: was site breached and what was lost.

For the much more limited purposes of knowing whether it is safe/time to update a site password(s), we need to determine whether a site is currently vulnerable to Heartblood or not. The "not" may be because of remediation or because the site inherently cannot be exploited (different software) but for the purposes of this question, assume that all site passwords are going to be changed but only if/when the respective site is not currently vulnerable.

Anti-weakpasswords provided the most complete list of Heartbleed vulnerability checkers for sites (see below) that I've seen in response to: HeartBleed - How to detect compromised websites LastPass also has a site vulnerability checker: https://lastpass.com/heartbleed/ ChromeBleed is a chrome extension to identify vulnerable sites: https://chrome.google.com/webstore/detail/chromebleed/eeoekjnjgppnaegdjbcafdggilajhpic

Right now, though, there are several Heartbleed vulnerability detectors/checkers that I'll list for the community.

Qualys SSL Labs is more or less the canonical free SSL test site; they added an experimental Heartbleed test hours ago (and set the security grade to F for every site that's found to be vulnerable.

titanous on github appears to still be under active development, and titanous also released Go programming code for Heartbleed detection, had better messages than Filippo as of this morning, and was last updated 32 minutes ago. It appears to be under the Go license, though I didn't do a full comparison; similar to a BSD 3 clause license.

Filippo.io was one of the first Web sites, and they released their code on github with an MIT license (Go programming language), and was last updated 4 hours ago.

musalbas on github released the Python program "ssltest.py" about 10 hours ago that can do mass/bulk tests in only 178 lines (including a few comments), no license listed. Musalbas also released lists of the results of scanning the top 100, 1000, 10000, and 1 million Internet sites as of about 7 hours ago. This is a variant of Stafford's code.

possible.lv is another web site that does Heartbleed vulnerability scans.

Codenomicon Defensics appears to do detect Heartbleed as well.

@Lekensteyn released the pacemaker python client checker, modified a few hours ago, as well as the original Stafford version of ssltest.py. No specific license is listed.

Metasploit is also gaining Heartbleed tests very rapidly, including both the server check linked here and a client check from @HDMoore and @Lekensteyn.

BillR
  • 219
  • 1
  • 8
  • @AviD - This is not a duplicate. I'm asking when/how does one know when it is safe/time to update a site password AND assuming we will. The referenced question is related but different: how does one determine whether the site was in fact compromised. – BillR Apr 10 '14 at 15:50
  • @Avid - I posted an update just(?) prior to your action. Perhaps they crossed. Does it and the above comment address your concern? – BillR Apr 10 '14 at 15:58

1 Answers1

0

Can an external tool accurately determine the current vulnerability of a site to Heartbleed? If so, how? What has to be tested/tested for? What features are required?

For a server to be "eligible" to the Heartbleed attack, the following two conditions must be met:

  • A vulnerable OpenSSL library version is used (from 1.0.1 up to 1.0.1f). Some vendors do patch intermediate versions though which would fix the bug.
  • The Heartbeat TLS extension must be advertised. If this extension is disabled, then you are not affected.

A possible attack will then:

  • Send a Heartbeat request with a large payload length, without actually supplying the payload.
  • A broken client or server will then reply with a large payload instead of staying silent.

Exploitation is always possible if the conditions are met, unless there is some IDS in between that block the malicious heartbeat.

Lekensteyn
  • 5,898
  • 5
  • 37
  • 62
  • To know whether to bother updating passwords, wouldn't we also need to know whether a previously vulnerable site updated its certificates? Other actions? – BillR Apr 10 '14 at 14:26
  • 1
    @BillR http://security.stackexchange.com/questions/55083/what-should-end-users-do-about-heartbleed – Iszi Apr 10 '14 at 17:17