09 April 2014

Heartbeat/HeartBleed - Resources Only


I'm not going to rehash everything that's been said about how the vulnerability works, why anyone should patch or what else they need to do - at least not yet.

This post is just a list of resources so I can keep my sanity.

GENERAL


The OpenSSL advisory:
http://www.openssl.org/news/secadv_20140407.txt

An easy way to check whether heartbeat extensions may be enabled:
openssl s_client -connect <server>:<port> -tlsextdebug | grep -i heartbeat

SANS Webcast covering the vulnerability (9 April 2014, 20.15 EDT):
https://www.sans.org/webcasts/openssl-heartbleed-vulnerability-98105

SANS Webcast "part two" (10 April 2014):
https://www.sans.org/webcasts/heartbleed-vulnerability-2-98130

SANS Webcast on *CLIENT* side exploitation:
https://www.sans.org/webcasts/side-heartbleed-clientside-heartbleed-vulnerabilities-explained-98135

Snort and Suricata rules:
http://blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/
http://blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/
https://lists.emergingthreats.net/pipermail/emerging-sigs/2014-April/024056.html

LOCAL SCANNERS


An Nmap script to check if a server is vulnerable (note: originally only checked one of the three TLS versions):
http://seclists.org/nmap-dev/2014/q2/att-25/ssl-heartbleed.nse

A Metasploit module:
http://www.rapid7.com/db/modules/auxiliary/scanner/ssl/openssl_heartbleed

Even better, a Metasploit module for exploiting clients:
http://www.rapid7.com/db/modules/auxiliary/server/openssl_heartbeat_client_memory

A scanner I've been really pleased with:
https://gist.github.com/takeshixx/10107280

Another Python-based scanner, checks all TLS versions:
https://gist.github.com/jpicht/10114168

*Another* Python-based scanner, this time for checking your clients:
https://github.com/Lekensteyn/pacemaker

Another server scanner my co-workers have been really pleased with:
https://github.com/FiloSottile/Heartbleed

An excellent, fast server scanner called masscan now has Heartbleed support:
https://github.com/robertdavidgraham/masscan

WEB-BASED SCANNERS


Enter your server's <host>.<domain> to see if it is vulnerable:
http://filippo.io/Heartbleed/

This one, courtesy of Qualys, gives a really nice health check:
https://www.ssllabs.com/ssltest/

OS ADVISORIES AND UPDATES


Ubuntu
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-0160.html

Debian
https://security-tracker.debian.org/tracker/CVE-2014-0160

RHEL
http://rhn.redhat.com/errata/RHSA-2014-0376.html

CentOS
http://lists.centos.org/pipermail/centos-announce/2014-April/020249.html

Gentoo
http://www.gentoo.org/security/en/glsa/glsa-201404-07.xml

Cygwin (okay, not a distribution, but they were second only behind Gentoo in patching)
http://cygwin.com/packages/x86/libopenssl100/

FreeBSD
http://www.freebsd.org/security/advisories/FreeBSD-SA-14:06.openssl.asc
