Educause Security Discussion mailing list archives
Re: Finding Servers Using OpenSSL SSL/TLS
From: "Scherck, Daniel" <scherckd () EVERGREEN EDU>
Date: Fri, 11 Apr 2014 18:28:44 +0000
Note that this method is not an actual test of the exploit, but rather a test to find potentially vulnerable targets that should be examined more closely.

Dan Scherck
The Evergreen State College

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Scherck, Daniel
Sent: Friday, April 11, 2014 11:25 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Finding Servers Using OpenSSL SSL/TLS

You can check for the basic heartbeat vulnerability using an OpenSSL client, presuming you can hit the server from your location:

    openssl s_client -connect <servername>:443 -tlsextdebug | grep "server extens"

The result should spit back a few lines listing the TLS extensions detected on the server, and as long as there isn't one that says "heartbeat" you should be ok. See this link: http://www.hacklabs.com/team-penetration-testing/2014/4/8/testing-for-the-tls-heartbleed-vulnerability.html

Example response with heartbeat:

    TLS server extension "heartbeat" (id=15), len=1

Dan Scherck
The Evergreen State College

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Pratt, Benjamin E.
Sent: Friday, April 11, 2014 11:20 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Finding Servers Using OpenSSL SSL/TLS

This would work but is there a way to do this remotely? I can certainly ask distributed admins to run this command on their systems but is there a way for me to remotely check what they may be using to encrypt the SSL stream? The only way that I can think of would be to look for implementation inconsistencies between systems, similar to an Nmap OS fingerprinting check, but I was hoping there would be an easier/existing way.

Thanks,
Ben
--
Benjamin Pratt
St. Cloud State University

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Peter Setlak
Sent: Friday, April 11, 2014 12:16 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Finding Servers Using OpenSSL SSL/TLS

Along with watching for SSL traffic, we've been checking systems that may have OpenSSL installed and running:

    ./openssl version

Hoping they come back 0.98 (or at least not 1.0.1[-f]).

On Fri, Apr 11, 2014 at 1:11 PM, Joel L. Rosenblatt <joel () columbia edu> wrote:

> We have been running an ssltest python script (from https://gist.github.com/jpicht/10114168) and verifying the results with the http://filippo.io/Heartbleed web site
>
> We have repaired all but 1 or 2 at this point - the process will keep on running to catch new ones that will pop up
>
> Thanks,
> Joel
>
> Joel Rosenblatt, Director Network & Computer Security
> Columbia Information Security Office (CISO)
> Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
> http://www.columbia.edu/~joel
> Public PGP key http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3
>
> On Fri, Apr 11, 2014 at 12:52 PM, Steven Carmody <steven_carmody () brown edu> wrote:
>
>> On 4/11/14 12:49 PM, Joel L. Rosenblatt wrote:
>>> We keep a constantly updating list of any IP address that accepts connections on port 443 using netflow information, we test them for the Heartbleed bug and inform the machine owner if they have a problem
>>
>> Can you provide any more detailed info about how you test machines for the Heartbleed vulnerability? Are you looking at the headers that returned, or doing something else?
--
Thank you,
Peter J. Setlak
Network Security Analyst, GSEC, GLEG, GCPM
Colgate University
---
psetlak () colgate edu
(315) 228-7151
Case-Geyer 450
Colgate IT Security - http://colgate.edu/itsecurity
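The two triage checks discussed in this thread (Dan's `-tlsextdebug` extension listing and Peter's `openssl version` string check) as a small POSIX shell helper set. This is an added example, not code from any poster; it assumes an `openssl` binary on PATH for the live `scan_host` check, while the two parsing helpers run on captured output and need no network.

```shell
#!/bin/sh
# Added example, not code from any poster in this thread. Assumes an
# "openssl" binary on PATH for the live check; the two parsing helpers
# work on captured output and need no network.

# heartbeat_advertised: read `openssl s_client -tlsextdebug` output on
# stdin; exit 0 when the server advertised the TLS heartbeat extension.
# A hit means "look closer", not "confirmed vulnerable": a patched
# 1.0.1g server still advertises heartbeat by default.
heartbeat_advertised() {
    grep -q 'TLS server extension "heartbeat" (id=15)'
}

# version_class: classify an `openssl version` string such as
# "OpenSSL 1.0.1e 11 Feb 2013". Prints "affected-range" for 1.0.1
# through 1.0.1f (and the 1.0.2 betas), otherwise "ok". Vendors often
# backport the fix without bumping this string, so "affected-range" on
# a distro package means check the package changelog or run the live test.
version_class() {
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    case "$ver" in
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta|1.0.2-beta1) echo affected-range ;;
        *) echo ok ;;
    esac
}

# scan_host: live extension check against host[:port]; prints one
# result line per host so the output can feed a notification step.
scan_host() {
    host=$1; port=${2:-443}
    out=$(openssl s_client -connect "$host:$port" -tlsextdebug \
              </dev/null 2>/dev/null) || { echo "$host connect-failed"; return 2; }
    if printf '%s\n' "$out" | heartbeat_advertised; then
        echo "$host heartbeat-advertised"; return 1
    fi
    echo "$host no-heartbeat-ext"
}

# Usage over a host list (one per line, e.g. the netflow-derived list of
# port-443 listeners described in the thread):
#   while read -r h; do scan_host "$h"; done < hosts.txt
```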