美文网首页
OpenSSL Heartbeat Information Di

OpenSSL Heartbeat Information Di

作者: 九月莲灿 | 来源:发表于2019-09-30 00:12 被阅读0次

    1. 漏洞报告

    image.png

    2. 漏洞介绍

               OpenSSL是OpenSSL团队开发的一个开源的能够实现安全套接层(SSL v2/v3)和安全传输层(TLS v1)协议的通用加密库,它支持多种加密算法,包括对称密码、哈希算法、安全散列算法等。
               OpenSSL的TLS和DTLS实现过程中的d1_both.c和t1_lib.c文件中存在安全漏洞,该漏洞源于当处理Heartbeat Extension数据包时,缺少边界检查。远程攻击者可借助特制的数据包利用该漏洞读取服务器内存中的敏感信息(如用户名、密码、Cookie、私钥等)。

    3. 漏洞危害

    攻击者可以通过构造特殊的数据包,直接远程读取存在漏洞的OpenSSL服务器内存中多达64KB的数据,极有可能导致网站用户帐号密码等敏感数据被非法获取。

    4. 漏洞检测

    4.1 Nmap检测

    C:\Users\KonLaLe>nmap -sS -sV -p 8443 --script="ssl-heartbleed.nse" 192.168.56.129
    Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-29 23:29 ?D1ú±ê×?ê±??
    Nmap scan report for 192.168.56.129
    Host is up (0.0010s latency).
    
    PORT     STATE SERVICE  VERSION
    8443/tcp open  ssl/http nginx 1.4.0
    |_http-server-header: nginx/1.4.0
    | ssl-heartbleed:
    |   VULNERABLE:
    |   The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.
    |     State: VULNERABLE
    |     Risk factor: High
    |       OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1) of OpenSSL are affected by the Heartbleed bug. The bug allows for reading memory of systems protected by the vulnerable OpenSSL versions and could allow for disclosure of otherwise encrypted confidential information as well as the encryption keys themselves.
    |
    |     References:
    |       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
    |       http://www.openssl.org/news/secadv_20140407.txt
    |_      http://cvedetails.com/cve/2014-0160/
    MAC Address: 00:0C:29:3E:BA:70 (VMware)
    
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 14.68 seconds
    

    5. 漏洞修复

    1. 受影响的用户应升级到OpenSSL 1.0.1g。
    2. 用户无法立即升级也可以使用-dopenssl_no_heartbeats重新编译openssl。

    相关文章

      网友评论

          本文标题:OpenSSL Heartbeat Information Di

          本文链接:https://www.haomeiwen.com/subject/jgkouctx.html