Though the OpenSSL Heartbleed vulnerability (CVE-2014-0160) has been known since April of 2014, it continues to affect websites almost five years later.
Heartbleed refers to an information disclosure vulnerability in the TLS and DTLS implementations in outdated OpenSSL versions that can lead to the exposure of private encryption keys.
The name "Heartbleed" alludes to how the OpenSSL vulnerability works.
The TLS protocol contains a feature called the heartbeat extension. It allows TLS connections to remain open even though no data may be actively or regularly using the connection for a period of time. Instead of timing out, if the client sends a TLS heartbeat request periodically to the web server, the session will remain open, instead of having to be reestablished.
Versions 1.0.1 of the popular OpenSSL cryptographic software, through 1.0.1.g, handle the heartbeat extension packets incorrectly. A normal heartbeat request packet contains both the payload as well as a number specifying the payload length. But, the vulnerable version of OpenSSL does not check to make sure the payload length value provided is actually correct.
In a Heartbleed attack, a malicious party can claim in the request that the payload length is bigger than it actually is. The vulnerable OpenSSL server does not check the actual size of the request packet before crafting its response -- and instead pads the response to match the claimed size of the request, copying information out of process memory to do so.
That is the "bleed": server memory that includes whatever sensitive data that OpenSSL still had in memory. Compromised information may include credentials, session cookies, emails, messages, and financial data. It can also include private encryption keys that can be used to decrypt sensitive data sent over the TLS session has now been sent to an attacker.
The keys are of particular concern. Since the security of SSL/TLS encryption depends on keeping those private keys secret, the fact that they have been revealed has rendered any data encrypted based on those keys insecure.
To protect your clients and your business, you need to identify all web servers on your network and ensure that they are no longer running a cryptographic software library vulnerable to the Heartbleed bug.
In addition to being a full-featured web application security scanner, Netsparker can identify whether your web servers are still vulnerable to the Heartbleed vulnerability.
Netsparker is versatile and scalable. If your business wants to scan specifically for Heartbleed, the IT security team can easily configure a scan using that individual vulnerability check. Or, the test can be run along with a more extensive suite of web application tests. Our vulnerability scanner comes in both a standalone Microsoft Windows version as well as an online hosted, and self-hosted edition, so you can choose which version fits best with your security team and infrastructure.
Just as with our web application tests, you have the advantage of Proof-Based Scanning™. Unlike other vulnerability scanners, Netsparker's Heartbleed test is not a simple banner grab. You see more than just whether the server is running a vulnerable version of OpenSSL.
Instead, Netsparker Web Application Security Scanner provides a memory dump: showing what it sent to the TLS server, and what information it was able to pull from memory in addition to the heartbeat response. These dead accurate results mean you can see for yourself what sensitive information is at risk, and if the Heartbleed vulnerability is found, you can easily justify an upgrade to the infrastructure team and to executives.
Don't let Heartbleed compromise the security of your clients' and customers' sensitive data. Contact us for a free demo of Netsparker Web Application Security Scanner today, and learn how easy it is to make sure that your web servers are keeping the promise of SSL/TLS encryption.