AppCheck NG updated to discover Critical OpenSSL bug “Heartbleed”

UPDATE (11/04/2014): Proof of Concept exploit module added to AppCheck NG.

On 7th April 2014 a group of security researchers disclosed a critical security flaw in the popular cryptographic software library OpenSSL.

The Heartbleed Bug allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet.

OpenSSL is the most popular open source library for providing encrypted SSL communications on the Internet and therefore there is a high chance that this flaw will affect your network and applications.

The Sec-1 AppCheck NG Web Application and Infrastructure vulnerability scanner has already been updated with a plugin to detect the flaw.

Heartbleed vulnerability discovery using AppCheck NG

  • Scan IPs and URLs for the “Heartbleed” vulnerability
  • Infrastructure and Web Applications will be scanned for all other classes of vulnerability including missing patches, SQL Injection, and Cross Site Scripting
  • Register now for your scan – Click here

What does the flaw allow the attacker to achieve?

The vulnerability allows the attacker to read 64KB chunks of process memory from the affected OpenSSL implementation. This could allow the extraction of private keys, user credentials, web server session IDs and other sensitive information.

Which services are likely to be affected?

Common services affected by this flaw include:

  • The Apache Web Server
  • Various Mail Server Platforms
  • VPN and Firewall SSL interfaces
  • Proxy servers such as NGINX

Which versions of OpenSSL are affected?

Status of different versions:

  • OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
  • OpenSSL 1.0.1g is NOT vulnerable
  • OpenSSL 1.0.0 branch is NOT vulnerable
  • OpenSSL 0.9.8 branch is NOT vulnerable
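
The version list above can be applied to an inventory of `openssl version` output or server banners. The following is an added example, not part of the original advisory or of AppCheck NG; the function name, status strings and sample banners are assumptions made for illustration. A version string is only an indicator, because distributions may backport the fix without changing the upstream version, so confirm the result with a scan.

```python
import re

# Matches "OpenSSL 1.0.1e", "OpenSSL/1.0.1c" and "OpenSSL 1.0.1e-fips".
_VERSION_RE = re.compile(r"OpenSSL[ /](\d+)\.(\d+)\.(\d+)([a-z]*)", re.IGNORECASE)

SAMPLE_BANNERS = [  # constructed sample input, not taken from the advisory
    "OpenSSL 1.0.1e 11 Feb 2013",
    "Server: Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/1.0.1c",
    "OpenSSL 1.0.1g 7 Apr 2014",
    "OpenSSL 0.9.8y 5 Feb 2013",
    "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "Server: nginx/1.4.7",
]


def classify(banner):
    """Return (version, status) for a banner, using only the advisory's list."""
    m = _VERSION_RE.search(banner)
    if not m:
        return (None, "no OpenSSL version found")
    branch = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter = m.group(4).lower()
    version = ".".join(str(n) for n in branch) + letter
    if branch == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f inclusive are vulnerable.
        if letter == "" or (len(letter) == 1 and letter <= "f"):
            return (version, "VULNERABLE")
        if letter == "g":
            return (version, "not vulnerable")
        return (version, "not listed in advisory")
    if branch in ((1, 0, 0), (0, 9, 8)):
        # The whole 1.0.0 and 0.9.8 branches are unaffected.
        return (version, "not vulnerable")
    # Anything else is outside the advisory's list; do not guess.
    return (version, "not listed in advisory")


if __name__ == "__main__":
    for line in SAMPLE_BANNERS:
        version, status = classify(line)
        print(f"{str(version):10} {status:28} {line}")
```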

Where can I find further information?

Read more about this bug here, or for more information on AppCheck NG call us on 01924 284 240.

You can also download an AppCheck PDF here.
