The “Heartbleed bug” surfaced publicly in 2014. However, it debuted in software long before that in 2011. If you are not familiar with the HeartBleed bug here’s what you should know:
- The Heartbleed Bug was a vulnerability in the popular OpenSSL cryptographic software library.
- The Heartbleed bug was a memory leak of protected information.
- The Heartbleed bug affected the SSL/TLS and was said to be an implementation issue with older versions.
- The Heartbleed bug not only affected the Transport layer, it also affected the Presentation and Application layer as well, as it affected (HTTPS, SMTP, IMAP, POP3, FTP, and SSL) which is a combination of all 3 layers.
- The OpenSSL 1.0.1g released on 7th of April 2014 fixed the Heartbleed bug.
Fixing a bug does not mean we shouldn’t still keep an eye on it. In fact, the National Institute of Standards and Technology keeps a national vulnerability database and the “Heartbleed bug” is filed under CVE-2014-0160. “CVE” stands for Common Vulnerabilities and Exposures.
It is everyone’s job to be proactive and protect themselves and their end users against vulnerabilities and exploits. Here are 3 options for you to become comfortable with the process as a beginner:
TEST TOOL OPTION 1: SSL-TOOLS NET
- Navigate to: https://ssl-tools.net/heartbleed-test
- Type the domain name of your website in the “Test web servers” section
- Click “Test web servers”
- After clicking “Test web servers” you would see the below result.
TEST TOOL OPTION 2: PENTEST TOOLS
- Navigate to: https://pentest-tools.com/network-vulnerability-scanning/openssl-heartbleed-scanner
- Type the domain name of your website in the scan now input field
- Select Light Scan as Full Scan is part of the paid version
- Click scan now
- After clicking scan now you should see a similar result to the below.
TEST TOOL OPTION 2: NMAP Utility
For those of you who want to get really fancy and challenge yourself you can run a command using nmap:
I’m currently using a mac terminal so these instructions are based on a mac terminal. You may Google further for other options if necessary.
- Navigate to your mac terminal
- Before running the test you should ensure that you have the latest version of nmap
- Once you are at the terminal enter the nmap command with your hostname ip address. You can copy and paste the below and enter your ip address where the X’s are: nmap -sV xxx.xx.xx.xxx –script=ssl-heartbleed
NOTE: with nmap the “-sV” means: Probe open ports to determine service/version info
Below is an example of a healthy system. If you were vulnerable to heartbleed it would be listed in the port scan.
There are many tools on the internet that you can use to check your heartbleed vulnerability status. Take sometime to dig deeper.
If you’d like to see a full list of known vulnerabilities and exposures you can view them here.