Heartbleed (CVE-2014-0160) Detection and Defense



Detecting with Nmap

nmap -sV --script=ssl-heartbleed [your ip] -p 443

Report for a host with the Heartbleed vulnerability:

➜  ~ nmap -sV --script=ssl-heartbleed 111.X.X.53 -p 443
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-22 12:10 CST
Nmap scan report for 111.X.X.53
Host is up (0.040s latency).

PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http nginx
| ssl-heartbleed:
|   VULNERABLE:
|   The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.
|     State: VULNERABLE
|     Risk factor: High
|       OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1) of OpenSSL are affected by the Heartbleed bug. The bug allows for reading memory of systems protected by the vulnerable OpenSSL versions and could allow for disclosure of otherwise encrypted confidential information as well as the encryption keys themselves.
|
|     References:
|       http://www.openssl.org/news/secadv_20140407.txt
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
|_      http://cvedetails.com/cve/2014-0160/

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.26 seconds

Report for a host without the Heartbleed vulnerability:

➜  ~ nmap -sV --script=ssl-heartbleed 39.156.69.79 -p 443
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-13 07:59 CST
Nmap scan report for 39.156.69.79
Host is up (0.0091s latency).

PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http Baidu Front End httpd 1.0.8.18
|_http-server-header: bfe/1.0.8.18

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 37.99 seconds
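
When many hosts are scanned, the two report shapes above can be told apart automatically. The following is an added example, not part of the original article: a shell function that reads Nmap's normal output and prints one verdict per open port. The function names, the `no-finding` label and the sample addresses (192.0.2.x) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): triage Nmap normal output
# produced by `nmap -sV --script=ssl-heartbleed -p 443 <targets>`.

# heartbleed_triage [file...]   (reads stdin when no file is given)
# Prints one line per open port: "<host> <port> VULNERABLE|no-finding".
heartbleed_triage() {
  awk '
    function emit() {
      if (port != "") print host, port, (vuln ? "VULNERABLE" : "no-finding")
      port = ""; vuln = 0; in_script = 0
    }
    # New host section: remember the address, dropping "(...)" if present.
    /^Nmap scan report for / { emit(); host = $NF; gsub(/[()]/, "", host); next }
    # New open port row, e.g. "443/tcp open  ssl/http nginx".
    /^[0-9]+\/(tcp|udp)[ \t]+open[ \t]/ { emit(); port = $1; next }
    # Start of the ssl-heartbleed script block for the current port.
    /^\|[_ ]?ssl-heartbleed:/ { in_script = 1; next }
    # Start of any other script block ends the heartbleed block.
    /^\|[_ ]?[a-z]/ { in_script = 0; next }
    # Only a "State: VULNERABLE" line inside that block counts as a finding.
    in_script && /State: VULNERABLE/ { vuln = 1 }
    END { emit() }
  ' "$@"
}

# Constructed sample input modelled on the two reports shown above.
sample_scan() {
  cat <<'EOF'
Nmap scan report for 192.0.2.10
PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http nginx
| ssl-heartbleed:
|   VULNERABLE:
|     State: VULNERABLE
|_    Risk factor: High

Nmap scan report for 192.0.2.20
PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http Baidu Front End httpd 1.0.8.18
|_http-server-header: bfe/1.0.8.18
EOF
}

sample_scan | heartbleed_triage
```

A `no-finding` verdict only means the script printed no `State: VULNERABLE` line for that port, as in the second report above; it does not confirm that the check completed. Running Nmap with `--script-args vulns.showall` makes scripts built on the vulns library report a NOT VULNERABLE state explicitly.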

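Remediation recommendations

  1. If a vulnerable server is found, take it offline immediately so that it does not continue to expose sensitive information.
  2. Stop the old version of the SSL service and upgrade to a new version of the SSL service.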

