Test tool available for checking if server is vulnerable

Jun 16, 2014 12:06 GMT

Although a security patch was issued at the beginning of the month against the OpenSSL vulnerability (CVE-2014-0224) that allowed an attacker to decrypt and modify client-server traffic, plenty of servers seem to still be exposed to the threat.

A scan by Qualys for hosts still open to the CVE-2014-0224 OpenSSL vulnerability found that almost half (49%) of the servers checked were still vulnerable. Of those, about 14% were exploitable.

CVE-2014-0224 was fixed on June 5. It allowed an attacker to force a server and a client to negotiate weak keys. The flaw affects all OpenSSL clients, regardless of the OpenSSL version.

However, for an exploit to succeed, both the client and the server must be vulnerable; on the server side, only hosts running OpenSSL 1.0.1 or 1.0.2-beta1 qualify.
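To make the version rules above concrete, here is an added Python triage helper (not Qualys' test tool and not code from the article): it parses OpenSSL version strings and classifies a host as patched, vulnerable or exploitable following the article's rules. The release numbers that first carry the June 5 fix (0.9.8za, 1.0.0m, 1.0.1h and 1.0.2-beta2) are assumed from the OpenSSL advisory, not taken from the article.

```python
import re

# Assumed (from the OpenSSL advisory of June 5, 2014, not from the article):
# the first release on each branch that carries the CVE-2014-0224 fix.
FIXED_LETTER = {(0, 9, 8): "za", (1, 0, 0): "m", (1, 0, 1): "h"}
FIXED_BETA = {(1, 0, 2): 2}  # 1.0.2-beta2 was the first fixed beta
# Server branches the article names as exploitable when unpatched.
EXPLOITABLE_SERVER_BRANCHES = {(1, 0, 1), (1, 0, 2)}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?$")


def parse_version(text):
    """Split '1.0.1g' / '0.9.8za' / '1.0.2-beta1' into (branch, letters, beta)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % text)
    branch = tuple(int(m.group(i)) for i in (1, 2, 3))
    beta = int(m.group(5)) if m.group(5) else None
    return branch, m.group(4), beta


def _letter_key(letters):
    # OpenSSL patch letters order as "" < "a" < ... < "z" < "za" < "zb" ...
    return (len(letters), letters)


def is_patched(version):
    """True if this release already contains the June 5 fix."""
    branch, letters, beta = parse_version(version)
    if beta is not None:
        return branch in FIXED_BETA and beta >= FIXED_BETA[branch]
    if branch in FIXED_LETTER:
        return _letter_key(letters) >= _letter_key(FIXED_LETTER[branch])
    # 1.0.2 final and later shipped after the fix; older unlisted branches
    # are out of support, so treat them conservatively as unpatched.
    return branch >= (1, 0, 2)


def classify_server(version):
    """'patched', 'vulnerable' (upgrade anyway) or 'exploitable' (1.0.1 / 1.0.2-beta1)."""
    if is_patched(version):
        return "patched"
    branch = parse_version(version)[0]
    return "exploitable" if branch in EXPLOITABLE_SERVER_BRANCHES else "vulnerable"


def client_vulnerable(version):
    # Per the article: every unpatched OpenSSL client is affected, whatever its version.
    return not is_patched(version)


def pair_exploitable(client_version, server_version):
    """Both ends must be vulnerable for the attack to work."""
    return client_vulnerable(client_version) and classify_server(server_version) == "exploitable"
```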

Most web browsers do not rely on OpenSSL to provide a secure connection, but the problem is present on Android, where browsers use the library.

According to the Qualys post, all hosts found to be vulnerable (exploitable or not) should be upgraded, since other methods of exploiting the issue may still be found.

Most of the hosts checked with Qualys' tool were running OpenSSL 1.0.1, while the exploitable ones were using versions 0.9.x or 1.0.0. The test tool is available to any administrator who wants to check their servers.