0 Replies Latest reply on Jul 9, 2015 12:41 PM by Robert Stinnett

    OpenSSL CVE-2015-1793 Forgery Check

    Robert Stinnett

      Hey everyone,


      I was asked this morning if we were vulnerable to this flaw (documented at http://openssl.org/news/secadv_20150709.txt).  I threw this together real quick. I know there are other ways of doing it, but this was a simple and quick method that allowed us to check all our servers and be done with it.


      Step 1.  Created an Extended Object for Linux Servers running remotely with the following command:


      openssl version | grep -F -e 1.0.2c -e 1.0.2b -e 1.0.1n -e 1.0.1o > /dev/null && echo "OpenSSL vulnerable" || echo "OpenSSL not vulnerable"


      Step 2.  Ran an audit against a server that was "not vulnerable".


      Step 3.  Read the results ;-)


      Hope this can help someone else.  Cheers!


      Robert Stinnett
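
An exact-match variant of the check in the post, as an added example that is not part of the original post. It compares the version field of the `openssl version` banner against the four releases the linked advisory lists as affected. The function name `check_openssl_banner` is hypothetical and the sample banners are constructed.

```shell
#!/bin/sh
# Releases listed as affected by CVE-2015-1793 in the OpenSSL advisory.
AFFECTED="1.0.2c 1.0.2b 1.0.1n 1.0.1o"

# check_openssl_banner "<output of 'openssl version'>"
# Prints a verdict. Returns 0 = affected, 1 = not affected, 2 = not an OpenSSL banner.
check_openssl_banner() {
    banner=$1
    # Split the banner into product name, version and the rest (build date).
    read -r name ver _rest <<EOF
$banner
EOF
    if [ "$name" != "OpenSSL" ] || [ -z "$ver" ]; then
        echo "unknown banner"
        return 2
    fi
    ver=${ver%%-*}   # drop a build suffix such as "-fips"
    for v in $AFFECTED; do
        if [ "$ver" = "$v" ]; then
            echo "OpenSSL vulnerable"
            return 0
        fi
    done
    echo "OpenSSL not vulnerable"
    return 1
}

# Constructed sample banners (not captured from real hosts).
# On a real host, pass "$(openssl version)" instead.
for b in "OpenSSL 1.0.1o 12 Jun 2015" \
         "OpenSSL 1.0.2c-fips 12 Jun 2015" \
         "OpenSSL 1.0.2d 9 Jul 2015" \
         "OpenSSL 1.0.1e-fips 11 Feb 2013" \
         "LibreSSL 2.2.0"; do
    printf '%-34s -> ' "$b"
    check_openssl_banner "$b" || true
done
```

A banner match only reflects the upstream version string. Distribution packages that backport fixes keep the old string, so confirm the result against the vendor's advisory.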