openSSL heartbleed vulnerability - test with eapol_test?

Jouni Malinen j
Tue Apr 8 07:51:08 PDT 2014


On Tue, Apr 08, 2014 at 12:59:16PM +0300, Jouni Malinen wrote:
> Yes, I was planning on implementing this in the reverse direction for
> testing EAP peer side similarly to what I've already implemented for
> number of other TLS issues. It should be straightforward to extend the
> design to work against EAP server side as well so that this would be an
> option in eapol_test.

A quick update on this.. I do have such a tool now, but I'm not planning
on making it public today or for couple of days to give some more time
for server side updates should any EAP server be vulnerable (it is way
too easy to convert that tool to an attack tool over wireless..).

Anyway, it looks like misuse of OpenSSL APIs prevents most attack
options for this case, so this may be somewhat less critical for EAP
servers compared to other uses of TLS. I tested with couple RADIUS
authentication servers and could not trigger the issue due to reasons
that I confirmed to be because of incorrect OpenSSL API use..  (For
completeness, I did fix one such case to verify that the test tool works
and to confirm that this was indeed "safer" due to incorrect API use.).
 
-- 
Jouni Malinen                                            PGP id EFC895FA



More information about the Hostap mailing list