openSSL heartbleed vulnerability - test with eapol_test?

Jouni Malinen j
Tue Apr 8 13:23:02 PDT 2014

On Tue, Apr 08, 2014 at 05:51:08PM +0300, Jouni Malinen wrote:
> A quick update on this.. I do have such a tool now, but I'm not planning
> on making it public today or for couple of days to give some more time
> for server side updates should any EAP server be vulnerable (it is way
> too easy to convert that tool to an attack tool over wireless..).
> Anyway, it looks like misuse of OpenSSL APIs prevents most attack
> options for this case, so this may be somewhat less critical for EAP
> servers compared to other uses of TLS. I tested with couple RADIUS
> authentication servers and could not trigger the issue due to reasons
> that I confirmed to be because of incorrect OpenSSL API use..  (For
> completeness, I did fix one such case to verify that the test tool works
> and to confirm that this was indeed "safer" due to incorrect API use.).

OK, that was a bit too optimistic. I found couple of cases where this
vulnerability can be triggered over EAP, so no public availability for
the test tool for now. Feel free to contact me privately if you have a
justifiable use for such a test tool. I'll probably push it to
eapol_test later once there has been some more time to get
authentication servers updated.
Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list