Metasploit 4.9.0 and earlier vulnerable to Heartbleed, update 4.9.1 addresses critical cases

The Metasploit editions Metasploit Pro, Metasploit Express, and Metasploit Community in versions 4.9.0 or earlier are vulnerable to the OpenSSL Heartbleed Vulnerability (CVE-2014-0160). Please update to version 4.9.1 to remediate critical vulnerabilities. See below for remediation instructions.

Metasploit Framework itself is not affected, but it has dependencies on other components that may need to be updated. If you have installed Metasploit Framework through GitHub, please check these dependencies yourself (listed below) and update them. If you have used the Metasploit binary installer from Rapid7.com, you will have all below the dependencies on your system, and your Metasploit update will update each one of them. For more information, please see the remediation steps below.

Due to the nature of the vulnerability, SSL key material and passwords should be assumed to be compromised and changed.

Affected Metasploit dependencies

In the aforementioned Metasploit versions, the following Metasploit components use a vulnerable version of OpenSSL that needs to be updated:

  • Nginx
  • Ruby
  • Nmap
  • Postgres

In the aforementioned Metasploit versions, the following Metasploit components use a non-vulnerable version of OpenSSL:

  • Meterpreter

How to remediate the Heartbleed vulnerability in Metasploit

If you are running these versions, please follow the following steps to remediate the vulnerability:

  • Update Metasploit and its dependencies to a non-vulnerable version
    • If you installed Metasploit using the binary installer from Rapid7.com
      • Enter the Metasploit Web UI at https://<METASPLOIT_IP>:3790/
      • Go to the Administration menu and choose the Software Update option.
      • Follow the instructions on your screen to update the software to version 4.9.1 or higher.
    • If you are using the pre-installed Metasploit version on Kali Linux
      • On the command line, run: apt-get update && apt-get dist-upgrade
      • Kali Linux synchronizes its repositories with Debian every 6 hours
      • Verify that Nginx, Ruby, nmap and Postgres have updated to non-vulnerable versions
    • If you have used GitHub to install Metasploit Framework
      • Metasploit itself is not vulnerable, but you should check that you're running non-vulnerable versions of Ruby, nmap, and Postgres
  • Replace SSL keys that may have been compromised (Metasploit Pro/Express/Community only)
    • Stop Metasploit (linux: /etc/init.d/metasploit stop,  windows: Start Menu -> Metasploit -> Services -> Stop Metasploit)
    • Remove all files from INSTALL_DIRECTORY/apps/pro/nginx/cert (specifically ca.crt, server.crt, and server.key)
    • Start Metasploit (linux: /etc/init.d/metasploit start, windows: Start Menu -> Metasploit -> Services -> Start Metasploit)
    • Metasploit will regenerate new self-signed SSL keys.  You will need to accept these in your browser when visiting https://<METASPLOIT_IP>:3790/
  • Change all Metasploit Pro/Express/Community user passwords that may have been compromised

Updating to Metasploit 4.9.1 solves the most pressing Heartbleed vulnerabilities but does not address low-risk vulnerability in nmap

While Metasploit version 4.9.1 updates Heartbleed vulnerabilities to protect Metasploit users from the most pressing risks posed through nginx, Postgres and Ruby, it does not update nmap and nmap will still be vulnerable. Rapid7 will make the update to nmap available in the near future and believes that the current level of vulnerability in nmap poses acceptable risk in the short term:

Nmap uses client-slide OpenSSL to scan services. An attacker would have to set up an SSL-enabled web server on the target network that you are scanning and actively exploit the Heartbleed vulnerability when you scan it. Heartbleed does not grant code execution on the machine, just information disclosure for the process-specific memory. Nmap does not use credentials for scanning and all scanning data it keeps in memory could be obtained by simply scanning the network. There is also a small chance that an attacker would be able to crash the nmap process.

Rapid7 believes that the Heartbleed vulnerability in nmap poses acceptable risk and that remediating all other Heartbleed vulnerabilities immediately outweighes waiting until we have tested a non-vulnerable version of nmap. However, we are working on providing an updated Metasploit version that includes a non-vulnerable and quality tested version of nmap as soon as possible. Updates to this status will be advertised in this blog post.

Metasploit 4.9.1 and Nexpose both include scanners for Heartbleed vulnerabilities

You can now also use all Metasploit editions to scan your network for other server-side Heartbleed OpenSSL vulnerabilities. Find out more in this blog post. Rapid7's vulnerability management solution, Nexpose, also has vulnerability checks for Heartbleed vulnerabilities.

Learn how to protect your organization from Heartbleed

Metasploit is by far not the only application affected by Heartbleed. To learn how to strategically think about addressing this vulnerability in your organization, watch our free webcast with Trey Ford "Heartbleed War Room: Briefing, Strategy and Q&A (on demand).

UPDATE: Metasploit release 4.9.2 available, addresses nmap Heartbleed vulnerabilities (4/11/14, 2:20pm EDT)

Metasploit update 4.9.2 is now available, addressing the remaining low-risk Heartbleed vulnerability in the nmap scanner that is installed with the Metasploit binary installer. Please update your Metasploit edition using the  Metasploit web UI in the Administration menu under the Software Update option. Because the nmap vulnerability does not have the risk of leaking private data, you do not have to change SSL key material or passwords after this update.

NOTE: This update does not affect Metasploit on Kali Linux, which uses the Kali-provided nmap version. Please verify that the nmap version you are using on Kali Linux is up to date and not vulnerable.

If you have questions on this topic, please post a comment under this blog post or open a new discussion topic. If you are a Rapid7 customer, please feel free to contact our technical support team or your account executive for assistance.