Metasploit 4.9.2 and earlier vulnerable to OpenSSL vulnerabilities

The OpenSSL team today published a security advisory containing several critical vulnerabilities. The Metasploit editions Metasploit Pro, Metasploit Express, Metasploit Community and Metasploit Framework in versions 4.9.2 or earlier are vulnerable to these OpenSSL vulnerabilities, most notably CVE-2014-0224 and CVE-2014-0221. CVE-2014-0224 is exploited by Man-in-the-Middle (MITM) attacks that reduce the encryption strength of an SSL connection and therefore potentially expose transmitted data. CVE-2014-0221 is most likely to be limited to crashing systems using OpenSSL and is therefore a lesser concern.

Rapid7 is currently working on a security update and will announce its availability in this blog post as soon as it becomes available. To get alerted when this blog post is updated, please click the "Follow in" and select the "Email Update" option; please ensure that your Security Street preferences are set so that Security Street messages are forwarded to your email inbox.

How can I protect myself until an update is available?

Until the update is available and has been applied, Metasploit users should:

  • Only access the Metasploit web interface from a non-vulnerable browser. For the MITM attack to be successful, both the server and the client have to be vulnerable. The browsers officially supported by Metasploit are all non-vulnerable (see System Requirements), making the MITM attack fail even if the server is vulnerable.
  • Refrain from opening sessions since the communication between Meterpreter and Metasploit uses OpenSSL encryption.

We are continuing to research the impact these vulnerabilities may have on users and the industry. Once an update is available and you have applied it, you should cycle Metasploit user passwords.

Which Metasploit components are affected?

The following Metasploit components are affected :

  • Nginx
  • Ruby & Rails
  • Nmap
  • Postgres
  • Meterpreter

Is the Metasploit team working on modules to exploit these vulnerabilities?

You bet. Unfortunately, Tod broke our time machine last week so we were unable to release our exploits at the same time as the vulnerability disclosure but we're doing our best to catch up. If you have successfully written a module addressing any of these vulnerabilities, please create a pull request. We also accept Dogecoin donations to contribute towards our deductible for the time machine insurance policy. We'll update this blog post as modules become available.

UPDATE: Metasploit 4.9.3 available, addresses OpenSSL vulnerabilities (Updated 6/6/14, 2pm EST)

Metasploit release 4.9.3 is now available, addressing these vulnerabilities. Release notes: Metasploit 4.9.3 (Update 2014060501)

Recommended update procedure:

  • Update Metasploit and its dependencies to a non-vulnerable version
    • If you installed Metasploit using the binary installer from Rapid7.com
      • Enter the Metasploit Web UI at https://<METASPLOIT_IP>:3790/
      • Go to the Administration menu and choose the Software Update option.
      • Follow the instructions on your screen to update the software to version 4.9.3 or higher.
    • If you are using the pre-installed Metasploit version on Kali Linux
      • NOTE: The dependencies nmap, Ruby on Rails, and Postgres are provided by Kali Linux and beyond our control. Please check the Kali Linux website for more info.
      • On the command line, run: apt-get update && apt-get dist-upgrade
      • Kali Linux synchronizes its repositories with Debian every 6 hours
      • Verify that Nginx, Ruby, nmap and Postgres have updated to non-vulnerable versions
    • If you have used GitHub to install Metasploit Framework
      • Update using msfupdate command.
      • Update your local dependencies of Ruby, nmap, and Postgres to non-vulnerable versions
  • Change all Metasploit Pro/Express/Community user passwords that may have been compromised

If you have questions on this topic, please post a comment under this blog post or open a new discussion topic. If you are a Rapid7 customer, please feel free to contact our technical support team or your account executive for assistance.

New Modules

Incidentally, Metasploit 4.9.3 also includes some new modules since the last release. We've been kind of up to our eyeballs with patching and researching vectors for the new OpenSSL issues, so here's a quick update of new material since the end of May.

Exploit modules

Auxiliary and post modules