
Most Heartbleed detection tools have bugs of their own, firm finds

A security firm found that many widely available tools used to detect the Heartbleed vulnerability may give companies a “false sense of security.”

On Monday, Adrian Hayter, a pen tester at London-based CNS Hut3, revealed that many of the tools have bugs themselves, which result in false negative test results.

Specifically, Hayter discovered three bugs while testing against different server configurations – issues related to servers that don't support TLSv1.1 or TLS cipher suites, and another problem where downloading server responses during testing timed out due to sluggish connections.

In the test, 13 out of 15 Heartbleed detection tools, including those from Metasploit, Nmap and McAfee, failed to detect impacted services.
