OpenSSL vuln

der.hans PLUGd at LuftHans.com
Wed Apr 9 22:52:01 MST 2014


On 09 Apr 2014, James Dugger wrote:

Hello James,

yup. If you're using a version with the bug, you need to upgrade now and
immediately generate new keys.

https://www.mattslifebytes.com/?p=533

If you're still running it at this point, then you should also notify
anyone who has logged in via your service in the last couple days.

For those of us who use secure sites, we should verify the site has been
updated, then immediately change our password. If the site has security
questions, then those should be changed as well. If you're not already
using something like KeePassX, then now is a good time to start.

Find out if a site is vulnerable:

https://www.ssllabs.com/ssltest/

Detect on your own:

https://github.com/decal/ssltest-stls/blob/master/ssltest-stls.py

ciao,

der.hans

> This is serious. While IDS/IPS may be programmed to "detect" it at this
> point it is too late because the hacker has already obtained the keys to
> the kingdom.  Just had a security code development seminar today with
> contracted pen-testers and this was a very hot topic.  If Heartbeat is
> enabled on your server and a hacker attempts a TLS handshake with something
> other than a zero value after the initial "hello" then the server will send
> the contents of the last cached memory back to the hacker.  If this is a
> web server running Apache, Apache will gladly package the contents of its
> cache back to the server including SESSION cookies and SSL encryption keys
> still in memory.
>
> The pen-testers we spoke with today said that they know of a hacker site
> that went up 5 hours after the notice and started exploiting web servers.
> They have tested this on their systems and have been able to pull SSL
> keys, SESSION cookies, they had everything needed to open the SESSION
> contents where they had usernames and passwords.
>
> My understanding is that unless IDS/IPS has been programmed to compare the
> incoming and outgoing handshake, there will be no log information from the
> server of the event.  So in other words you may not know if you have been
> exploited or not. Worst case you have encryption keys and users'
> SESSION contents out in the wild, and you find out when customers' banks'
> fraud departments start calling.
>
>
>
> On Tue, Apr 8, 2014 at 10:00 AM, jill <lists at bespokess.com> wrote:
>
>> Patches have been released overnight for:
>>
>> CentOS 6.x: http://lists.centos.org/pipermail/centos-announce/2014-April/020249.html
>> RHEL 6.x: https://access.redhat.com/security/cve/CVE-2014-0160 https://rhn.redhat.com/errata/RHSA-2014-0376.html
>> Debian 7/Wheezy, 6/Squeeze via the security repo (make sure you have http://security.debian.org/ enabled): https://security-tracker.debian.org/tracker/CVE-2014-0160
>> Ubuntu 12.04, 12.10, 13.04: http://www.ubuntu.com/usn/usn-2165-1/
>>
>> apt-get update / yum upgrade should do it.
>>
>> Patch, patch, patch your servers, gently down the tubes... merrily, merrily, merrily, merrily, re-issue your certs.
>>
>> Jill
>>
>>
>>
>> On 2014-04-07 20:56, der.hans wrote:
>>
>>>
>>> Based on the following page:
>>>
>>> OpenSSL heartbeat is enabled even if you're not using it unless you
>>> disabled it at compile time.
>>>
>>> The vulnerability has been in place for two years ( version 1.0.1 up until
>>> 1.0.1g that was just released ).
>>>
>>> It can be exploited to reveal your private key without leaving a trace.
>>>
>>> IDS can probably be configured to detect the attack.
>>>
>>> http://heartbleed.com/
>>>
>>> ciao,
>>>
>>>
>>>
>>
>>
>> ---------------------------------------------------
>> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
>> To subscribe, unsubscribe, or to change your mail settings:
>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>
>
>
>
>

-- 
#  http://www.LuftHans.com/        http://www.LuftHans.com/Classes/
#  When I work, I work hard. When I play, I play hard.
#  When I sit, I sleep. - Embe Kugler
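The thread's advice boils down to two questions for each host: is the installed OpenSSL in the affected range (1.0.1 up to, but not including, 1.0.1g), and were heartbeats compiled out? The following is an added triage script, not code from the list or from OpenSSL; it assumes `openssl` is on PATH and that `openssl version -f` prints the build's compiler flags. It deliberately refuses to say "safe" on a version string alone, because distributions shipped the fix as a backport without changing the upstream version number.

```python
import re
import subprocess

# Affected range as stated in the thread: 1.0.1 through 1.0.1f (fixed in 1.0.1g).
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(banner):
    """Parse an 'openssl version' banner into (major, minor, fix, letter)."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised OpenSSL banner: {banner!r}")
    major, minor, fix, letter = m.groups()
    return int(major), int(minor), int(fix), letter


def version_in_affected_range(banner):
    """True if the banner reports 1.0.1 (no letter) through 1.0.1f."""
    major, minor, fix, letter = parse_version(banner)
    return (major, minor, fix) == (1, 0, 1) and letter < "g"


def heartbeats_compiled_out(build_flags):
    """True if the build was configured with no-heartbeats (-DOPENSSL_NO_HEARTBEATS)."""
    return "OPENSSL_NO_HEARTBEATS" in build_flags


def assess(banner, build_flags):
    """Return 'heartbeats-disabled', 'not-affected' or 'check-vendor-patch'.

    An affected-range banner is NOT proof of vulnerability: vendors backported
    the fix to e.g. 1.0.1e without bumping the version, so the only honest
    verdict from a banner is "go read the package changelog / errata".
    """
    if heartbeats_compiled_out(build_flags):
        return "heartbeats-disabled"
    if not version_in_affected_range(banner):
        return "not-affected"
    return "check-vendor-patch"


def assess_local_openssl():
    """Inspect the openssl binary on PATH (assumption: it is the one your services link)."""
    run = lambda *args: subprocess.run(["openssl", *args], capture_output=True, text=True, check=True).stdout
    banner, flags = run("version"), run("version", "-f")
    return banner.strip(), assess(banner, flags)


if __name__ == "__main__":
    banner, verdict = assess_local_openssl()
    print(f"{banner}: {verdict}")
```

A "check-vendor-patch" result means: confirm the errata for your distribution (the links in Jill's message) and, if the patched package was installed after the bug was public, still reissue keys and certificates.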