This is serious. While IDS/IPS may be programmed to "detect" it, at this point it is too late because the hacker has already obtained the keys to the kingdom. Just had a security code development seminar today with contracted pen-testers and this was a very hot topic. If Heartbeat is enabled on your server and a hacker attempts a TLS handshake with something other than a zero value after the initial "hello", then the server will send the contents of the last cached memory back to the hacker. If this is a web server running Apache, Apache will gladly package the contents of its cache back to the server, including SESSION cookies and SSL encryption keys still in memory.

The pen-testers we spoke with today said that they know of a hacker site that went up 5 hours after the notice and started exploiting web servers. They have tested this on their systems and have been able to pull SSL keys and SESSION cookies; they had everything needed to open the SESSION contents, where they had usernames and passwords.

My understanding is that unless IDS/IPS has been programmed to compare the incoming and outgoing handshake, there will be no log information from the server of the event. So in other words, you may not know if you have been exploited or not. Worst case, you have encryption keys and users' SESSION contents out in the wild, and you find out when customers' banks' fraud departments start calling.



On Tue, Apr 8, 2014 at 10:00 AM, jill <lists@bespokess.com> wrote:
Patches have been released overnight for:

CentOS 6.x: http://lists.centos.org/pipermail/centos-announce/2014-April/020249.html
RHEL 6.x: https://access.redhat.com/security/cve/CVE-2014-0160  https://rhn.redhat.com/errata/RHSA-2014-0376.html
Debian 7/Wheezy, 6/Squeeze via the security repo (make sure you have http://security.debian.org/ enabled): https://security-tracker.debian.org/tracker/CVE-2014-0160
Ubuntu 12.04, 12.10, 13.04: http://www.ubuntu.com/usn/usn-2165-1/

apt-get update / yum upgrade should do it.

Patch, patch, patch your servers, gently down the tubes... merrily, merrily, merrily, merrily, re-issue your certs.

Jill



On 2014-04-07 20:56, der.hans wrote:

> 
> Based on the following page:
> 
> OpenSSL heartbeat is enabled even if you're not using it unless you
> disabled it at compile time.
> 
> The vulnerability has been in place for two years ( version 1.0.1 up until
> 1.0.1g that was just released ).
> 
> It can be exploited to reveal your private key without leaving a trace.
> 
> IDS can probably be configured to detect the attack.
> 
> http://heartbleed.com/
> 
> ciao,
> 
> 
> 

---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
To subscribe, unsubscribe, or to change your mail settings:
http://lists.phxlinux.org/mailman/listinfo/plug-discuss



--
James
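
The thread mentions an IDS/IPS comparing incoming and outgoing heartbeat traffic. The sketch below is an added example, not code from anyone in this thread: it flags a plaintext heartbeat request whose length field cannot fit in its record, and a connection where the server returns far more heartbeat bytes than it was sent. The function names, the `slack` threshold and the sample records are assumptions constructed for illustration, and the input is assumed to be the reassembled byte stream of each direction.

```python
import struct

HEARTBEAT, CHANGE_CIPHER_SPEC = 24, 20   # TLS record content types
MIN_PADDING = 16                         # RFC 6520 minimum heartbeat padding

def parse_records(stream: bytes):
    """Yield (content_type, fragment) for each complete TLS record."""
    off = 0
    while off + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, off)
        if off + 5 + length > len(stream):
            break                        # truncated capture
        yield ctype, stream[off + 5 : off + 5 + length]
        off += 5 + length

def overclaims(fragment: bytes) -> bool:
    """True if a plaintext heartbeat's payload_length cannot fit in its record."""
    if len(fragment) < 3:
        return True
    _msg_type, claimed = struct.unpack_from("!BH", fragment)
    return 1 + 2 + claimed + MIN_PADDING > len(fragment)

def check_connection(client: bytes, server: bytes, slack: int = 64) -> list:
    """Return the reasons one connection's heartbeat traffic looks wrong."""
    findings, encrypted, sent = [], False, 0
    for ctype, frag in parse_records(client):
        if ctype == CHANGE_CIPHER_SPEC:
            encrypted = True             # later length fields are ciphertext
        elif ctype == HEARTBEAT:
            sent += len(frag)
            if not encrypted and overclaims(frag):
                findings.append("request length field exceeds record size")
    received = sum(len(f) for t, f in parse_records(server) if t == HEARTBEAT)
    # A conforming peer echoes the payload, so sizes should roughly match.
    if received > sent + slack:
        findings.append(f"server returned {received} heartbeat bytes for {sent} sent")
    return findings

def record(ctype: int, fragment: bytes) -> bytes:
    """Build a TLS 1.1 record around fragment (used for the constructed samples)."""
    return struct.pack("!BHH", ctype, 0x0302, len(fragment)) + fragment

# Constructed samples: a well-formed echo, then an over-claiming request.
PAD = b"\x00" * MIN_PADDING
GOOD = (record(24, b"\x01\x00\x04ping" + PAD), record(24, b"\x02\x00\x04ping" + PAD))
BAD = (record(24, b"\x01\x04\x00"), record(24, b"\x02\x04\x00" + b"A" * 1024 + PAD))
```

Once the client has sent ChangeCipherSpec the length field is encrypted, so only the size comparison still applies; it relies on the record headers, which stay in the clear.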
