Re: OpenSSL vuln

Top Page
Attachments:
Message as email
+ (text/plain)
+ (text/html)
+ (text/plain)
Delete this message
Reply to this message
Author: James Dugger
Date:  
To: Main PLUG discussion list
Subject: Re: OpenSSL vuln
​This is serious. While IDS/IPS ​may be programmed to "detect" it at this
point it is too late because the hacker has already obtained the keys to
the kingdom. Just had a security code development seminar today with
contracted pen-testers and this was a very hot topic. If Heartbeat is
enabled on your server and a hacker attempts a TSL handshake with something
other than a zero value after the initial "hello" than the server will send
the contents of the last cached memory back to the hacker. If this is a
web server running Apache, Apache will gladly package the contents of it's
cache back to the server including SESSION cookies and SSL encryption keys
still in memory.

The pen-testers we spoke with today said that they know of a hacker site
that went up 5 hours after the notice and started exploiting web servers.
They have tested this on there systems and have been able to pull SSL
keys, SESSION cookies, they had everything need to open the SESSION
contents where they had usernames and passwords.

My understanding is that unless IDS/IPS has been programmed to compare the
incoming and outgoing handshake, there will be no log information from the
server of the event. So in other words you may not know if you have been
exploited or not. Worst case you have encryptions keys and and users
SESSION contents out in the wild, and you find out when customer's banks
fraud departments start calling.



On Tue, Apr 8, 2014 at 10:00 AM, jill <> wrote:

> Patches have been released overnight for:
>
> CentOS 6.x: http://lists.centos.org/pipermail/centos-announce/2014-April/020249.html
> RHEL 6.x: https://access.redhat.com/security/cve/CVE-2014-0160 <https://access.redhat.com/security/cve/CVE-2014-0160> https://rhn.redhat.com/errata/RHSA-2014-0376.html
> Debian 7/Wheezy, 6/Squeeze via the security repo (make sure you have http://security.debian.org/ enabled): https://security-tracker.debian.org/tracker/CVE-2014-0160
> Ubuntu 12.04, 12.10, 13.04: http://www.ubuntu.com/usn/usn-2165-1/
>
> apt-get update / yum upgrade should do it.
>
> Patch, patch, patch your servers, gently down the tubes... merrily, merrily, merrily, merrily, re-issue your certs.
>
> Jill
>
>
>
> On 2014-04-07 20:56, der.hans wrote:
>
> >
> > Based on the following page:
> >
> > OpenSSL heartbeat is enabled even if you're not using it unless you
> > disabled it at compile time.
> >
> > The vulnerability has been in place for two years ( version 1.0.1 up until
> > 1.0.1g that was just released ).
> >
> > It can be exploited to reveal your private key without leaving a trace.
> >
> > IDS can probably be configured to detect the attack.
> >
> > http://heartbleed.com/
> >
> > ciao,
> >
> >
> >
>
>
> ---------------------------------------------------
> PLUG-discuss mailing list -
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>




--
James

*Linkedin <http://www.linkedin.com/pub/james-h-dugger/15/64b/74a/>*
---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.phxlinux.org/mailman/listinfo/plug-discuss