Heartbleed: Serious OpenSSL zero day vulnerability revealed

Discussion in 'privacy technology' started by ronjor, Apr 7, 2014.

  1. MrBrian

    MrBrian Registered Member

    From A taxonomy of Heartbleed attacks:
     
  2. lotuseclat79

    lotuseclat79 Registered Member

  3. lotuseclat79

    lotuseclat79 Registered Member

    How To Detect Heartbleed Mutations.

    -- Tom
     
  4. hogndog

    hogndog Registered Member

    Don't know if this has been posted somewhere but I found this while looking for a fix in Puppy Linux.. :)

    Find out if your server is affected
    Run the command:

    openssl version

    to get the version number of openssl. If the command shows e.g.:

    openssl version
    OpenSSL 1.0.1e 11 Feb 2013

    then your server might be vulnerable as the version is below 1.0.1g. But some Linux distributions patch packages, see below for instructions to find out if the package on your server has been patched.

    If your server uses a 0.9.8 release, as is used on Debian squeeze, then the server is not vulnerable, as the heartbeat function has been implemented in OpenSSL 1.0.1 and later versions only.

    openssl version
    OpenSSL 0.9.8o 01 Jun 2010

    http://www.howtoforge.com/find_out_...ed_vulnerability_cve-2014-0160_and_how_to_fix
     
  5. Minimalist

    Minimalist Registered Member

  6. hogndog

    hogndog Registered Member

    I found a fix "that works" in Linux and there's one for Mac as well.. :)

    steps ( For Linux )
    wget http://www.openssl.org/source/openssl-1.0.1g.tar.gz
    tar -xvzf openssl-1.0.1g.tar.gz
    cd openssl-1.0.1g
    ./config --prefix=/usr/
    make
    sudo make install

    steps ( for mac )
    wget http://www.openssl.org/source/openssl-1.0.1g.tar.gz
    tar -xvzf openssl-1.0.1g.tar.gz
    cd openssl-1.0.1g
    ./Configure darwin64-x86_64-cc --prefix=/usr
    make
    sudo make install

    http://www.computersnyou.com/3155/2014/04/update-install-openssl-source-latest-version/
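    As an added example (mine, not code from the thread or from the linked howtoforge/computersnyou pages), the version check described in the two posts above as a small Python script: it classifies an `openssl version` banner into not-affected (0.9.8/1.0.0, no heartbeat code), possibly-vulnerable (1.0.1 to 1.0.1f) or fixed (1.0.1g and later), and can run the same check on the local host after the source build above. The function names `classify_openssl_version` and `probe_local_openssl` and the sample banners are my own.

```python
import re
import subprocess

# CVE-2014-0160 affects OpenSSL 1.0.1 through 1.0.1f; 1.0.1g carries the fix.
# 0.9.8 and 1.0.0 never shipped the heartbeat extension, so they are not affected.
VERSION_RE = re.compile(r"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)")


def classify_openssl_version(banner):
    """Classify an `openssl version` banner by its version number alone.

    Returns one of:
      'not-affected'        0.9.8.x / 1.0.0.x: no heartbeat support at all
      'possibly-vulnerable' 1.0.1 .. 1.0.1f: vulnerable upstream, but a distro
                            may have backported the fix without bumping the letter
      'fixed'               1.0.1g or any later release
      'unknown'             banner did not parse
    """
    m = VERSION_RE.search(banner)
    if not m:
        return "unknown"
    numeric = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter = m.group(4)  # "" for the bare 1.0.1 release, "a".."f" etc. otherwise
    if numeric < (1, 0, 1):
        return "not-affected"
    # String comparison: "" and "a".."f" sort at or before "f"; "g" and later sort after.
    if numeric == (1, 0, 1) and letter <= "f":
        return "possibly-vulnerable"
    return "fixed"


def probe_local_openssl():
    """Run `openssl version` on this host and classify its output.

    Returns (banner, verdict), or None when no openssl binary is present.
    Caveat: this inspects the openssl CLI, which may be a different build than
    the libssl a given daemon actually has mapped into memory.
    """
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return out.strip(), classify_openssl_version(out)


if __name__ == "__main__":
    # Constructed banners modelled on the two shown in the post above.
    for banner in ("OpenSSL 1.0.1e 11 Feb 2013",
                   "OpenSSL 0.9.8o 01 Jun 2010",
                   "OpenSSL 1.0.1g 7 Apr 2014"):
        print(f"{banner!r}: {classify_openssl_version(banner)}")
    print("this host:", probe_local_openssl())
```

A "possibly-vulnerable" verdict is only a hint, for the reason the post gives: Debian and Red Hat style packages keep the 1.0.1e banner and backport the fix, so resolve it from the package changelog (`apt-get changelog openssl | grep CVE-2014-0160` or `rpm -q --changelog openssl | grep CVE-2014-0160`). After the source install in the post above, also remember that every daemon linked against libssl keeps the old library mapped until it is restarted, and that installing into `--prefix=/usr` overwrites the distribution's own copy, so later package updates can silently put the old build back.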
     
  7. Minimalist

    Minimalist Registered Member

    http://threatpost.com/siemens-update-on-heartbleed-patches-in-ics-scada
     
  8. lotuseclat79

    lotuseclat79 Registered Member

  9. MrBrian

    MrBrian Registered Member

  10. lotuseclat79

    lotuseclat79 Registered Member

  11. Minimalist

    Minimalist Registered Member

    http://threatpost.com/the-white-house-and-zero-day-sleight-of-hand
     
  12. MrBrian

    MrBrian Registered Member

  13. ronjor

    ronjor Global Moderator

  14. Justintime123

    Justintime123 Registered Member

    *NEW* Community Tool: CrowdStrike Heartbleed Scanner
    Apr 18, 2014 | Dmitri Alperovitch, Co-Founder & CTO
    Since last week, several researchers and security companies have released free web-based scanners for the OpenSSL Heartbleed (CVE-2014-0160) vulnerability independently revealed on April 7th. While these may be great and easy-to-use tools to determine if your public website may be vulnerable to this issue (although some have been found not to be very accurate), we realized that there was a largely unmet demand for an easy-to-use UI tool capable of also scanning the internal networks and non-HTTPS services for this vulnerability, since this problem is so much bigger than just external websites.

    Today we are happy to release a new free community CrowdStrike Heartbleed Scanner built by our very own Robin Keir, CrowdStrike community tool developer extraordinaire. With this tool, you can now easily scan your Intranet SSL websites, OpenSSL VPNs, Secure FTP servers, Databases, Secure SMTP/POP/IMAP email servers, routers, printers, phones, and anything else that may have been compiled with OpenSSL 1.0.1-1.0.1f.

    In addition to the ability to show the list of vulnerable servers, the scanner also outputs the contents of the 64 KB of memory that a vulnerable server returns back to the heartbeat SSL request, allowing you to see the extent of the impact of this vulnerability on your devices and services.

    http://www.crowdstrike.com/blog/new-community-tool-crowdstrike-heartbleed-scanner/
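    The post above describes what a Heartbleed scanner does: it sends a heartbeat request and a vulnerable server answers with up to 64 KB of memory. The defensive counterpart is to recognise that request shape on the wire. As an added example (my own code, not the CrowdStrike tool or anything from the thread), the check below parses a single TLS record and flags a heartbeat message whose declared payload length exceeds what the record actually carries, which RFC 6520 says a compliant peer must silently discard and which unpatched OpenSSL 1.0.1 to 1.0.1f instead honoured. The function names and the three sample records are constructed for this example, not captured traffic.

```python
import struct

TLS_HEARTBEAT = 0x18          # TLS record content type for heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16              # RFC 6520 requires at least 16 bytes of random padding


def parse_tls_record(data):
    """Split one TLS record into (content_type, version, body) or raise ValueError."""
    if len(data) < 5:
        raise ValueError("short record header")
    ctype, version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated record body")
    return ctype, version, body


def check_heartbeat(record):
    """Classify one TLS record.

    Returns {'heartbeat': False} for non-heartbeat records; otherwise a dict
    with 'verdict' set to 'ok' or 'malformed'. 'malformed' means the message
    declares more payload (plus the mandatory padding) than the record holds,
    the exact shape a Heartbleed probe takes. The same rule applies to
    responses (type 2), so it works on either direction of a capture.
    """
    ctype, version, body = parse_tls_record(record)
    if ctype != TLS_HEARTBEAT:
        return {"heartbeat": False}
    if len(body) < 3:
        return {"heartbeat": True, "verdict": "malformed",
                "reason": "no room for type and payload_length fields"}
    hb_type = body[0]
    (declared,) = struct.unpack("!H", body[1:3])
    available = len(body) - 3          # bytes left for payload + padding
    verdict = "malformed" if declared + MIN_PADDING > available else "ok"
    return {"heartbeat": True, "type": hb_type, "verdict": verdict,
            "declared": declared, "available": available}


# Constructed sample records (not captured traffic):
# 1. Well-formed TLS 1.1 heartbeat request: payload "ping" (4 bytes) + 16 padding.
BENIGN_HEARTBEAT = (b"\x18\x03\x02\x00\x17"               # type 24, TLS 1.1, length 23
                    + b"\x01\x00\x04" + b"ping" + b"\x00" * 16)
# 2. Heartbeat request declaring 0x4000 payload bytes but carrying none at all.
MALFORMED_HEARTBEAT = b"\x18\x03\x02\x00\x03" + b"\x01\x40\x00"
# 3. Ordinary application-data record, ignored by the check.
APP_DATA_RECORD = b"\x17\x03\x02\x00\x05" + b"hello"


def scan_records(records):
    """Run the check over a sequence of records and return the malformed ones' indexes."""
    hits = []
    for i, rec in enumerate(records):
        try:
            if check_heartbeat(rec).get("verdict") == "malformed":
                hits.append(i)
        except ValueError:
            hits.append(i)   # a record that does not even parse is worth a look too
    return hits


if __name__ == "__main__":
    for name, rec in (("benign", BENIGN_HEARTBEAT),
                      ("malformed", MALFORMED_HEARTBEAT),
                      ("app-data", APP_DATA_RECORD)):
        print(f"{name:10s} {check_heartbeat(rec)}")
    print("flagged indexes:", scan_records([BENIGN_HEARTBEAT, MALFORMED_HEARTBEAT, APP_DATA_RECORD]))
```

This is the decision logic only; in practice you feed it records reassembled from a tap or a pcap (for example via scapy) and alert on any `malformed` hit, and a heartbeat record of any kind on a service that has no business sending them is itself worth a look. Seeing no such traffic says nothing about whether a host is patched, so it complements, rather than replaces, the version and package checks discussed earlier in the thread.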
     
  15. CloneRanger

    CloneRanger Registered Member

    @ Justintime123

    Re - CrowdStrike Heartbleed Scanner

    Already posted by lotuseclat79 in Post #193. For some reason(s) nobody responded, apart from me. I tried it in Post #196 & still no response?
     
  16. CloneRanger

    CloneRanger Registered Member

    What happened to Post #216?
     
  17. ronjor

    ronjor Global Moderator

  18. Minimalist

    Minimalist Registered Member

  19. ronjor

    ronjor Global Moderator

    http://www.securityweek.com/heartbleed-vulnerability-still-beating-strong
     
  20. Compu KTed

    Compu KTed Registered Member

    CASC Heartbleed Response

    Google moved away from supporting OCSP without adequately informing Chrome users of this
    fact. Although IE and Safari also soft-fail if an OCSP response is not received, those
    browsers still use OCSP by default.
    The engineers creating those browsers apparently have not concluded that OCSP is broken.
    Even if revocation checking by OCSP isn’t 100 percent accurate, it can still protect a high
    percentage of users who navigate to a site with a revoked certificate and receive an OCSP
    response indicating revocation. Turning off revocation checking for everyone means that no
    one is protected.

    The CASC agrees that OCSP Stapling, and putting OCSP Must-Staple extensions in certificates, is
    one of the best solutions to address many issues with revocation at this time. But until
    that happens, we oppose browsers removing (non-stapled) OCSP checks.

    https://casecurity.org/2014/05/08/casc-heartbleed-response/
     
  21. MrBrian

    MrBrian Registered Member

  22. siljaline

    siljaline Registered Member

  23. Minimalist

    Minimalist Registered Member

    Critical industrial control systems remain vulnerable to Heartbleed exploits
    http://arstechnica.com/security/201...ems-remain-vulnerable-to-heartbleed-exploits/
     
  24. ronjor

    ronjor Global Moderator

    http://www.net-security.org/secworld.php?id=17159
     
  25. Minimalist

    Minimalist Registered Member

    97% of Global 2000 remain vulnerable due to Heartbleed
    http://www.net-security.org/secworld.php?id=17180
     