Heartbleed: Serious OpenSSL zero day vulnerability revealed

Thanks, this is a rather important one.

 

Massive Security Bug In OpenSSL Could Affect A Huge Chunk Of The Internet | TechCrunch

Critical crypto bug in OpenSSL opens two-thirds of the Web to eavesdropping | Ars Technica

 

http://heartbleed.com/

 

Yeah, I also read this, and a lot of the Banks I use here in Asia are vulnerable (3 out of 4)

to test if your site is vulnerable check here -hxxp://filippo.io/Heartbleed-

or if you don't trust a site here is the script

-hxxp://s3.jspenguin.org/ssltest.py-

Some more background info here: -hxxps://medium.com/p/715b2260813d-

 

This vulnerability has existed for quite some time:
"Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug."

 

^ Yeah ridiculous

Also please note:

The updating of OpenSSL and a Reboot of the server ISN'T ENOUGH !!!

You also need to get a new certificate and you have to revoke the old one !!

 

So glad this happened before 14.04 LTS released.

 

See Ars Technica article: Critical crypto bug in OpenSSL opens two-thirds of the Web to eavesdropping
at: http://arstechnica.com/security/201...opens-two-thirds-of-the-web-to-eavesdropping/

"Exploits allow attackers to obtain private keys used to decrypt sensitive data."

-- Tom

 

I find it unlikely to be "two thirds of the web". That would assume two thirds has even bothered updating to the OpenSSL 1.0.1 series and that's unlikely considering the snail pace of the server update world. The older versions are not affected.

 

Wow

-hxxps://twitter.com/WarrenGuy/status/453510021930680320/photo/1-

 

Half a million widely trusted websites vulnerable to Heartbleed bug

LastPass and the Heartbleed Bug

 

‘Heartbleed’ Bug Exposes Passwords, Web Site Encryption Keys — Krebs on Security

 

From the link in post #13:

 

Advice from LastPass (post #12) that applies to everyone:

 

From http://www.theguardian.com/technolo...-at-risk-for-hundreds-of-thousands-of-servers (bolding by me):

 

SSLlabs server test now also tests for Heartbleed, Wilders is also vulnerable:
https://www.ssllabs.com/ssltest/analyze.html?d=wilderssecurity.com

Yahoo was also vulnerable, though it doesn't look like they have new keys/certs yet.

 

Test results of top 1000 websites

I believe that the listed test results for duckduckgo.com are wrong. Or maybe duckduckgo.com fixed its problem already.

 

See: OpenSSL Heartbleed Security Update
at: https://blog.heroku.com/archives/2014/4/8/openssl_heartbleed_security_update

Recommends:
1. Change your account password on websites with this vulnerability (after the website is patched!)
2. Create a new private key for the vulnerable website
3. Update your endpoint by getting your SSL certificate reissued

-- Tom

 

openssl.org is still vulnerable..
https://www.ssllabs.com/ssltest/analyze.html?d=openssl.org

 

AirVpn official response:

I wanted to paste their Staff response to the current discovered weakness. In my opinion their response is amazing, as always. Air is one of the three providers I will never leave!

Paste:
After a deeper analysis we would like to inform you about problems, solutions, what we did and what you need to do, in compliance with our transparency policy. The OpenSSL 1.0.1a-->f vulnerability is huge, but several factors in our infrastructure design made the menace a minor threat, without any potentially catastrophic consequence.

• some of our OpenVPN servers used a vulnerable OpenSSL version. They have been all updated and upgraded between 3 PM and 6 PM 08-Apr-14 CET+1. The non-updated VPN servers running branches of OpenSSL like 0.9.8 were not and are not vulnerable. Assuming that an attacker could steal your user.key during the handshake on those servers, the worst damage is that he/she will connect with your account in the future (see below for a solution to this problem). He/she will not be able to decrypt your OpenVPN Data Channel. Various factors help mitigate the problem even on those vulnerable VPN servers: the attacker could not perform an attack through the exit-IP address (he/she should have known the entry-IP) and Perfect Forward Secrecy does not allow the attacker to decrypt your data

• the primary frontend (the web site you normally visit) used a vulnerable OpenSSL version which has been upgraded at 3 PM 08-Apr-14 to a non-vulnerable version. All sessions were reset. The vulnerability allowed an attacker to dump a memory portion of the server which could disclose information useful to exploit future access of those users using browsers or web clients not supporting DHE or ECDHE: Internet Explorer 6, Internet Explorer 8, YandexBot 3, or browsers manually forced NOT to use Perfect Forward Secrecy.

• the backend servers and other vital parts of the infrastructure were not and are not vulnerable, since they were NEVER running a vulnerable OpenSSL version

What we have already done:

• we replaced on every part of the infrastructure the vulnerable OpenSSL versions (if any) with non-vulnerable ones between 3 PM and 6 PM 08-Apr-14 CET+1
• we changed in advance all administrative accounts passwords (this was not strictly necessary, but it has been performed anyway)
• we updated the internal SSL certificates
• we reset connections of clients connected to VPN servers running OpenSSL vulnerable version and rebooted the server to make sure that no old dynamically linked SSL version was still used by OpenVPN
• we performed attacks against our servers, even with the help of independent attackers as peer review, to check that the vulnerability has been resolved

What we will additionally do:

• we're going to add the option to generate new user.key from the client side, with no more need of our manual intervention, just in case someone wishes to use our service for free with your account
• we will revoke the frontend web server SSL certificate and replace it with a new one (this will take some time according to the authority)

What YOU need to do:

• change your account password and your API key (if you used our API) and do it as soon as possible especially if you use Internet Explorer 6, Internet Explorer 8 or YandexBot 3 or any other browser that you specifically configured NOT to use TLS with DHE-ECDHE in any way to log in our web site
• change your user.key when this option will be available

Kind regards

 

"
How about operating systems?
Some operating system distributions that have shipped with potentially vulnerable OpenSSL version:

• Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
• Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
• CentOS 6.5, OpenSSL 1.0.1e-15
• Fedora 18, OpenSSL 1.0.1e-4
• OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)
• FreeBSD 10.0 - OpenSSL 1.0.1e 11 Feb 2013
• NetBSD 5.0.2 (OpenSSL 1.0.1e)
• OpenSUSE 12.2 (OpenSSL 1.0.1c)

Operating system distribution with versions that are not vulnerable:

• Debian Squeeze (oldstable), OpenSSL 0.9.8o-4squeeze14
• SUSE Linux Enterprise Server
• FreeBSD 8.4 - OpenSSL 0.9.8y 5 Feb 2013
• FreeBSD 9.2 - OpenSSL 0.9.8y 5 Feb 2013
• FreeBSD Ports - OpenSSL 1.0.1g (At 7 Apr 21:46:40 2014 UTC)"
• http://heartbleed.com/

 

Enter the hostname of a server to test it for CVE-2014-0160.



Go!


www.avast.com IS VULNERABLE.

 

Patching The Heartbleed OpenSSL Vulnerability | Sucuri Blog

 

Enter the hostname of a server to test it for CVE-2014-0160.



Go!


All good, www.roboscan.com seems not affected!