Heartbleed: Serious OpenSSL zero day vulnerability revealed

Discussion in 'privacy technology' started by ronjor, Apr 7, 2014.

  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,734
    Location:
    Texas
  2. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,459
    Thanks, this is a rather important one.:eek:
     
  3. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,196
    Location:
    Surrey, England.
    Massive Security Bug In OpenSSL Could Affect A Huge Chunk Of The Internet | TechCrunch

    Critical crypto bug in OpenSSL opens two-thirds of the Web to eavesdropping | Ars Technica
     
    Last edited: Apr 7, 2014
  4. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
    http://heartbleed.com/

     
  5. iammike

    iammike Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    276
    Location:
    SE Asia
    Yeah, I also read this, and a lot of the banks I use here in Asia are vulnerable (3 out of 4).

    To test if your site is vulnerable, check here: -hxxp://filippo.io/Heartbleed-

    Or if you don't trust a site, here is the script:

    -hxxp://s3.jspenguin.org/ssltest.py-

    Some more background info here: -hxxps://medium.com/p/715b2260813d-
     
  6. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
    This vulnerability has existed for quite some time:
    "Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug."
     
  7. iammike

    iammike Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    276
    Location:
    SE Asia
    ^ Yeah ridiculous :thumbd:

    Also please note:

    Updating OpenSSL and rebooting the server ISN'T ENOUGH!!!

    You also need to get a new certificate, and you have to revoke the old one!!
     
  8. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    So glad this happened before 14.04 LTS released.
     
  9. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,096
  10. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    I find it unlikely to be "two thirds of the web". That would assume two thirds has even bothered updating to the OpenSSL 1.0.1 series and that's unlikely considering the snail pace of the server update world. The older versions are not affected.
     
  11. iammike

    iammike Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    276
    Location:
    SE Asia
    Wow

    -hxxps://twitter.com/WarrenGuy/status/453510021930680320/photo/1-
     
    Last edited: Apr 8, 2014
  12. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  13. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,196
    Location:
    Surrey, England.
    ‘Heartbleed’ Bug Exposes Passwords, Web Site Encryption Keys — Krebs on Security
     
  14. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From the link in post #13:
     
  15. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Advice from LastPass (post #12) that applies to everyone:
     
  16. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From http://www.theguardian.com/technolo...-at-risk-for-hundreds-of-thousands-of-servers (bolding by me):
     
  17. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
    Last edited: Apr 8, 2014
  18. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  19. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,096
    Last edited: Apr 9, 2014
  20. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
  21. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,592
    AirVpn official response:

    I wanted to paste their Staff response to the current discovered weakness. In my opinion their response is amazing, as always. Air is one of the three providers I will never leave!

    Paste:
    After a deeper analysis we would like to inform you about problems, solutions, what we did and what you need to do, in compliance with our transparency policy. The OpenSSL 1.0.1a-->f vulnerability is huge, but several factors in our infrastructure design made the menace a minor threat, without any potentially catastrophic consequence.

    • some of our OpenVPN servers used a vulnerable OpenSSL version. They have all been updated and upgraded between 3 PM and 6 PM 08-Apr-14 CET+1. The non-updated VPN servers running branches of OpenSSL like 0.9.8 were not and are not vulnerable. Assuming that an attacker could steal your user.key during the handshake on those servers, the worst damage is that he/she will connect with your account in the future (see below for a solution to this problem). He/she will not be able to decrypt your OpenVPN Data Channel. Various factors help mitigate the problem even on those vulnerable VPN servers: the attacker could not perform an attack through the exit-IP address (he/she should have known the entry-IP) and Perfect Forward Secrecy does not allow the attacker to decrypt your data.

    • the primary frontend (the web site you normally visit) used a vulnerable OpenSSL version which has been upgraded at 3 PM 08-Apr-14 to a non-vulnerable version. All sessions were reset. The vulnerability allowed an attacker to dump a memory portion of the server which could disclose information useful to exploit future access of those users using browsers or web clients not supporting DHE or ECDHE: Internet Explorer 6, Internet Explorer 8, YandexBot 3, or browsers manually forced NOT to use Perfect Forward Secrecy.

    • the backend servers and other vital parts of the infrastructure were not and are not vulnerable, since they were NEVER running a vulnerable OpenSSL version

    What we have already done:

    • we replaced the vulnerable OpenSSL versions (if any) on every part of the infrastructure with non-vulnerable ones between 3 PM and 6 PM 08-Apr-14 CET+1
    • we changed in advance all administrative accounts passwords (this was not strictly necessary, but it has been performed anyway)
    • we updated the internal SSL certificates
    • we reset connections of clients connected to VPN servers running a vulnerable OpenSSL version and rebooted the server to make sure that no old dynamically linked SSL version was still used by OpenVPN
    • we performed attacks against our servers, even with the help of independent attackers as peer review, to check that the vulnerability has been resolved
    What we will additionally do:

    • we're going to add the option to generate a new user.key from the client side, with no more need for our manual intervention, just in case someone wishes to use our service for free with your account
    • we will revoke the frontend web server SSL certificate and replace it with a new one (this will take some time according to the authority)
    What YOU need to do:

    • change your account password and your API key (if you used our API) and do it as soon as possible, especially if you use Internet Explorer 6, Internet Explorer 8 or YandexBot 3 or any other browser that you specifically configured NOT to use TLS with DHE-ECDHE in any way to log in to our web site
    • change your user.key when this option becomes available
    Kind regards
     
    Last edited: Apr 8, 2014
  22. FreddyFreeloader

    FreddyFreeloader Registered Member

    Joined:
    Jul 23, 2013
    Posts:
    527
    Location:
    Tejas
    "
    How about operating systems?
    Some operating system distributions that have shipped with potentially vulnerable OpenSSL version:

    • Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
    • Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
    • CentOS 6.5, OpenSSL 1.0.1e-15
    • Fedora 18, OpenSSL 1.0.1e-4
    • OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)
    • FreeBSD 10.0 - OpenSSL 1.0.1e 11 Feb 2013
    • NetBSD 5.0.2 (OpenSSL 1.0.1e)
    • OpenSUSE 12.2 (OpenSSL 1.0.1c)
    Operating system distribution with versions that are not vulnerable:

    • Debian Squeeze (oldstable), OpenSSL 0.9.8o-4squeeze14
    • SUSE Linux Enterprise Server
    • FreeBSD 8.4 - OpenSSL 0.9.8y 5 Feb 2013
    • FreeBSD 9.2 - OpenSSL 0.9.8y 5 Feb 2013
    • FreeBSD Ports - OpenSSL 1.0.1g (At 7 Apr 21:46:40 2014 UTC)"
    • http://heartbleed.com/
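    The version window quoted in posts #6 and #22 (upstream 1.0.1 through 1.0.1f vulnerable, 1.0.1g fixed, 0.9.8 unaffected) turned into a screening check over package version strings; this is an added example, not code from the thread or from heartbleed.com, and the distro list is constructed from the one quoted above.

```python
import re

# Vulnerability window as quoted in this thread from heartbleed.com:
# upstream OpenSSL 1.0.1 through 1.0.1f are vulnerable, 1.0.1g fixes the
# bug, and the 0.9.8 branch was never affected. Versions compare as tuples
# with the letter suffix last ('' sorts before 'a', so plain 1.0.1 is in).
FIRST_VULNERABLE = (1, 0, 1, "")
FIRST_FIXED = (1, 0, 1, "g")

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Pull (major, minor, fix, letter) out of a package or `openssl version`
    string such as 'OpenSSL 1.0.1e-2+deb7u4' or '1.0.1c 10 May 2012'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)


def upstream_vulnerable(text):
    """True when the upstream release number lies in the Heartbleed window.

    This is only a screening signal: distributions backport fixes without
    bumping the upstream letter, so a positive result must be confirmed
    against the distro's own advisory before acting on it.
    """
    return FIRST_VULNERABLE <= parse_openssl_version(text) < FIRST_FIXED


# Constructed from the distribution list quoted in post #22 above.
DISTRO_SHIPPED = [
    ("Debian Wheezy", "OpenSSL 1.0.1e-2+deb7u4"),
    ("Ubuntu 12.04.4 LTS", "OpenSSL 1.0.1-4ubuntu5.11"),
    ("CentOS 6.5", "OpenSSL 1.0.1e-15"),
    ("FreeBSD 10.0", "OpenSSL 1.0.1e 11 Feb 2013"),
    ("Debian Squeeze", "OpenSSL 0.9.8o-4squeeze14"),
    ("FreeBSD 9.2", "OpenSSL 0.9.8y 5 Feb 2013"),
    ("FreeBSD Ports", "OpenSSL 1.0.1g"),
]


def triage(entries):
    """Map each (name, version string) to its screening verdict."""
    return {name: upstream_vulnerable(ver) for name, ver in entries}


if __name__ == "__main__":
    for name, hit in triage(DISTRO_SHIPPED).items():
        print(f"{name:20s} {'CHECK ADVISORY' if hit else 'not in window'}")
```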
     
  23. FreddyFreeloader

    FreddyFreeloader Registered Member

    Joined:
    Jul 23, 2013
    Posts:
    527
    Location:
    Tejas
    Enter the hostname of a server to test it for CVE-2014-0160.

    www.avast.com IS VULNERABLE.
     
  24. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,196
    Location:
    Surrey, England.
    Patching The Heartbleed OpenSSL Vulnerability | Sucuri Blog
     
  25. FreddyFreeloader

    FreddyFreeloader Registered Member

    Joined:
    Jul 23, 2013
    Posts:
    527
    Location:
    Tejas
    Enter the hostname of a server to test it for CVE-2014-0160.

    All good, www.roboscan.com seems not affected!
     