OpenSSL vulnerability zero-day exploit alert!

Ref: http://threatpost.com/seriousness-of-openssl-heartbleed-bug-sets-in/105309

Ref: CERT Vulnerability Note VU#72051

Since over 1/3 of the servers globally run on SSL (with TLS1.2), this vulnerability is for real!

For sysadmin: please go seek out patches and patch against your SSL and reboot.

Q.
 
Originally Posted By: Quest
For sysadmin: please go seek out patches and patch against your SSL and reboot.


The source code for the exploit is here, to ensure that you are properly patched: https://gist.github.com/takeshixx/10107280

All of this scrambling to patch OpenSSL binaries reminds me of a few years ago when a Debian package maintainer buggered up their compilation of OpenSSL and everyone running Debian and Debian-derivative servers had to patch ASAP.
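Before reaching for the exploit code, the cheaper first check on a box you administer is the version banner. The helper below is an added Python example, not code from this thread or from the linked gist: it parses the output of `openssl version` and flags builds in the upstream range that shipped the heartbeat bug (1.0.1 through 1.0.1f; 1.0.1g and later, and all 1.0.0/0.9.8 releases, are not affected). The sample banners are constructed. The important caveat for the RHEL/CentOS crowd in this thread: vendors backport the fix without bumping the version string, so a 1.0.1e banner on a patched Red Hat box is expected, and the package changelog or vendor advisory, not the banner, is what settles it.

```python
import re
import subprocess

# Upstream OpenSSL releases affected by Heartbleed: 1.0.1 through 1.0.1f.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(banner):
    """Return (major, minor, fix, letter) from an `openssl version` banner, or None."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)


def upstream_affected(banner):
    """True if the banner's upstream version lies in the affected 1.0.1..1.0.1f range."""
    v = parse_version(banner)
    if v is None:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, fix, letter = v
    if (major, minor, fix) != (1, 0, 1):
        return False          # 1.0.0, 0.9.8, 1.0.2 ... never had the heartbeat bug
    # "" is 1.0.1 itself, "a".."f" are affected, "g" and later carry the fix
    return letter == "" or letter <= "f"


def assess(banner):
    """Classify a banner. A hit is a prompt to check the package changelog, not proof
    of exposure: distro builds with a backported fix keep the old version string."""
    if not upstream_affected(banner):
        return "not affected: upstream version outside 1.0.1..1.0.1f"
    return "version in affected range: confirm the fix via package changelog/vendor advisory"


def local_banner():
    """Run the system openssl binary; returns None if it is not available."""
    try:
        proc = subprocess.run(["openssl", "version"], capture_output=True,
                              text=True, check=True)
        return proc.stdout
    except (OSError, subprocess.CalledProcessError):
        return None


# Constructed sample banners (not captured from any real host)
SAMPLES = [
    "OpenSSL 1.0.1e 11 Feb 2013",   # vulnerable upstream, or patched distro backport
    "OpenSSL 1.0.1g 7 Apr 2014",    # first fixed upstream release
    "OpenSSL 1.0.0l 6 Jan 2014",    # 1.0.0 branch, never affected
    "OpenSSL 0.9.8y 5 Feb 2013",    # 0.9.8 branch, never affected
]

if __name__ == "__main__":
    for banner in SAMPLES:
        print("%-32s -> %s" % (banner.strip(), assess(banner)))
    live = local_banner()
    if live:
        print("%-32s -> %s" % (live.strip(), assess(live)))
```

On Red Hat derived systems the banner check is only the first gate; `rpm -q --changelog openssl` against the vendor advisory for this issue is what tells you whether the backport is installed.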
 
Thanks for the heads up, doing my RHEL boxes now. Weird that I haven't even gotten an e-mail (always get e-mails about updates like this) yet but the patch is already available from them
 
Originally Posted By: OVERKILL
Thanks for the heads up, doing my RHEL boxes now. Weird that I haven't even gotten an e-mail (always get e-mails about updates like this) yet but the patch is already available from them



http://heartbleed.com/

Not all distros are vulnerable; although that URL above does mention that both CentOS 6.5 and Fedora 18 possibly shipped with a vulnerable version.
 
You can only assume plenty of people were exploiting this. Too many able countries and too many geeks out there to miss it entirely.
 
I noticed that a lot of high profile websites using https show an exclamation mark next to the address and this info when one hovers over the sign:
Quote:
This website does not supply ownership information


This is with Firefox 28. Google used to have it (not anymore) and I noticed Ebay has it right now. Does it mean those websites are/were exploited by the bug?

Edit: I think I found my answer here: https://support.mozilla.org/en-US/questions/983078
 
There is a truly anonymous browser based on FireFox if you want to use it. Somewhat of a hassle but for sure they cannot track you. The Onion Router.


And I've started to use LastPass. This is great: it keeps your passwords online in a vault, accessible from any device, and will generate secure and unique passwords for all sites.
 
They missed this OpenSSL vulnerability for over two years. A German programmer made the mistake in December of 2011. Where were all the volunteers who supposedly check Open Source software?

The bad guys may have been using this vulnerability for over two years. The bad guys seem to be more motivated than the good guys. A claim was made that the NSA has been using this vulnerability for over two years. They denied it but you know what we can do with anything said by the NSA.

Supposedly some 500,000 servers could be affected by this and some 10,000 of the most popular websites on the internet. Better change your passwords!

Microsoft was completely unaffected. They don't use OpenSSL. Amazon.com was unaffected. Google, Gmail, Yahoo, and Yahoo Mail were affected.
 
Originally Posted By: Mystic
Where were all the volunteers who supposedly check Open Source software?


They were busy being imperfect, Mystic, like the rest of us. ;^)

If you really want to frighten yourself thinking about open source software, Google the Debian SSL fiasco from a few years ago.

If you really, really want to frighten yourself, research closed-source software!
 
I'm so glad I waited 7 or 8 years so Mystic could finally use the comment he's been waiting so long to dispense.

Of course this issue

http://en.wikipedia.org/wiki/NSAKEY

has never been completely explained by anyone and "I guess we will never know" since the code is proprietary; on a side note:

Quote:

"There is good news among the bad, however. It turns out that there is a flaw in the way the "crypto_verify" function is implemented. Because of the way the crypto verification occurs, users can easily eliminate or replace the NSA key from the operating system without modifying any of Microsoft's original components. Since the NSA key is easily replaced, it means that non-US companies are free to install "strong" crypto services into Windows, without Microsoft's or the NSA's approval.

Impossible since M$ has thousands of "professionals" coding.

With current revelations, I'm putting my eggs in the OSS basket.
 
Originally Posted By: Mystic
They missed this OpenSSL vulnerability for over two years. A German programmer made the mistake in December of 2011. Where were all the volunteers who supposedly check Open Source software?


It was the "good guys" who found it and alerted the Open SSL creators.

Originally Posted By: Mystic
The bad guys may have been using this vulnerability for over two years. The bad guys seem to be more motivated than the good guys. A claim was made that the NSA has been using this vulnerability for over two years. They denied it but you know what we can do with anything said by the NSA.


I guess you'll believe anything you read? That article by Bloomberg is totally unsubstantiated and offers zero proof.

Originally Posted By: Mystic
Supposedly some 500,000 servers could be affected by this and some 10,000 of the most popular websites on the internet. Better change your passwords!


Meh, you can if you want. I'm not. Not the least bit worried.
 
Originally Posted By: bubbajoe_2112
Originally Posted By: Mystic
Supposedly some 500,000 servers could be affected by this and some 10,000 of the most popular websites on the internet. Better change your passwords!


Meh, you can if you want. I'm not. Not the least bit worried.


This is my attitude as well. Those exploiting this thing were only able to get random snippets of data *from the server's RAM* so it is hardly anything that lent itself to deliberate, systemic exploitation.
 
I did a lot of research uc50ic4more. Microsoft as far as anybody can determine was completely unaffected by this OpenSSL vulnerability. Remember, Microsoft is the one with the evil closed-source software. Luckily Amazon.com (the website anyway) was not affected. But some 10,000 of the most popular websites on the internet were affected. Approximately two thirds of all servers (Linux) were potentially affected. It was apparently some Google researchers who found this programming error over TWO YEARS after a German programmer made the mistake.

We have been told repeatedly here by the Open Source and Linux fans that Open Source software is much safer than closed source software because Open Source software code can be examined by anybody. And supposedly there are all of these diligent volunteers always checking the source code for any mistakes. Well, if those diligent volunteers are not going to check the software it would be better if the software was closed software. Because you can bet that the bad guys were motivated to check the software for any holes. The bad guys may have been aware of all of this for over two years. A claim was made that the NSA has been taking advantage of this for two years. The NSA denied it.

I know you might not like FOX News but I am going to tell you this anyway. A woman who is a security expert was interviewed by FOX News. She said that if you rate a security issue from one to ten, with ten being the most severe, she would rate this OpenSSL security issue an eleven. Her interview is available at the FOX News website right now.

We are not talking about some unimportant software. This OpenSSL is used to provide a secure connection to a website.

We can't afford sloppy software development today. Microsoft cleaned up its act some years ago. With the major security issue a little while back involving Apple software maybe people need to take a look there. And I already knew about the Debian SSL issue.
 