[Wolves] Fwd: [LUG] OpenSSL 1.0.1 "Heartbleed" vulnerability

Chris Ellis chris at intrbiz.com
Tue Apr 8 18:23:40 UTC 2014


On Tue, Apr 8, 2014 at 6:43 PM, Richard Barker <
richard.barker at quietwatercourse.co.uk> wrote:

> On 08/04/14 18:13, Mark Croft wrote:
>
>> just reading this from Devon Linux User Group, sounds serious,
>> bugs/flaw/hole in cryptographic software library
>>
>> "Researchers have discovered an extremely critical defect in the
>> cryptographic software library an estimated two-thirds of Web servers
>> use to identify themselves to end users and prevent the eavesdropping
>> of passwords, banking credentials, and other sensitive data."
>>
>>
>>
>> ---------- Forwarded message ----------
>> From: Martijn Grooten <martijn at lapsedordinary.net>
>> Date: 8 April 2014 09:10
>> Subject: [LUG] OpenSSL 1.0.1 "Heartbleed" vulnerability
>> To: list at dcglug.org.uk
>>
>>
>> Things rarely get more serious than this:
>>
>> http://arstechnica.com/security/2014/04/critical-
>> crypto-bug-in-openssl-opens-two-thirds-of-the-web-to-eavesdropping/
>> http://heartbleed.com/
>>
>> Martijn.
>>
> I saw this earlier, it's very worrying but it seems to have been patched
> commendably quickly. Those of us who make use of OpenVPN might find the
> information at this link of interest.  It seems that the OpenVPN team do
> need to issue a patch separately.
>
> https://forums.openvpn.net/topic15519.html
>
> Rich.


It's a pretty serious bug, as it allows the attacker to reveal up to 64KiB
of private memory, this could potentially include the SSL private keys!
The bug only affects OpenSSL version 1.0.1 (and 1.0.2) but it affects
anything using OpenSSL, e.g. Apache HTTPD, OpenVPN, etc.

There is also no way to tell if you have been exploited and what
information the attacker may have got.  There are examples on the internet
revealing Yahoo usernames and passwords, so I would avoid using Yahoo for
the moment.

Advisory here: https://www.openssl.org/news/secadv_20140407.txt

Information on the bug is here: http://heartbleed.com/

A checker is: http://filippo.io/Heartbleed/

Ivan has also updated SSL Labs to test for the vulnerability:
https://www.ssllabs.com/

Certainly openSUSE and Debian seem to have pushed updates as of this
morning and I suspect other distros have, or will be pushing updates
shortly.

It is essential that people apply these patches immediately and you
should also consider revoking your SSL keys and reissuing.  If you're a high
value site, then it might be prudent to revoke your SSL keys.

It's also worth not forgetting about any devices / appliances which may be
running OpenSSL, SSL offload boxes etc.

Regards,
Chris
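As an added example (not part of the thread above), a small triage helper for the "apply these patches" and "don't forget appliances" advice: it classifies `openssl version` output against the affected range stated in the OpenSSL advisory (1.0.1 through 1.0.1f and 1.0.2-beta1 vulnerable; 1.0.1g and 1.0.2-beta2 fixed; 0.9.8 and 1.0.0 never had the heartbeat code). The host names and version lines in `SAMPLE_INVENTORY` are constructed.

```python
import re

# Version pattern for the first line of `openssl version`, e.g.
# "OpenSSL 1.0.1e-fips 11 Feb 2013" or "OpenSSL 1.0.2-beta1 24 Feb 2014".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def classify(version_line: str) -> str:
    """Return 'not_affected', 'vulnerable', 'fixed' or 'unknown'.

    Caveat: 'vulnerable' means 'vulnerable unless the fix was backported'.
    Debian, Red Hat and others patch in place and keep the upstream string
    (e.g. 1.0.1e), so confirm against the package changelog, not this alone.
    Builds made with -DOPENSSL_NO_HEARTBEATS are also safe despite the string.
    """
    m = _VERSION_RE.match(version_line.strip())
    if not m:
        return "unknown"
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if (major, minor, patch) == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f are vulnerable; 1.0.1g and later fixed.
        return "vulnerable" if letter < "g" else "fixed"
    if (major, minor, patch) == (1, 0, 2):
        # Only the first 1.0.2 beta shipped the bug; beta2 and the final fixed it.
        return "vulnerable" if beta == "1" else "fixed"
    if (major, minor, patch) < (1, 0, 1):
        return "not_affected"  # 0.9.8 and 1.0.0 branches have no heartbeat code
    return "fixed"  # 1.1.x and later


def triage(inventory: str) -> dict:
    """Map each 'host <openssl version line>' row of an inventory to a status."""
    result = {}
    for row in inventory.strip().splitlines():
        host, _, version_line = row.partition(" ")
        result[host] = classify(version_line)
    return result


# Constructed sample inventory: web server, VPN box, old load balancer, NAS appliance.
SAMPLE_INVENTORY = """
web1  OpenSSL 1.0.1e 11 Feb 2013
vpn1  OpenSSL 1.0.1g 7 Apr 2014
lb1   OpenSSL 0.9.8y 5 Feb 2013
nas1  OpenSSL 1.0.2-beta1 24 Feb 2014
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```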