OpenSSL versions 1.0.1 and 1.0.2-beta Vulnerability

Soldato | Joined 14 Nov 2012 | Posts 17,971 | Location Chesterfield
Got this email this morning, means nothing to me, but do any of you need to be aware?

As you may be aware a vulnerability has been identified in OpenSSL versions 1.0.1 and 1.0.2-beta. This has the potential to allow attackers to gain access to users' passwords and fool people into using false versions of Web sites. The vulnerability was made public on Monday evening before most vendors had a chance to issue a bug fix.

Since OpenSSL is the default Secure Sockets Layer/Transport Layer Security (SSL/TLS) library for the Apache and NGINX Web servers, some estimates claim that as many as two-thirds of all "secured" Web sites are vulnerable to Heartbleed.

Heartbleed can reveal the contents of a server's memory, where sensitive data is stored. That includes private data such as usernames, passwords, and credit card numbers. It also means an attacker can get copies of a server's digital keys then use that to impersonate servers or to decrypt communications from the past or potentially the future, too. There is no record of an attack.

OpenSSL is used in other places that you may not be aware of; for example, VMware ESXi v5.5 has been seen to be vulnerable. So please test any server that has secure access over SSL, starting with publicly accessible servers first and then working into the network to the non-publicly accessible servers.

Checkpoint firewalls are not vulnerable.

More information is available here:
http://heartbleed.com/


Patches
Companies are now delivering the OpenSSL patches to their clients. So far, the fixed Linux operating systems include:
CentOS https://rhn.redhat.com/errata/RHSA-2014-0376.html
Debian http://www.debian.org/security/2014/dsa-2896
Fedora https://lists.fedoraproject.org/pipermail/announce/2014-April/003205.html
Red Hat https://access.redhat.com/site/announcements/781953
openSUSE http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00004.html
Ubuntu http://www.ubuntu.com/usn/usn-2165-1/
SUSE Linux Enterprise Server (SLES) was not affected.
 
Been looking at this since yesterday. If you have been running a vulnerable version of OpenSSL then you need to do the following:

  1. Upgrade OpenSSL
  2. Revoke ALL SSL certificates
  3. Regen all SSL priv keys
  4. Get new certs from SSL vendor

I've been lucky the project I'm working on had its go live date pushed to May so I've got time to get this fixed before the service is available. Would have been a much busier Tuesday otherwise!
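The four steps above are what a sysadmin would script on the affected boxes. The following is an added example, not code posted in this thread: a small POSIX shell script that classifies an `openssl version` string for the upgrade step, and wraps the key-regeneration and CSR steps around the `openssl` binary. It assumes `openssl` is on the PATH and uses a placeholder hostname; the version ranges encode the published fact that 1.0.1 through 1.0.1f and 1.0.2-beta1 carry the bug and 1.0.1g fixed it.

```shell
#!/bin/sh
# Added example (not from the thread): triage for the "Upgrade OpenSSL" step.
# Heartbleed affects OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1; 1.0.1g and
# later are fixed. Releases before 1.0.1 never contained the heartbeat code.

# Classify the output of `openssl version`, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
# Prints exactly one of: vulnerable, fixed, unaffected.
heartbleed_status() {
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    case "$ver" in
        1.0.1|1.0.1[a-f]*)  echo vulnerable ;;   # includes 1.0.1e-fips style strings
        1.0.1[g-z]*)        echo fixed ;;
        1.0.2-beta1*)       echo vulnerable ;;
        1.0.2*)             echo fixed ;;        # beta2 and later
        0.*|1.0.0*)         echo unaffected ;;   # no heartbeat extension at all
        *)                  echo fixed ;;        # 1.1.0 and newer never shipped the bug
    esac
}

# Steps 3 and 4 from the post: a fresh private key and a CSR to send to the CA.
# $1 = hostname (placeholder), $2 = output directory. Runs in a subshell so the
# restrictive umask applies only to the new key material.
regenerate_key_and_csr() {
    host="$1"; outdir="$2"
    (
        umask 077
        openssl genrsa -out "$outdir/$host.key" 2048 2>/dev/null &&
        openssl req -new -key "$outdir/$host.key" -out "$outdir/$host.csr" \
            -subj "/CN=$host" 2>/dev/null
    )
}

# Demo when run directly: classify the local build, then show the build date.
# Distros in the advisory list above backport the fix without bumping the
# version string, so a "vulnerable" verdict on 1.0.1e only means "check the
# package changelog"; a build date after 7 Apr 2014 usually indicates a rebuild
# that carries the patch.
if command -v openssl >/dev/null 2>&1; then
    local_ver=$(openssl version)
    echo "local build: $local_ver -> $(heartbleed_status "$local_ver")"
    openssl version -a | grep -i 'built on' || true
    tmp=$(mktemp -d) && regenerate_key_and_csr example.invalid "$tmp" &&
        echo "new key and CSR written to $tmp (placeholder hostname)"
fi
```

`heartbleed_status` works on any string in the `openssl version` format, so it can be fed the output collected from remote hosts over SSH as well as the local binary; the classification is intentionally conservative and reports a backported-but-unbumped package as vulnerable, which is the direction you want an inventory script to err in.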
 
What has been the personal/workplace fall out for you guys over this? We took OpenSSL offline straight away and are only looking at reintroducing it now.
 
I wondered this as well, I would have imagined that anyone that would have acted on this hole would have accessed accounts with it.

If I was to change every password I have for an online account or service, I would be at it all night trying to remember which ones I have an account for and trying to work out new passwords that are as secure as possible.
 
What has been the personal/workplace fall out for you guys over this? We took OpenSSL offline straight away and are only looking at reintroducing it now.

We were really slow at upgrading so were running versions old enough to not be affected anyway. One OpenVPN appliance needed patching and that was about it.
 
On a personal access note, is changing any of my passwords going to make any difference at this time?

Andi.

You should change all passwords. A password should only be changed after a website has patched OpenSSL.

You can use ssllabs.com to check if a site is still vulnerable.
 