I am not a fan of the NSA, but suspect they
exploited code execution much more than
just reading.

From the openssl-1 Changelog, these
appear more severe than HB to me.
(some of these certainly affect the 0.9 branch).

*) Make openssl verify return errors.
     [Chris Palmer <[email protected]> and Ben Laurie]

*) Sanity check record length before skipping explicit IV in TLS
     1.2, 1.1 and DTLS to fix DoS attack.
*) Initialise tkeylen properly when encrypting CMS messages.
     Thanks to Solar Designer of Openwall for reporting this issue.
*) Check for potentially exploitable overflows in asn1_d2i_read_bio
     BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer
     in CRYPTO_realloc_clean.


On Mon, Apr 14, 2014 at 12:46:03AM -0700, jim bell wrote:
> White House, spy agencies deny NSA exploited 'Heartbleed' bug
> Security experts warn there is little Internet users can do to protect
> themselves
> WASHINGTON (Reuters) - The White House and U.S. intelligence 
> agencies said on Friday neither the National Security Agency nor any other 
> part of the government were aware before this month of the "Heartbleed" bug, 
> denying a report that the spy agency exploited the glitch in widely used Web 
> encryption technology to gather intelligence.
> The White House, the NSA and the Office of the Director of National 
> Intelligence issued statements after Bloomberg reported that the NSA was 
> aware of the bug for at least two years and exploited it in order to obtain 
> passwords and other basic information used in hacking operations. The 
> Bloomberg report cited two unnamed sources it said were familiar with the 
> matter.
> The Heartbleed bug is considered one of the most serious Internet security 
> flaws to be uncovered in recent years.
> "Reports that NSA or any other part of the government were aware of the 
> so-called Heartbleed vulnerability before April 2014 are wrong," White House 
> National Security Council spokeswoman Caitlin Hayden said in a statement.
> "This administration takes seriously its responsibility to help maintain an 
> open, interoperable, secure and reliable Internet," Hayden added.
> Bloomberg was not immediately available to comment.
> The discovery of Heartbleed by researchers with Google Inc and a small 
> security firm, Codenomicon, prompted the U.S. Homeland Security Department to 
> advise businesses on Tuesday to review their servers to see if they were 
> using vulnerable versions of widely used software known as OpenSSL.
> OpenSSL is used to encrypt email and other communications and to protect the 
> websites of big Internet companies, including Facebook Inc, Google Inc and 
> Yahoo Inc. The bug, disclosed Monday, allows hackers to steal data without a 
> trace.
> NSA spokeswoman Vanee Vines said in a separate statement: "NSA was not aware 
> of the recently identified vulnerability in OpenSSL, the so-called Heartbleed 
> vulnerability, until it was made public in a private-sector cybersecurity 
> report."
> Hayden said the federal government relies on OpenSSL to protect the privacy 
> of users of government websites and other online services. "If the federal 
> government, including the intelligence community, had discovered this 
> vulnerability prior to last week, it would have been disclosed to the 
> community responsible for OpenSSL," Hayden added.
> Hayden said that when U.S. agencies discover a new vulnerability in 
> commercial and open-source software, "it is in the national interest to 
> responsibly disclose the vulnerability rather than to hold it for an 
> investigative or intelligence purpose." Such vulnerabilities are known as 
> "zero-day" flaws because the software developers have had zero days to fix 
> them.
> In December, a five-member advisory panel convened to review electronic 
> surveillance policy urged the White House to sharply curtail the use of 
> undisclosed flaws and stop undercutting encryption standards. The panel 
> included former White House cybersecurity advisor Richard Clarke.
> In late February, a senior White House official said the Obama administration 
> was intensively studying both issues.
> The administration statements issued on Friday confirmed that the review had 
> already "reinvigorated an interagency process for deciding when to share 
> vulnerabilities" on a case-by-case basis.
> The activities of the NSA have come under sharp scrutiny since former agency 
> contractor Edward Snowden leaked numerous documents exposing expansive U.S. 
> surveillance efforts.
> Even before Snowden's emergence, former officials, including Clarke, told 
> Reuters that offensive and spying considerations had dominated inside the 
> NSA, causing it to withhold information instead of warning the public about 
> new flaws.
> Clarke told Reuters Friday that the NSA had not known of Heartbleed.
> The U.S. government warned banks and other businesses on Friday to be on 
> alert for hackers seeking to steal data exposed by the bug, as a German 
> programmer who volunteered with OpenSSL took responsibility for inadvertently 
> launching the security crisis.
> (Additional reporting by Joseph Menn; Editing by Jonathan Oatis)
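The two classes of fix listed from the changelog above (sanity-checking a record length before skipping the explicit IV, and guarding buffer growth against overflow and shrink requests) as an added illustration in C. This is not OpenSSL's code and not from the thread; the `record` and `membuf` types, the 16-byte explicit IV, and the demo helpers are all assumptions for the example. It shows why the unchecked form matters: subtracting the IV length from an unsigned length that is smaller than it wraps to a huge value, and any later copy or MAC check that trusts that value reads off the end of the buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed for the example: a 16-byte explicit IV, as CBC suites carry in
 * TLS 1.1/1.2. The struct is illustrative, not OpenSSL's record layout. */
#define EXPLICIT_IV_LEN 16

struct record {
    const uint8_t *data;   /* ciphertext bytes as received from the peer */
    size_t len;            /* length taken from the untrusted record header */
};

/* Unchecked pattern: if len < EXPLICIT_IV_LEN the unsigned subtraction wraps,
 * leaving a "remaining length" near SIZE_MAX for later code to act on. */
size_t skip_iv_unchecked(const struct record *r, const uint8_t **body)
{
    *body = r->data + EXPLICIT_IV_LEN;
    return r->len - EXPLICIT_IV_LEN;
}

/* Checked pattern: validate before subtracting. Returns 0 on success and
 * -1 for a record too short to contain an IV; the caller drops the record. */
int skip_iv_checked(const struct record *r, const uint8_t **body, size_t *body_len)
{
    if (r->len < EXPLICIT_IV_LEN) {
        *body = NULL;
        *body_len = 0;
        return -1;
    }
    *body = r->data + EXPLICIT_IV_LEN;
    *body_len = r->len - EXPLICIT_IV_LEN;
    return 0;
}

/* Growable buffer with the guards the changelog lines describe: an overflow
 * check on the rounded size, and a refusal to "grow" to a smaller length. */
struct membuf {
    uint8_t *data;
    size_t len;   /* bytes in use */
    size_t cap;   /* bytes allocated */
};

int membuf_grow(struct membuf *b, size_t newlen)
{
    if (newlen < b->len)
        return -1;                    /* shrinking via grow is a caller bug */
    if (newlen <= b->cap) {
        b->len = newlen;
        return 0;
    }
    if (newlen > SIZE_MAX - 64)       /* rounding below must not overflow */
        return -1;
    size_t newcap = (newlen + 63) & ~(size_t)63;   /* round up to 64 bytes */
    uint8_t *p = realloc(b->data, newcap);
    if (p == NULL)
        return -1;
    memset(p + b->cap, 0, newcap - b->cap);        /* zero the new tail */
    b->data = p;
    b->cap = newcap;
    b->len = newlen;
    return 0;
}

/* Demo helpers on constructed input, returning values rather than printing. */
static const uint8_t short_rec[8] = {0};    /* constructed: shorter than one IV */
static const uint8_t ok_rec[48] = {0};      /* constructed: IV plus 32 bytes */

size_t demo_unchecked_short(void)
{
    struct record r = { short_rec, sizeof short_rec };
    const uint8_t *body;
    return skip_iv_unchecked(&r, &body);    /* wraps to SIZE_MAX - 7 */
}

int demo_checked_short(void)
{
    struct record r = { short_rec, sizeof short_rec };
    const uint8_t *body; size_t n;
    return skip_iv_checked(&r, &body, &n);  /* -1: rejected */
}

size_t demo_checked_ok(void)
{
    struct record r = { ok_rec, sizeof ok_rec };
    const uint8_t *body; size_t n = 0;
    skip_iv_checked(&r, &body, &n);
    return n;                               /* 32 */
}

size_t demo_grow_cap(void)
{
    struct membuf b = { NULL, 0, 0 };
    size_t cap = membuf_grow(&b, 100) == 0 ? b.cap : 0;   /* 128 */
    free(b.data);
    return cap;
}

int demo_shrink_refused(void)
{
    struct membuf b = { NULL, 0, 0 };
    int rc = membuf_grow(&b, 100) == 0 ? membuf_grow(&b, 10) : 0;  /* -1 */
    free(b.data);
    return rc;
}

int main(void)
{
    printf("unchecked remaining length on 8-byte record: %zu\n", demo_unchecked_short());
    printf("checked result on 8-byte record: %d\n", demo_checked_short());
    printf("checked body length on 48-byte record: %zu\n", demo_checked_ok());
    printf("capacity after grow(100): %zu, grow(10) after that: %d\n",
           demo_grow_cap(), demo_shrink_refused());
    return 0;
}
```

The defensive rule both halves share is the same: compare before you subtract, and bound before you allocate, because the length field in a TLS record and the size passed to a buffer-grow routine are both attacker-influenced integers.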
