On 09 Apr 2014, James Dugger wrote:

hello James,

yup. If you're using a version with the bug, you need to upgrade now and
immediately generate new keys.

https://www.mattslifebytes.com/?p=533

If you're still running it at this point, then you should also notify
anyone who has logged in via your service in the last couple days.

For those of us who use secure sites, we should verify the site has been
updated, then immediately change our password. If the site has security
questions, then those should be changed as well. If you're not already
using something like KeePassX, then now is a good time to start.

Find out if a site is vulnerable:

https://www.ssllabs.com/ssltest/

Detect on your own:

https://github.com/decal/ssltest-stls/blob/master/ssltest-stls.py

ciao,

der.hans
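As an added example (not code from this thread, nor the ssltest-stls script linked above), the record-level check a patched library or an IDS applies to a heartbeat message: the declared payload length has to fit inside the TLS record that carries it, and a response should not be much larger than the request it echoes. The sample records are constructed, not captured traffic.

```python
"""Heartbeat record sanity check (added example, not from the thread).
RFC 6520 heartbeat body: type(1) payload_length(2) payload padding(>=16).
Heartbleed was trusting payload_length without checking that it fits
inside the TLS record; the sample records below are constructed."""
import struct

TLS_HEARTBEAT = 0x18          # TLS record content type for heartbeat
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16              # padding length OpenSSL uses

def parse_record(data: bytes):
    """Split one TLS record into (content_type, version, body)."""
    if len(data) < 5:
        raise ValueError("truncated TLS record header")
    ctype, ver, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("record body shorter than header claims")
    return ctype, ver, body

def check_heartbeat(data: bytes) -> str:
    """Return 'ok', 'not-heartbeat', or a 'suspect: ...' reason."""
    ctype, _ver, body = parse_record(data)
    if ctype != TLS_HEARTBEAT:
        return "not-heartbeat"
    if len(body) < 3:
        return "suspect: heartbeat body too short for its header"
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return "suspect: unknown heartbeat type"
    # The check the OpenSSL fix added: 1 + 2 + payload_length + 16 must fit.
    if 3 + payload_len + MIN_PADDING > len(body):
        return f"suspect: payload_length {payload_len} exceeds record size {len(body)}"
    return "ok"

def response_exceeds_request(request: bytes, response: bytes) -> bool:
    """Coarse pairing heuristic: a response echoes the request payload, so a
    response much larger than its request carries bytes the peer never sent."""
    _, _, req_body = parse_record(request)
    _, _, resp_body = parse_record(response)
    return len(resp_body) > len(req_body) + MIN_PADDING

# Constructed samples (TLS 1.1 record version 0x0302).
BENIGN_REQUEST = b"\x18\x03\x02\x00\x14" + b"\x01\x00\x01" + b"A" + b"\x00" * 16
BENIGN_RESPONSE = b"\x18\x03\x02\x00\x14" + b"\x02\x00\x01" + b"A" + b"\x00" * 16
MALFORMED_REQUEST = b"\x18\x03\x02\x00\x03" + b"\x01\x40\x00"   # claims 16384 bytes
LEAKY_RESPONSE = (b"\x18\x03\x02\x40\x13" + b"\x02\x40\x00"
                  + b"L" * 16384 + b"\x00" * 16)                # what the bug echoes
```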

This is serious. While IDS/IPS may be programmed to "detect" it at this
point it is too late because the hacker has already obtained the keys to
the kingdom. Just had a security code development seminar today with
contracted pen-testers and this was a very hot topic. If Heartbeat is
enabled on your server and a hacker attempts a TLS handshake with something
other than a zero value after the initial "hello", then the server will send
the contents of the last cached memory back to the hacker. If this is a
web server running Apache, Apache will gladly package the contents of its
cache back to the server including SESSION cookies and SSL encryption keys
still in memory.

The pen-testers we spoke with today said that they know of a hacker site
that went up 5 hours after the notice and started exploiting web servers.
They have tested this on their systems and have been able to pull SSL
keys and SESSION cookies; they had everything needed to open the SESSION
contents, where they had usernames and passwords.

My understanding is that unless IDS/IPS has been programmed to compare the
incoming and outgoing handshake, there will be no log information from the
server of the event. So in other words you may not know if you have been
exploited or not. Worst case you have encryption keys and users' SESSION
contents out in the wild, and you find out when customers' banks' fraud
departments start calling.

On Tue, Apr 8, 2014 at 10:00 AM, jill <[email protected]> wrote:

Patches have been released overnight for:

CentOS 6.x:
http://lists.centos.org/pipermail/centos-announce/2014-April/020249.html
RHEL 6.x: https://access.redhat.com/security/cve/CVE-2014-0160
https://rhn.redhat.com/errata/RHSA-2014-0376.html
Debian 7/Wheezy, 6/Squeeze via the security repo (make sure you have
http://security.debian.org/ enabled):
https://security-tracker.debian.org/tracker/CVE-2014-0160
Ubuntu 12.04, 12.10, 13.04: http://www.ubuntu.com/usn/usn-2165-1/

apt-get update / yum upgrade should do it.

Patch, patch, patch your servers, gently down the tubes... merrily, merrily, 
merrily, merrily, re-issue your certs.

Jill

On 2014-04-07 20:56, der.hans wrote:

Based on the following page:

OpenSSL heartbeat is enabled even if you're not using it unless you
disabled it at compile time.

The vulnerability has been in place for two years ( version 1.0.1 up until
1.0.1g that was just released ).

It can be exploited to reveal your private key without leaving a trace.

IDS can probably be configured to detect the attack.

http://heartbleed.com/

ciao,
---------------------------------------------------
PLUG-discuss mailing list - [email protected]
To subscribe, unsubscribe, or to change your mail settings:
http://lists.phxlinux.org/mailman/listinfo/plug-discuss
--
#  http://www.LuftHans.com/        http://www.LuftHans.com/Classes/
#  When I work, I work hard. When I play, I play hard.
#  When I sit, I sleep. - Embe Kugler