Busy time for OpenSSL users

Ugh. I was expecting a few 0days today (Windows XP death day), but not this....
 
Thanks for posting this, I've been checking all of our stuff for the last four hours. That http://filippo.io/Heartbleed/ site has a command line utility for checking internal servers as well, which turned out to be pretty handy. I ran an nmap of the networks I was interested in, filtering for only hosts with 443 open, then used the command line utility on that site to check the list of hosts that were listening.

All of our stuff was good, with the exception of one internal host running McAfee ePolicy Orchestrator.

Also, my Synology NAS at home was vulnerable and exposed to the internet, just a heads up for anyone running services at home that they haven't thought of. I've just closed the port for now until there is a patch available.
 
done and done!

yum update for 3 CentOS boxes; another box is using 0.9, which is not affected.

pfSense system has IP restrictions for the SSL ports anyway, so not affected, but I will update pfSense.

This also affects routers; OpenVPN has a new version out as well.

This will be A LOT of work for some people in IT.

Also, don't think only port 443: any service that uses SSL with OpenSSL, even IIS, which by default uses the MS SSL system but can have OpenSSL modules installed.
 
I checked my personal site and it's fine. I have to check some public-facing load-balanced sites and I'm not looking forward to that.
 
I love that CentOS has an interim package out, but my Red Hat boxes don't have an update available yet.
 
Red Hat does have their update pushed out, but there was no actual "g" version apparently.

If you have version 1.0.1e and less than 1.0.1e-16.el6_5.4.0.1, then you are currently vulnerable to this problem.
If you have version 1.0.1e-16.el6_5.4.0.1.centos, then you have the temporary version issued before Red Hat issued their official fix.
If you have version 1.0.1e-16.el6_5.7 or higher, then you have the official fixed version.
 
Our rock-solid Ubuntu 10.04 was not affected because it had an earlier version of OpenSSL.
 
I mentioned this in the other thread, but if you happen to be using OpenVPN on pfSense you'll need to update to the newest build, v2.1.3, which they should have released yesterday specifically for this.

Alternatively, you can enable "TLS Authentication" of packets in the OpenVPN server instance settings if it isn't already. You will need to redeploy configs for users to connect.

We're a small shop so I decided to redeploy rather than mess w/ a router upgrade at this time.
 
Crazy shit. Two years this has been an issue. Just updated 5 CentOS 6.5 boxes. Be sure to restart your services!
 
TLS auth should always be enabled in the first place.

But even then, if you aren't using OpenVPN just for yourself and have other users, TLS auth won't save you since your users must obviously have that key.
 
Unfortunately, I don't know much about networking. I read an article today that said this thing is now infecting people's routers. Is there a way to check my router?
 
It is not a virus and it doesn't infect routers.

However, if your router has a version of OpenSSL that is listed as being affected, then it will be vulnerable to the attack. Your best bet is to check with the manufacturer to see if there is updated firmware, and/or disable HTTPS access on the router, and/or disable remote admin access to the router.

Here is a link with some affected routers and devices.
http://www.engadget.com/2014/04/10/the-heartbleed-bug-is-affecting-routers-too/
 
Actually, how is this attacked exactly? They don't mention that part very clearly. E.g., what port/service is the attacker connecting on, or what is the attacker doing exactly, that causes it to reveal 64k of memory?

E.g., if I have a server that uses a vulnerable version of OpenSSL but there's no HTTPS and only OpenVPN on a non-standard UDP port, is it still directly at risk, and do I still need to redo the certs? Right now that's my only machine that has a bad version, but my distro does not have a yum update for it. I really don't want to have to do it from source, as that will probably just install another package side by side and screw things up.

I turned off OpenVPN for now to be safe though.
 
Here is a very detailed link on the attack:
http://www.troyhunt.com/2014/04/everything-you-need-to-know-about.html

It would be advisable to patch to a non-affected version of OpenSSL and redo the certs. You never know; someone may have been targeting you or your server, waiting for something like this to come along. The worst part of all is the logs won't show anything out of the ordinary unless you are running Snort or Bro.

Which OS/version? If it is CentOS, then you need to run 'yum clean metadata' then 'yum update' to get the latest patched version until Red Hat releases the upstream update. It should be version 'openssl-1.0.1e-16.el6_5.7.x86_64' (rpm -q openssl).
 
Hmmm, so is this version safe then? I figured 1.0.1e was within the range of affected versions.

Code:
[root@vpnsrv ~]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
[root@vpnsrv ~]# rpm -q openssl
openssl-1.0.1e-16.el6_5.7.x86_64
[root@vpnsrv ~]#

It should be 1.0.1g though, right?
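The three el6 release rules posted earlier in the thread, and the `rpm -q openssl` output just above, can be checked mechanically. What follows is an added example of mine, not anything posted in the thread or shipped by Red Hat or CentOS. It assumes the release strings quoted in the thread (16.el6_5.4.0.1.centos for the interim build, 16.el6_5.7 for the official fix) and the default name-version-release.arch format that `rpm -q` prints. The point it encodes is that Red Hat backports security fixes without bumping the upstream version, so `openssl version` keeps printing 1.0.1e on a fixed box and only the RPM release (or `rpm -q --changelog openssl`, which names CVE-2014-0160 in the fixed build) tells you whether Heartbleed is patched.

```python
import re

# Release strings quoted in the thread for the el6 openssl package
INTERIM_RELEASE = "16.el6_5.4.0.1.centos"   # CentOS stopgap build
FIXED_RELEASE = "16.el6_5.7"                # official Red Hat / CentOS fix

def rpmvercmp(a, b):
    """rpm-style comparison: split into digit/alpha runs and compare run by run.
    Simplified: ignores epoch and the '~' pre-release marker."""
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1      # a numeric run outranks an alphabetic one
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))   # leftover runs win

def parse_nvra(nvra):
    """Split 'name-version-release.arch' as printed by `rpm -q openssl`."""
    m = re.match(r"^(?P<name>.+?)-(?P<ver>[^-]+)-(?P<rel>[^-]+)\.(?P<arch>[^.-]+)$", nvra.strip())
    if not m:
        raise ValueError("not an rpm name-version-release.arch string: %r" % nvra)
    return m.group("name", "ver", "rel", "arch")

def classify_openssl(nvra):
    """Apply the thread's three el6 rules to one `rpm -q openssl` line."""
    name, ver, rel, _arch = parse_nvra(nvra)
    if name != "openssl" or ver != "1.0.1e":
        return "outside the el6 1.0.1e rules; check rpm -q --changelog openssl for CVE-2014-0160"
    if rpmvercmp(rel, FIXED_RELEASE) >= 0:
        return "fixed (official build)"
    if rel == INTERIM_RELEASE:
        return "fixed (interim CentOS build)"
    if rpmvercmp(rel, INTERIM_RELEASE) < 0:
        return "VULNERABLE"
    return "between interim and official release; check rpm -q --changelog openssl for CVE-2014-0160"

def check_rpm_output(output):
    """Classify every line of `rpm -q openssl` (multiarch hosts print one line per arch)."""
    return {line.strip(): classify_openssl(line) for line in output.splitlines() if line.strip()}

if __name__ == "__main__":
    import subprocess
    out = subprocess.run(["rpm", "-q", "openssl"], capture_output=True, text=True).stdout
    for pkg, verdict in check_rpm_output(out).items():
        print(pkg, "->", verdict)
```

Run it on each box after `yum update`; the `openssl-1.0.1e-16.el6_5.7.x86_64` line quoted above classifies as fixed, and a release such as 16.el6_5.4 (before the interim build) classifies as vulnerable. Remember the point made earlier in the thread: the new library is only in use once the services that loaded the old one have been restarted.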
 
Fun times. Fortunately we terminate the majority of our SSL traffic on our load balancers, which were unaffected. I only had two externally available sites I had to patch out of a shitton of IPs. That mitigated the most important part; now to update all the hundreds of *nix VMs and templates internally over the next few weeks.
 