Heartbleed: very serious flaw in OpenSSL

Red Squirrel

Anyone running web servers should probably read this, and patch:

http://heartbleed.com/

Oddly, I used the tool to test my server and it says it's OK. Anyone know more details about this bug? Do I need to redo all my certs? Will this affect VPN servers as well, like OpenVPN? What about SSH?
 
If the application in question uses OpenSSL 1.0.1 through 1.0.1f during the handshake, you're vulnerable and need to upgrade the version of OpenSSL and change out your certs. This can include VPN software and SSH, depending on how they're configured.

Also, which tool did you use to test? I've found that some tools have problems and return false negatives.
 
I had my stuff patched by Tuesday night; I was surprised to hear most admins hadn't heard about it until Wednesday morning...

You're at least a day late now, my man...
 
If you are using pfSense with OpenVPN, you are vulnerable if your VPN does not have "TLS Authentication" enabled for packets.

They are currently recompiling a new complete version. The package can't just be updated. They should be releasing v2.1.2 today with the updated package of OpenSSL.
 
Which won't matter, because if they were being exploited, this bug has been out since March 2012.
 
When you say "they" you mean the NSA, don't you?

Yeah....

I doubt this was on the radar of most hackers, though, until Tuesday night...
 
Meh, does it really matter??

Hackers want your stuff, they will get it either way.
 
Also, this brings up an interesting point: if all these companies used OpenSSL, who is liable?

For once I feel OK about running IIS, lol!
 
Sure, every intel agency around the world, from the NSA to Russia to China, and everyone in between on the darknet.
 
IIS user here! Not because I think it's any better, but because I'm a complete noob at web hosting at work, and if it weren't for the MS Web Platform Installer I wouldn't be able to do any of it.
 
Actually, this one is quite surprising: that a bug in something open source took this long to be discovered.

But with something closed source, the back door, I mean bug, would probably never be discovered at all. :D

Now the OpenSSL team has to figure out which dev actually works for the NSA. :D
 
We joke about this, but let's be honest.... I wouldn't be the slightest bit surprised if tomorrow there is another Snowden document that outlines how this all went down.
 
I never even considered OpenVPN. Crap. Guess I know what I'll be doing tomorrow.
 
Just did my AS server. wget the new package and a simple dpkg -i, and off we go.

Just redoing the certificate now.
 
What about a stand-alone VPN on a server that is behind a firewall? On my VPN server, openssl shows version OpenSSL 1.0.1e-fips 11 Feb 2013. That falls within the vulnerable range, right? Did a full yum update of the whole system, but unfortunately they did not update the repo yet, I guess. I don't really want to mess with compiling from source when it's already installed via yum.

Going to be a pain in the ass having to redo all the certs again, but I definitely can't mess around with this. I turned off OpenVPN for now. What sucks, though, is that any packet-sniff data from previous sessions can now be decrypted quite easily.

Though, if there is no HTTPS accessible on that machine, could it even be exploited?
 
Just did more reading; luckily most of my pfSense OpenVPN is peer-to-peer with a PSK, so not vulnerable. There are some mobile user configs, but most of those clients still use 2.0.3, which works out well since they use the older non-bugged version. Updated the couple of vulnerable servers with TLS auth, which should help until a new image is built.
 
This is what I did. The new image should be out tonight. It's a workaround, but a secure one. I don't have time to deploy a new core firewall/router. It was easier for me to simply replace the 15 or so profiles for the remote agents this morning.
 
For those with OpenVPN on pfsense:

https://forum.pfsense.org/index.php?topic=74796.75

The devs have been pretty active, though I must admit that they didn't become active until their gold subs started bitching, which was a little disconcerting. All we wanted was an acknowledgement that something was being worked on, and it took them (in my opinion) too long to even address it.
 
I would recommend that you seriously contemplate the meaning of the phrase 'low hanging fruit'.
 
ANYTHING that uses OpenSSL is affected: IIS with OpenSSL modules, the OpenVPN application (new version already out)...

Sure, if you have your systems locked down, IP filters, whatever, you may be fine, but why not just update and be done with it?

If the version is 1.0.1e and less than 1.0.1e-16.el6_5.4.0.1, then you are currently vulnerable to this problem.

If the version is 1.0.1e-16.el6_5.4.0.1.centos, then you have the temporary version issued before Red Hat issued their official fix.

If the version is 1.0.1e-16.el6_5.7 or higher, then you have the official fixed version.
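A triage helper added here (not from the thread, pfSense or Red Hat) that encodes the version rules of this post together with the 1.0.1 through 1.0.1f range given earlier, including the RHEL/CentOS case where `openssl version` still prints 1.0.1e after the fix has been backported and only the package release field tells you anything. The release thresholds are the ones quoted above; the function names are my own.

```python
import re

# Package release thresholds quoted in the post above (RHEL/CentOS 6 builds of 1.0.1e).
FIRST_FIXED_RELEASE = "16.el6_5.4.0.1"   # anything below this is vulnerable
OFFICIAL_FIX_RELEASE = "16.el6_5.7"      # Red Hat's official fix

def _segments(s):
    """Split a version/release string into rpm-style segments (ints and alpha runs)."""
    return [int(t) if t.isdigit() else t for t in re.findall(r"\d+|[A-Za-z]+", s)]

def rpm_cmp(a, b):
    """Simplified rpmvercmp: -1, 0 or 1 for release string a compared with b."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if isinstance(x, int) != isinstance(y, int):
            return 1 if isinstance(x, int) else -1   # numeric segment is "newer" than alpha
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # more segments wins (e.g. trailing .centos)

def heartbleed_status(version_line, rpm_release=None):
    """Classify a build from the `openssl version` line and, if known, the release
    field of `rpm -q openssl` (hypothetical helper; thresholds are from the post)."""
    m = re.match(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)", version_line)
    if not m:
        raise ValueError("unrecognised version line: " + version_line)
    branch, letter = tuple(int(x) for x in m.groups()[:3]), m.group(4)
    if branch != (1, 0, 1):
        return "not-affected"      # 0.9.8 and 1.0.0 never had the TLS heartbeat code
    if letter > "f":
        return "patched"           # 1.0.1g and later carry the upstream fix
    if letter != "e" or rpm_release is None:
        return "vulnerable"        # plain 1.0.1 .. 1.0.1f with no distro backport to go on
    # 1.0.1e on RHEL/CentOS keeps the upstream string; only the package release tells
    if rpm_cmp(rpm_release, FIRST_FIXED_RELEASE) < 0:
        return "vulnerable"
    if rpm_cmp(rpm_release, OFFICIAL_FIX_RELEASE) >= 0:
        return "patched"
    if "centos" in rpm_release:
        return "temporary-fix"     # interim CentOS build issued before the official errata
    return "unknown"

if __name__ == "__main__":
    import subprocess
    out = subprocess.run(["openssl", "version"], capture_output=True, text=True).stdout
    # no rpm release given, so 1.0.1e is reported as vulnerable: the conservative answer
    print(out.strip(), "->", heartbleed_status(out))
```

On an RPM system pass the release field as the second argument (`rpm -q --qf '%{RELEASE}' openssl`), otherwise a backported 1.0.1e is flagged as vulnerable on purpose.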
 
I wonder if he leaves the doors to his house unlocked when he goes away?

Har har, totally the same thing :rolleyes:

Even if I lock the door, people can get into my house: throw a rock through the window, attach the door to the back of a truck with a chain, drive a tank through the side of the house, whatever... which was my point... no matter what you do, "security" is an illusion.
 
Meh, don't believe anything from RT... just a Kremlin rag.
 