OpenSSL vulnerability

Bill · Apr 08, 2014, 12:15:09

Picked this up on another forum, doesn't really impact me much (I hope!) but I know others here run servers and may be interested:

2014

CVE-2014-0160: 7th April 2014
A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64kB of memory to a connected client or server. This issue did not affect versions of OpenSSL prior to 1.0.1. Reported by Neel Mehta.
Fixed in OpenSSL 1.0.1g (Affected 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1)

and

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users.

Updates have been rolled out, but one suggested action: "... revoking current keys and generating new ones might be a good idea."

Gary · Apr 09, 2014, 08:39:11

tested idnet and a bunch of sites which all seem safe, including idnet.com. Not sure about modems and routers though, seems its best to turn off remote management which is fine in my router, no idea about BT's modem though as that is remotely managed for firmware updates from btor or btw whoever manages software on that.

nowster · Apr 09, 2014, 09:21:06

Things that might be affected include any SSL/TLS web server (https), openvpn, tor, mail servers and any other service that encrypts a link using SSL or TLS. (ssh uses a different mechanism altogether.)

Gary · Apr 09, 2014, 09:25:57

Quote from: nowster on Apr 09, 2014, 09:21:06
Things that might be affected include any SSL/TLS web server (https), openvpn, tor, mail servers and any other service that encrypts a link using SSL or TLS. (ssh uses a different mechanism altogether.)

Theres a site that you can put links into to test, tbh im not wearing a tin foil hat over this as TOR suggest we dont use the internet till its sorted, where as most sites I use test fine already, not sure about the BTOR modem and my router though...although the latter had a firmware update yesterday. https://www.ssllabs.com/ssltest/ idnets mail servers seem ok

Gary · Apr 10, 2014, 11:43:50

IDnet shows ok https://www.ssllabs.com/ssltest/analyze.html?d=idnet.net

nowster · Apr 11, 2014, 16:12:32

Good explanation of how it works in today's XKCD comic: http://xkcd.com/1354/

OpenSSL vulnerability

Bill

Gary

nowster

Gary

Gary

nowster