sunrat

Massive Security Bug In OpenSSL


This is big. Updated today in Debian Wheezy and hopefully all of the world's Linux servers will be updated asap.

 

Massive Security Bug In OpenSSL Could Affect A Huge Chunk Of The Internet

 

I saw a t-shirt one time. “I’m a bomb disposal technician,” it read. “If you see me running, try to keep up.”

The same sort of idea can be applied to net security: when all the net security people you know are freaking out, it’s probably an okay time to worry.


holy cow, batman!

what is scary about the patch release is how many people will bother to apply it!

 

 

thx for the notification and article, sunrat!


Isn't this the same one that was fixed or a new one?


New one. Announced and emergency patch released by the OpenSSL team yesterday. Fixed in Debian today. It's all in the linked article which contains further links for more detail.

 

There was also a security update for OpenSSH four days ago. Unrelated, I think.


Let's leave both threads for now to ensure everyone gets the message, particularly since there is nothing people can do to protect themselves if vulnerable websites are visited until the administrators of those websites have upgraded their software. Then, change your password.

 

See The Heartbleed Bug, explained - Vox


Canada Revenue has temporarily shut down the country's netfiling system for income tax returns. They hope to have everything back to normal by the weekend. Canadian banks have confirmed that they are not affected.


Also if you use LastPass: LastPass and the Heartbleed Bug:

 

With news breaking on Monday, April 7th that the Heartbleed bug causes a vulnerability in the OpenSSL cryptographic library, which is used by roughly two-thirds of all websites on the Internet, we want to update our community on how this bug may have impacted LastPass and clarify the actions we’re taking to protect our customers.

 

In summary, LastPass customers do not need to be concerned about their LastPass accounts. Though LastPass employs OpenSSL, we have multiple layers of encryption to protect our users and never have access to those encryption keys.

 

More in the article.


I intentionally started both, one in BATL because of the Debian security update and in Security for those who don't read BATL.

 

yes, around here, that is a good idea, as many in the batl section never leave it to read elsewhere & vice versa.


Yeah... it's really scary when you think of the number of Cisco (and non-Cisco) routers out there in the wild worldwide that utilize this software and... AND the fact that many don't even have active admins keeping a watch on them. Many routers are static. They sit in network closets of homes, businesses, schools, etc. for years without being accessed by an admin. They're only remembered when there's a problem. SCARY! :o


A bad situation just got worse...

 

http://tools.cisco.c...0409-heartbleed

 

Sheesh! They should just give the names of the NON-vulnerable ones...that list is considerably smaller.

 

Linksys Routers (now owned by Belkin) are not vulnerable:

 

http://community.linksys.com/t5/Wireless-Routers/UPDATE-Heartbleed-OpenSSL-Vulnerability/td-p/807314

 

We are aware of the Heartbleed OpenSSL vulnerability, however after thorough testing of our product lines, we can confirm that our routers are not impacted. Linksys routers do use OpenSSL, however our product line uses another version that is not impacted by this vulnerability.


Engadget confirms Heartbleed bug affects routers too:

 

http://www.engadget.com/2014/04/10/the-heartbleed-bug-is-affecting-routers-too/

 

And that ones like Linksys are not affected since they "don't use the affected versions of OpenSSL".

 

Also confirms that Cisco and Juniper Networks are working on patches. Obviously not out there yet though.


Belkin routers also safe:

 

https://getsatisfaction.com/belkinrouters/topics/update_heartbleed_openssl_vulnerability-1aevo1

 

Some other Cisco products were also affected: Cisco IP phones, some versions of WebEx, some versions of Juniper Networks VPN, Cisco's AnyConnect Secure Mobility Client app for iOS, and one type of Cisco software that runs Internet switches were also affected, according to this article at CNN Money:

 

http://money.cnn.com/2014/04/11/technology/security/heartbleed-gear/

 

That means for two years now, someone could have been able to tap your phone calls and voicemails at work, all your emails and entire sessions at your computer or iPhone. You also could have been compromised if you logged into work from home remotely. And you'll probably never know if you were hacked.

 

From the same article, they indicate that Netgear has not made any comment about their routers as yet.

 

Next time you need a new router, which one would you choose? I would choose the ones not affected first of course, but I would not trust the ones that are not speaking up to make people aware of the problems they have been dealing with for two years now.

 

DD-WRT router software is also vulnerable apparently, and it has to be rebuilt, not just restarted:

 

http://www.dd-wrt.com/phpBB2/viewtopic.php?p=890437&sid=91f2733c19ba7a64809a7e5b791fbfca


Posted a blog posting about this here:

 

Heartbleed, OpenSSL and Perfect Forward Secrecy - FransComputerServices Blog

 

According to an article at Mashable where there is a Hit List posted in a table:

 

Some big names that you might be happy to hear were not affected, according to the Mashable article; the following were NOT hit:

 

Apple, Microsoft, Amazon, eBay, PayPal, Target, Walmart, LinkedIn, Hulu, AOL email, Hotmail/MSN/Outlook.com emails and more.

 

Like earlier, the NOT hit ones are likely easier to name...


And if you thought all the above was pretty shocking, then read on:

 

http://www.theregister.co.uk/2014/04/11/heartbleed_health_checking_services_may_be_illegal/

 

 

Websites and tools that have sprung up to check whether servers are vulnerable to OpenSSL's mega-vulnerability Heartbleed have thrown up anomalies in computer crime law on both sides of the Atlantic.

 

Both the US Computer Fraud and Abuse Act and its UK equivalent the Computer Misuse Act make it an offence to test the security of third-party websites without permission.

 

 

 

 

Testing to see what version of OpenSSL a site is running, and whether it also supports the vulnerable Heartbeat protocol, would be legal. But doing anything more active – without permission from website owners – would take security researchers onto the wrong side of the law.

 

You got to laugh :devil:


DD-WRT router software is also vulnerable apparently, and it has to be rebuilt, not just restarted:

 

http://www.dd-wrt.co...09a7e5b791fbfca

 

Well, I just checked my ddwrt router and I have version 0.9.7m-6 installed. Since Heartbleed affected versions 1.0.1 through 1.0.1f, ddwrt (mine) is not vulnerable.

root@Baphomet:~# ipkg-opt install openssl
Package openssl (0.9.7m-6) installed in root is up to date.


Yes, and it also says,

 

Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

 

1.0.2 will be fixed in 1.0.2-beta2.

 

So you are saying that even though your version is OLDER than 1.0.1, yours is OK, even though it says you should upgrade to 1.0.1g and that 1.0.2 will be fixed in 1.0.2-beta2?

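The question in the last two posts (is 0.9.7m-6 affected, given the advisory's range) comes down to parsing the version string and comparing it against the range the advisory states, so here is an added example (not from the thread, DD-WRT or the OpenSSL project) that does exactly that for bare versions, package strings like 0.9.7m-6 and `openssl version` output; the function and sample strings are constructed for this post.

```python
import re

# Affected range as stated in the advisory quoted in this thread: 1.0.1
# through 1.0.1f are affected, 1.0.1g is fixed, and 1.0.2 is fixed only
# from 1.0.2-beta2, so 1.0.2-beta1 is treated as affected. Releases before
# 1.0.1 (the 0.9.7 and 0.9.8 lines) predate the heartbeat extension.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")

def parse_version(text):
    """Return (major, minor, patch, letter, beta) or None if no version is found.

    Handles bare versions ('1.0.1e'), package strings ('0.9.7m-6',
    '1.0.1e-2+deb7u6') and `openssl version` output ('OpenSSL 1.0.1e 11 Feb 2013').
    """
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    beta = int(m.group(5)) if m.group(5) else None
    return major, minor, patch, m.group(4), beta

def is_heartbleed_version(text):
    """True if the upstream version number falls in the affected range."""
    parsed = parse_version(text)
    if parsed is None:
        raise ValueError("no OpenSSL version found in %r" % (text,))
    major, minor, patch, letter, beta = parsed
    if (major, minor, patch) == (1, 0, 1):
        # plain 1.0.1 and 1.0.1a..1.0.1f are affected; 1.0.1g and later are fixed
        return letter <= "f"
    if (major, minor, patch) == (1, 0, 2):
        # only the 1.0.2-beta1 pre-release is affected
        return beta == 1
    return False

def audit(lines):
    """Classify each line; 'check' means no version string could be found."""
    result = {}
    for line in lines:
        if parse_version(line) is None:
            result[line] = "check"
        else:
            result[line] = "affected" if is_heartbleed_version(line) else "not affected"
    return result
```

Version-number checks only go so far: distributions that backport the fix keep the upstream number (Debian's update still reports 1.0.1e), and a build recompiled with -DOPENSSL_NO_HEARTBEATS looks identical, so "affected" here means read the package changelog, not confirmed exposure.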

Hmm... makes me wonder about all the ISP provided routers out there, like my Verizon Westell, for instance.

 

Let's face it. The Internet is broken. We'll have to tear it all down and start again. This time it will only work with Linux operating systems, though. ;)

