
Massive Security Bug In OpenSSL


sunrat


This is big. Updated today in Debian Wheezy and hopefully all of the world's Linux servers will be updated asap.

 

Massive Security Bug In OpenSSL Could Affect A Huge Chunk Of The Internet

 

I saw a t-shirt one time. “I’m a bomb disposal technician,” it read. “If you see me running, try to keep up.”

The same sort of idea can be applied to net security: when all the net security people you know are freaking out, it’s probably an okay time to worry.


New one. Announced and emergency patch released by the OpenSSL team yesterday. Fixed in Debian today. It's all in the linked article which contains further links for more detail.

 

There was also a security update for OpenSSH four days ago. Unrelated, I think.


Let's leave both threads for now to ensure everyone gets the message, particularly since there is nothing people can do to protect themselves if vulnerable websites are visited until the administrators of those websites have upgraded their software. Then, change your password.

 

See The Heartbleed Bug, explained - Vox


Canada Revenue has temporarily shut down the country's netfiling system for income tax returns. They hope to have everything back to normal by the weekend. Canadian banks have confirmed that they are not affected.


Guest LilBambi

Also if you use LastPass: LastPass and the Heartbleed Bug:

 

With news breaking on Monday, April 7th that the Heartbleed bug causes a vulnerability in the OpenSSL cryptographic library, which is used by roughly two-thirds of all websites on the Internet, we want to update our community on how this bug may have impacted LastPass and clarify the actions we’re taking to protect our customers.

 

In summary, LastPass customers do not need to be concerned about their LastPass accounts. Though LastPass employs OpenSSL, we have multiple layers of encryption to protect our users and never have access to those encryption keys.

 

More in the article.


V.T. Eric Layton

Yeah... it's really scary when you think of the number of Cisco (and non-Cisco) routers out there in the wild worldwide that utilize this software and... AND the fact that many don't even have active admins keeping a watch on them. Many routers are static. They sit in network closets of homes, businesses, schools, etc. for years without being accessed by an admin. They're only remembered when there's a problem. SCARY! :o


Guest LilBambi

A bad situation just got worse...

 

http://tools.cisco.c...0409-heartbleed

 

Sheesh! They should just give the names of the NON-vulnerable ones...that list is considerably smaller.

 

Linksys Routers (now owned by Belkin) are not vulnerable:

 

http://community.linksys.com/t5/Wireless-Routers/UPDATE-Heartbleed-OpenSSL-Vulnerability/td-p/807314

 

We are aware of the Heartbleed OpenSSL vulnerability, however after thorough testing of our product lines, we can confirm that our routers are not impacted. Linksys routers do use OpenSSL, however our product line uses another version that is not impacted by this vulnerability.

Guest LilBambi

Engadget confirms Heartbleed bug affects routers too:

 

http://www.engadget.com/2014/04/10/the-heartbleed-bug-is-affecting-routers-too/

 

And that ones like Linksys are not affected since they "don't use the affected versions of OpenSSL".

 

Also confirms that Cisco and Juniper Networks are working on patches. Obviously not out there yet though.


Guest LilBambi

Belkin routers also safe:

 

https://getsatisfaction.com/belkinrouters/topics/update_heartbleed_openssl_vulnerability-1aevo1

 

Some other Cisco products were also affected: Cisco IP phones, some versions of WebEx, some versions of Juniper Networks VPN, Cisco's AnyConnect Secure Mobility Client app for iOS, and one type of Cisco software that runs Internet switches, according to this article at CNN Money:

 

http://money.cnn.com/2014/04/11/technology/security/heartbleed-gear/

 

That means for two years now, someone could have been able to tap your phone calls and voicemails at work, all your emails and entire sessions at your computer or iPhone. You also could have been compromised if you logged into work from home remotely. And you'll probably never know if you were hacked.

 

From the same article, they indicate that Netgear has not made any comment about their routers as yet.

 

Next time you need a new router, which one would you choose? I would choose the ones not affected first of course, but I would not trust the ones that are not speaking up to make people aware of the problems they have been dealing with for two years now.

 

DD-WRT router software is also vulnerable apparently, and it has to be rebuilt, not just restarted:

 

http://www.dd-wrt.com/phpBB2/viewtopic.php?p=890437&sid=91f2733c19ba7a64809a7e5b791fbfca


Guest LilBambi

Posted a blog posting about this here:

 

Heartbleed, OpenSSL and Perfect Forward Secrecy - FransComputerServices Blog

 

According to an article at Mashable where there is a Hit List posted in a table:

 

Some big names that you might be happy to hear were not affected. According to the Mashable article, the following were NOT hit:

 

Apple, Microsoft, Amazon, eBay, PayPal, Target, Walmart, LinkedIn, Hulu, AOL email, Hotmail/MSN/Outlook.com emails and more.

 

Like earlier, the NOT hit ones are likely easier to name...


And if you thought all the above was pretty shocking, then read on:

 

http://www.theregister.co.uk/2014/04/11/heartbleed_health_checking_services_may_be_illegal/

 

 

Websites and tools that have sprung up to check whether servers are vulnerable to OpenSSL's mega-vulnerability Heartbleed have thrown up anomalies in computer crime law on both sides of the Atlantic.

 

Both the US Computer Fraud and Abuse Act and its UK equivalent the Computer Misuse Act make it an offence to test the security of third-party websites without permission.

 

 

 

 

Testing to see what version of OpenSSL a site is running, and whether it also supports the vulnerable Heartbeat protocol, would be legal. But doing anything more active – without permission from website owners – would take security researchers onto the wrong side of the law.

 

You got to laugh :devil:

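The Register's line between "legal" and "more active" is the line between asking a server whether it supports the heartbeat extension and actually sending it a heartbeat request. The following is an added example, not code from the article or from any of the posters: it builds a TLS ClientHello that offers the heartbeat extension (RFC 6520, extension type 15) and parses a ServerHello to see whether the server echoes it back. No heartbeat message is ever constructed, so nothing here reads peer memory. The ServerHello bytes are constructed in the block for offline testing, not captured from a real server; wiring `build_client_hello()` to a socket against a host you are authorized to test is left to the reader. One caveat a practitioner should keep in mind: a server that advertises the extension is not thereby vulnerable (a default build of the fixed 1.0.1g still offers it), and one that does not advertise it cannot be reached by the bug over TLS.

```python
import os
import struct
from typing import Optional

# Added example (not the article's or any poster's code): the "passive" end of
# the Heartbleed check. We offer the heartbeat extension (RFC 6520, type 15) in
# a ClientHello and look for it in the ServerHello. No heartbeat request is sent.

HEARTBEAT_EXT_TYPE = 0x000F
PEER_ALLOWED_TO_SEND = 1          # HeartbeatMode values from RFC 6520
PEER_NOT_ALLOWED_TO_SEND = 2
CONTENT_HANDSHAKE = 0x16
HS_CLIENT_HELLO = 0x01
HS_SERVER_HELLO = 0x02
TLS_1_1 = b"\x03\x02"


def _handshake_record(hs_type: int, body: bytes) -> bytes:
    """Wrap a handshake body in a handshake header and a TLS record header."""
    handshake = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return bytes([CONTENT_HANDSHAKE]) + TLS_1_1 + struct.pack("!H", len(handshake)) + handshake


def build_client_hello(cipher_suites=(0x002F, 0x0035), mode: int = PEER_ALLOWED_TO_SEND) -> bytes:
    """ClientHello offering the heartbeat extension and nothing else (two AES suites)."""
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    heartbeat_ext = struct.pack("!HH", HEARTBEAT_EXT_TYPE, 1) + bytes([mode])
    body = (TLS_1_1 + os.urandom(32) + b"\x00"           # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                # one compression method: null
            + struct.pack("!H", len(heartbeat_ext)) + heartbeat_ext)
    return _handshake_record(HS_CLIENT_HELLO, body)


def build_server_hello(heartbeat_mode: Optional[int]) -> bytes:
    """Constructed ServerHello for offline testing; NOT a capture from a real server."""
    exts = b""
    if heartbeat_mode is not None:
        exts = struct.pack("!HH", HEARTBEAT_EXT_TYPE, 1) + bytes([heartbeat_mode])
    body = (TLS_1_1 + os.urandom(32) + b"\x00"           # version, random, empty session id
            + struct.pack("!H", 0x002F) + b"\x00"        # chosen suite, null compression
            + (struct.pack("!H", len(exts)) + exts if exts else b""))
    return _handshake_record(HS_SERVER_HELLO, body)


def heartbeat_mode_advertised(record: bytes) -> Optional[int]:
    """Return the HeartbeatMode a ServerHello advertises, or None if it offers none."""
    if len(record) < 5 or record[0] != CONTENT_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != HS_SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ServerHello")
    pos = 2 + 32                                  # server_version + random
    sid_len = body[pos]
    pos += 1 + sid_len                            # session_id
    pos += 2 + 1                                  # cipher_suite + compression_method
    if pos + 2 > len(body):
        return None                               # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:                         # walk the extension list
        ext_type, length = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + length]
        pos += length
        if ext_type == HEARTBEAT_EXT_TYPE and len(data) == 1:
            return data[0]
    return None


if __name__ == "__main__":
    print("ClientHello bytes:", build_client_hello().hex())
    for sample in (build_server_hello(PEER_ALLOWED_TO_SEND), build_server_hello(None)):
        print("server advertises heartbeat mode:", heartbeat_mode_advertised(sample))
```

Reading the result: a mode of 1 or 2 means the extension is negotiated and the server's OpenSSL version decides whether the bug is reachable; None means the heartbeat code path cannot be hit over TLS regardless of version.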

securitybreach

DD-WRT router software is also vulnerable apparently, and it has to be rebuilt, not just restarted:

 

http://www.dd-wrt.co...09a7e5b791fbfca

 

Well I just checked my ddwrt router and I have version 0.9.7m-6 installed. Since Heartbleed affected versions 1.0.1 through 1.0.1f, ddwrt (mine) is not vulnerable.

root@Baphomet:~# ipkg-opt install openssl
Package openssl (0.9.7m-6) installed in root is up to date.


Guest LilBambi

Yes, and it also says,

 

Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

1.0.2 will be fixed in 1.0.2-beta2.

 

So you are saying that even though your version is OLDER than 1.0.1 that yours is OK, even though it says should upgrade to 1.0.1g and that 1.0.2 will be fixed in 1.0.2-beta2?

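The two posts above turn on the same question: does a given `openssl version` string fall inside the affected range? The advisory quoted above puts the range at 1.0.1 through 1.0.1f (fixed in 1.0.1g) plus 1.0.2-beta1 (fixed in 1.0.2-beta2); the TLS heartbeat extension was only introduced in 1.0.1, so the 0.9.x and 1.0.0 lines, including the 0.9.7m-6 package on the DD-WRT box, never contained the bug. The following is an added example, not code from the advisory or from either poster: a small parser for OpenSSL version strings and a classifier against that range. The sample version lines are constructed here, not captured from real hosts. The caveat in the code matters for Debian users in particular: distributions backport the fix without bumping the patch letter, so a Wheezy box that has installed today's update still reports 1.0.1e. The string alone can prove a build is out of scope; it cannot prove an in-range build is unpatched, and for that you check the package changelog for CVE-2014-0160.

```python
import re
from typing import Dict, Iterable, Optional, Tuple

# Added example (not the advisory's or any poster's code): classify an
# `openssl version` string against the Heartbleed (CVE-2014-0160) affected range
# given in the OpenSSL advisory: 1.0.1 through 1.0.1f (fixed in 1.0.1g) and
# 1.0.2-beta1 (fixed in 1.0.2-beta2). 0.9.x and 1.0.0 never shipped the TLS
# heartbeat extension, so they are out of scope.

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")

Version = Tuple[int, int, int, str, Optional[int]]


def parse_openssl_version(text: str) -> Version:
    """Parse strings such as 'OpenSSL 1.0.1e 11 Feb 2013', '1.0.2-beta1' or '0.9.7m-6'.

    Returns (major, minor, fix, patch_letter, beta_number). patch_letter is '' for a
    bare release such as 1.0.1; beta_number is None for non-beta builds. A package
    revision suffix like '-6' or a '-fips' tag is ignored.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    major, minor, fix, letter, beta = m.groups()
    return int(major), int(minor), int(fix), letter, (int(beta) if beta else None)


def is_heartbleed_affected(text: str) -> bool:
    """True if the version string falls inside the affected range.

    Caveat (a practitioner's check, not part of the advisory text): distributions
    backport fixes without bumping the patch letter, so Debian Wheezy's fixed
    package still reports 1.0.1e. True therefore means "in range; confirm via the
    package changelog for CVE-2014-0160", not "definitely vulnerable". False is
    reliable: 0.9.x, 1.0.0, and 1.0.1g or later never carried the bug.
    """
    major, minor, fix, letter, beta = parse_openssl_version(text)
    if (major, minor, fix) == (1, 0, 1):
        # '' (bare 1.0.1) sorts before 'a'; single patch letters compare lexically.
        return letter <= "f"
    if (major, minor, fix) == (1, 0, 2):
        return beta == 1          # only beta1 carried the bug; beta2 has the fix
    return False


def heartbleed_report(outputs: Iterable[str]) -> Dict[str, str]:
    """Map each `openssl version` line to 'affected range' or 'not affected'."""
    return {line: ("affected range" if is_heartbleed_affected(line) else "not affected")
            for line in outputs}


if __name__ == "__main__":
    # Constructed sample outputs (not captured from real hosts).
    SAMPLES = [
        "OpenSSL 1.0.1e 11 Feb 2013",        # Debian Wheezy's base version
        "OpenSSL 1.0.1g 7 Apr 2014",         # the fixed upstream release
        "OpenSSL 0.9.7m 23 Feb 2007",        # the DD-WRT ipkg package from the post above
        "OpenSSL 1.0.2-beta1 24 Feb 2014",
        "OpenSSL 1.0.0l 6 Jan 2014",
    ]
    for line, verdict in heartbleed_report(SAMPLES).items():
        print(f"{verdict:15} {line}")
```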

V.T. Eric Layton

Hmm... makes me wonder about all the ISP provided routers out there, like my Verizon Westell, for instance.

 

Let's face it. The Internet is broken. We'll have to tear it all down and start again. This time it will only work with Linux operating systems, though. ;)


Let's face it. The Internet is broken. We'll have to tear it all down and start again. This time it will only work with Linux operating systems, though. ;)

I've about given up. I no longer have the time, energy or patience to deal with most of this. My dLink router appears to be unaffected, probably because it's really old. If I can't get enough time to attempt a network install of openSUSE 13.1 soon on this XP machine, I'll have to shut it down and start sharing the win 7 laptop I just got for my mother.
