Heartbleed – OpenSSL Bug

This has been an extremely crazy week for the security community!

“The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users”

OpenSSL published an advisory for the bug named Heartbleed, classified as CVE-2014-0160, which was discovered by Neel Mehta and Codenomicon. An estimated 500k widely trusted websites were (some still are) impacted. Bruce Schneier described it as a catastrophic bug. SANS has raised its INFOCON threat level to yellow and made 2 great webcast briefings here and here. It also maintains a list of vendors and their respective patches. If you want to find out whether your website or appliance is vulnerable, Jared Stafford created a PoC named ssltest.py. Several sites provide a way to test for it, including Qualys and a site created by Filippo Valsorda here. Brian Krebs and Ed Felten provide great overviews of what to do to mitigate it. Sean Cassidy wrote up great technical details here. Bitcoin core software was updated. Tomas Rzepka (@1njected) managed to retrieve the private keys from a FreeBSD 10 system. Mark Loman showed how Yahoo was affected. Matthew Sullivan showed how the leaked data could be used to hijack web sessions, and more examples here and here. A scanner was quickly incorporated into Metasploit. Many other resources here. CloudFlare set up a challenge in case you want to try it out and get their private keys. Finally, you might want to consider changing your passwords in case you have an account on the following sites.

“OpenSSL’s security advisory states that only versions 1.0.1 and 1.0.2-beta are affected, including 1.0.1f and 1.0.2-beta1. The vulnerability has been fixed in OpenSSL 1.0.1g, and users who are unable to upgrade immediately can disable heartbeat support by recompiling OpenSSL with the -DOPENSSL_NO_HEARTBEATS flag.
Certificates and keys at risk of compromise should be revoked and replaced, particularly if they are used to protect sensitive data”
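One way to check a host against the advisory quoted above, as an added example that is not part of the original post: the shell function below reads `openssl version -a` output and reports whether the version is in the affected range and whether the build carries `-DOPENSSL_NO_HEARTBEATS`. The function name, the status strings and the sample output are constructed for illustration.

```shell
# Added example. Usage on a real host: openssl version -a | heartbleed_status
# Prints one of:
#   affected-range       version named by the advisory, heartbeats compiled in
#   heartbeats-disabled  version in range but built with -DOPENSSL_NO_HEARTBEATS
#   not-listed           version outside the range the advisory names
#   unknown              input is not `openssl version -a` output
heartbleed_status() {
    info=$(cat)
    # First line looks like "OpenSSL 1.0.1f 6 Jan 2014".
    ver=$(printf '%s\n' "$info" | awk 'NR == 1 && $1 == "OpenSSL" { print $2 }')
    if [ -z "$ver" ]; then
        echo unknown
        return 0
    fi
    ver=${ver%-fips}   # some vendor builds report e.g. "1.0.1e-fips"
    case "$ver" in
        1.0.1|1.0.1[a-f]|1.0.2-beta|1.0.2-beta1) ;;
        *) echo not-listed; return 0 ;;
    esac
    # The "compiler:" line carries the flags the library was built with.
    if printf '%s\n' "$info" | grep '^compiler:' | grep -q -e '-DOPENSSL_NO_HEARTBEATS'; then
        echo heartbeats-disabled
    else
        # Vendor packages can carry a backported fix without changing this
        # version string, so confirm against the vendor's own advisory.
        echo affected-range
    fi
}

# Constructed sample of `openssl version -a` output (not captured from a real host).
sample='OpenSSL 1.0.1f 6 Jan 2014
built on: Mon Jan  6 00:00:00 UTC 2014
platform: linux-x86_64
compiler: gcc -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -O3 -Wall
OPENSSLDIR: "/usr/local/ssl"'
printf '%s\n' "$sample" | heartbleed_status
```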


2 thoughts on “Heartbleed – OpenSSL Bug”

  1. drd0spt says:

    Hmm well that is not that hard, did you check real attacks to real vulnerable servers?
    You don’t need to look for IDS request if there was a compromise, you need to watch for responses. I know a guide here:

    http://techtalkspt.blogspot.pt – Heartbleed Complete Guide to discover the exploited servers.


  2. drd0spt says:

    Hmm did you check this ?

    http://techtalkspt.blogspot.pt

    Heartbleed Complete Guide to discover the exploited servers.
