Heartbleed – OpenSSL Bug

This has been an extremely crazy week for the security community!

“The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users”

OpenSSL published an advisory for the bug, named Heartbleed and classified as CVE-2014-0160, which was discovered by Neel Mehta and Codenomicon. An estimated 500k widely trusted websites were (some still are) impacted. Bruce Schneier described it as a catastrophic bug. SANS raised its INFOCON threat level to yellow and ran two great webcast briefings, here and here; it also maintains a list of vendors and their respective patches. If you want to check whether your website or appliance is vulnerable, Jared Stafford created a PoC named ssltest.py. Several sites provide a way to test it, including Qualys and a site created by Filippo Valsorda here. Brian Krebs and Ed Felten give a great overview of what to do to mitigate it. Sean Cassidy wrote up the technical details here. The Bitcoin Core software was updated. Tomas Rzepka (@1njected) managed to retrieve the private keys from a FreeBSD 10 system. Mark Loman showed how Yahoo was affected. Matthew Sullivan showed how the leaked data could be used to hijack web sessions, with more examples here and here. A scanner was quickly incorporated into Metasploit. Many other resources are here. Cloudflare set up a challenge in case you want to try it out and recover their private keys. Finally, you might want to consider changing your passwords if you have an account on the following sites.

“OpenSSL’s security advisory states that only versions 1.0.1 and 1.0.2-beta are affected, including 1.0.1f and 1.0.2-beta1. The vulnerability has been fixed in OpenSSL 1.0.1g, and users who are unable to upgrade immediately can disable heartbeat support by recompiling OpenSSL with the -DOPENSSL_NO_HEARTBEATS flag.
Certificates and keys at risk of compromise should be revoked and replaced, particularly if they are used to protect sensitive data”
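The advisory's version ranges are easy to misread when triaging a fleet, so here is an added example (my code, not the post's and not OpenSSL's) that classifies an `openssl version` string against exactly the releases the quote names: 1.0.1 through 1.0.1f and 1.0.2-beta1 are affected, 1.0.1g is the fix. It assumes the input is what `openssl version` prints (e.g. `OpenSSL 1.0.1e 11 Feb 2013`); the `classify_local()` helper and the `AFFECTED_101_LETTERS` table are my names.

```python
"""Added example (not from the original post or OpenSSL): classify an
`openssl version` string against the releases the advisory quoted above
names as affected (1.0.1 through 1.0.1f and 1.0.2-beta1; 1.0.1g is the fix).

Assumption: the input is what `openssl version` prints, e.g.
"OpenSSL 1.0.1e 11 Feb 2013". Distributions that backported the fix keep
the old version string, so "affected" here means "go and check the
package's changelog", not "confirmed vulnerable".
"""
import re
import subprocess

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")

# Patch letters of the affected 1.0.1 line: plain 1.0.1 ("") up to 1.0.1f.
AFFECTED_101_LETTERS = ("", "a", "b", "c", "d", "e", "f")


def classify(version_line):
    """Return 'affected', 'fixed' or 'not-affected' for an OpenSSL version string."""
    m = _VERSION_RE.search(version_line)
    if m is None:
        raise ValueError("unrecognised OpenSSL version string: %r" % version_line)
    base = tuple(int(x) for x in m.group(1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if base == (1, 0, 1):
        # 1.0.1 introduced the heartbeat extension; 1.0.1g is the first fixed release.
        return "affected" if letter in AFFECTED_101_LETTERS else "fixed"
    if base == (1, 0, 2) and beta == "1":
        return "affected"            # the only 1.0.2 beta that predates the fix
    return "not-affected"            # 0.9.8 and 1.0.0 never carried the heartbeat code


def classify_local():
    """Run the installed `openssl version` and classify it (needs openssl on PATH)."""
    line = subprocess.check_output(["openssl", "version"]).decode().strip()
    return line, classify(line)


if __name__ == "__main__":
    line, verdict = classify_local()
    print("%s -> %s" % (line, verdict))
```

The version string alone is not conclusive: distribution packages that backported the fix keep the old version number, so follow up an "affected" verdict with `openssl version -a`, whose `built on:` line shows whether the binary was rebuilt after the 7 April 2014 disclosure, and with the package changelog. A build compiled with `-DOPENSSL_NO_HEARTBEATS`, as the advisory suggests, will also still report the old version string.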


2 thoughts on “Heartbleed – OpenSSL Bug”

  1. drd0spt says:

    Hmm, well, that is not that hard. Did you check real attacks on real vulnerable servers?
    You don’t need to look for IDS requests; if there was a compromise you need to watch for responses. I know a guide here:

    http://techtalkspt.blogspot.pt – Heartbleed Complete Guide to discover the exploited servers.


  2. drd0spt says:

    Hmm, did you check this?

    http://techtalkspt.blogspot.pt

    Heartbleed Complete Guide to discover the exploited servers.

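The commenter's point, that the evidence of a successful leak is in the responses rather than the requests, can be turned into concrete inspection logic. The following is an added example, my code rather than anything from the post or the linked guide: it walks raw TLS records, and for heartbeat records (content type 0x18) flags a request whose declared payload length exceeds the bytes actually carried, and a response far larger than any legitimate keep-alive. Record layouts follow RFC 5246 and RFC 6520; the `RESPONSE_ALERT_BYTES` threshold and the sample records at the bottom are my own constructions, not captured traffic.

```python
"""Added example (not from the original post or the linked guide): inspect
raw TLS records for Heartbleed-style heartbeat traffic from the defender's
side of the wire.

Two checks:
  * a heartbeat request whose declared payload_length is larger than the
    bytes actually carried (the malformed request an IDS would see), and
  * a heartbeat response far larger than any legitimate keep-alive, which
    is what a successful leak looks like on the way back out.
"""
import struct

TLS_HEARTBEAT = 0x18          # TLS record content type for heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16              # RFC 6520: every heartbeat carries >= 16 bytes of padding
RESPONSE_ALERT_BYTES = 1024   # assumption: benign heartbeat responses are tiny


def iter_tls_records(data):
    """Yield (content_type, version, fragment, truncated) for each TLS record."""
    off = 0
    while off + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[off:off + 5])
        fragment = data[off + 5:off + 5 + length]
        yield ctype, version, fragment, len(fragment) < length
        off += 5 + length


def inspect_heartbeat(fragment):
    """Return a finding for one heartbeat fragment, or None if it looks benign."""
    if len(fragment) < 3:
        return "heartbeat message too short to carry a header"
    hb_type, claimed = struct.unpack("!BH", fragment[:3])
    present = len(fragment) - 3   # payload + padding bytes actually on the wire
    if hb_type == HB_REQUEST:
        if claimed + MIN_PADDING > present:
            return ("heartbeat request claims %d payload bytes but only %d "
                    "payload+padding bytes present" % (claimed, present))
    elif hb_type == HB_RESPONSE:
        if present > RESPONSE_ALERT_BYTES:
            return "oversized heartbeat response (%d bytes): possible memory leak" % present
    else:
        return "unknown heartbeat type %d" % hb_type
    return None


def scan(data):
    """Scan a byte string of concatenated TLS records; return a list of findings."""
    findings = []
    for ctype, _version, fragment, truncated in iter_tls_records(data):
        if ctype != TLS_HEARTBEAT:
            continue          # handshake, alert and application data are not inspected
        if truncated:
            findings.append("heartbeat record header promises more bytes than captured")
            continue
        finding = inspect_heartbeat(fragment)
        if finding:
            findings.append(finding)
    return findings


def tls_record(ctype, fragment, version=0x0302):
    """Build one TLS record; used only to construct the samples below."""
    return struct.pack("!BHH", ctype, version, len(fragment)) + fragment


# Constructed samples, not captured traffic.
BENIGN_REQUEST = tls_record(TLS_HEARTBEAT,
                            struct.pack("!BH", HB_REQUEST, 4) + b"ping" + b"\x00" * 16)
MALFORMED_REQUEST = tls_record(TLS_HEARTBEAT,
                               struct.pack("!BH", HB_REQUEST, 0x4000))   # claims 16 KiB, carries none
LEAKY_RESPONSE = tls_record(TLS_HEARTBEAT,
                            struct.pack("!BH", HB_RESPONSE, 4000) + b"\x00" * 4000 + b"\x00" * 16)
HANDSHAKE_ONLY = tls_record(0x16, b"\x01\x00\x00\x00")   # a handshake-shaped record, ignored

if __name__ == "__main__":
    for name, sample in [("benign", BENIGN_REQUEST), ("malformed", MALFORMED_REQUEST),
                         ("leaky", LEAKY_RESPONSE), ("handshake", HANDSHAKE_ONLY)]:
        print(name, scan(sample) or "no findings")
```

The response check is the one that matters for incident response: a request alone shows an attempt, while an oversized response from one of your servers shows that the attempt succeeded and how much memory left. Heartbeats are sent after the handshake and are unencrypted only in their framing, so this logic belongs in a sensor that sees the TLS record layer, not in application logs.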
