Major OpenSSL Vulnerability

From: David White 
------------------------------------------------------
I got a security advisory from the CentOS maintainers last night about it,
and I just read this CNET article:
http://www.cnet.com/news/heartbleed-bug-undoes-web-encryption-reveals-user-passwords/

Here's the security advisory from CentOS:

Earlier in the day today, we were made aware of a serious
issue in openssl as shipped in CentOS-6.5 ( including updates issued
since CentOS-6.5 was released ); This issue is addressed in detail
athttp://heartbleed.com/

Upstream have not released a patched version of openssl, although we
are reliably informed that there is quite a bit of effort ongoing
to release a patched package soon.

As an interim workaround, we are releasing packages that disable the
exploitable code  using the published workaround( tls heartbeat );
Note that these packages do not resolve the issue, they merely
disable the feature that is being exploited.

Notes:
1) All versions of CentOS prior to 6.5 are unaffected.
2) the release tag in these packages is marked in a manner that the next
upstream version will override and replace these packages.

-- 
David White
Founder & CEO

*Develop CENTS *
Computing, Equipping, Networking, Training & Supporting
Nonprofit Organizations Worldwide
http://developcents.com
423-693-4234

=============================================================== From: David White ------------------------------------------------------ Here's some interesting analysis of the code behind the bug: http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html Also, this post on security.stackexchange.com has some good resources: http://security.stackexchange.com/questions/55076/what-should-one-do-about-the-heartbleed-openssl-exploit/ -- David White Founder & CEO *Develop CENTS * Computing, Equipping, Networking, Training & Supporting Nonprofit Organizations Worldwide http://developcents.com 423-693-4234

=============================================================== From: Rod ------------------------------------------------------ Slashdot had this yesterday. "The attack may be repeated and it appears trivial to acquire the host's private key. If you were running a vulnerable release, it is even suggested that you go as far as revoking all of your keys. Distributions using OpenSSL 0.9.8 are not vulnerable (Debian Squeeze vintage). Debian Wheezy, Ubuntu 12.04.4, Centos 6.5, Fedora 18, SuSE 12.2, OpenBSD 5.4, FreeBSD 8.4, and NetBSD 5.0.2 and all following releases are vulnerable. OpenSSL released 1.0.1g today addressing the vulnerability. Debian's fix is in incoming and should hit mirrors soon, Fedora ishaving some trouble applying their patches, but a workaround patch to the package .spec (disabling heartbeats) is available for immediate application." http://it.slashdot.org/story/14/04/07/2354258/openssl-bug-allows-attackers-to-read-memory-in-64k-chunks -- The unregulated free market is like Yog-Sothoth, a mythical being whose followers make bloody sacrifice to hasten its arrival to this world. Using Opera's mail client: http://www.opera.com/mail/

=============================================================== From: Ryan Bales ------------------------------------------------------ POC [1] of JIRA session sidejacking through heartbleed, complete with script to test your own servers [2]. [1] https://www.mattslifebytes.com/?p=533 [2] https://gist.github.com/takeshixx/10107280 Ryan Bales http://twitter.com/#!/thinkt4nk https://github.com/thinkt4nk

=============================================================== From: Rod ------------------------------------------------------ Crunchbang has an update. Just added it. It may have been from debian.

=============================================================== From: Chad Smith ------------------------------------------------------ Mashable is calling this the worst case scenario for the Internet. And basically every major website was affected by the bug, but there's no evidence it was exploited (but - then there really wouldn't be would there?). They are also saying you should eventually change *all* of your passwords - but you have to wait until the website plugs the hole or it is a waste of time. Are they overreacting? Or is this Webageddon? *- Chad W. Smith*

=============================================================== From: Lynn Dixon ------------------------------------------------------ Red Hat released their patch earlier this week. https://rhn.redhat.com/errata/RHSA-2014-0376.html We have already tested, and applied the patch. Don't forget to remove any certs or keys that were generated under an exploited version of OpenSSL and recreate them. This also affects client machines as well :)

=============================================================== From: James Nylen ------------------------------------------------------ Here is the most informative writeup I've seen on the bug and its implications: https://superuser.com/a/739462/9599

=============================================================== From: Rod ------------------------------------------------------ here is Theo De Raadt's comment on it. http://article.gmane.org/gmane.os.openbsd.misc/211963 Thu, 10 Apr 2014 16:57:24 -0400, James Nylen wrote:

=============================================================== From: Dan Lyke ------------------------------------------------------ For years I have held the belief that SSL essentially protects you from snoopers in coffee shops. The whole CA architecture makes SSL essentially vulnerable, as we saw with the Iranian MitM attack against Google using that compromised Netherlands CA. Did this attack expose private keys? Yep. Where could it have been exploited from? Any place someone could sniff the traffic. Does that include your local coffee shop? Well... consider how widely spread the exploit would have to be for that to be a reasonable path. Your local 5cr1pt k1dd13 would have to know about it, but it'd still be lurking. That seems unlikely, given how fast credit card exploits get over-used and exposed. Thus any exploit is likely limited to people who weren't greedy for easily exploitable financial information. Probably entities like GHCQ and the NSA who are already sniffing substantial portions of the net. Is there anything you've put on Facebook that you don't want those entities to know about? Is there anything you sent via unencrypted email that you didn't want those entities to know about? If so, you're a damned fool. Did this attack hit banking and credit cards? Maybe, but so can a whole lot of other attack vectors. No, it's not webageddon. It's a fairly major security vulnerability, but if it was exploited then your main concern is being the subject of extraordinary rendition, not banking fraud. And even then, probably only if you were already concerned about extraordinary rendition. Dan

=============================================================== From: David White ------------------------------------------------------ pfSense came out with a new update to their software, as 2.1 (just released a week or so ago) was vulnerable. 2.1.2 was released today.

=============================================================== From: Dan Lyke ------------------------------------------------------ On Thu, 10 Apr 2014 18:04:53 -0400 Rod wrote: If you read nothing else on this situation, read this. Awesome find, Rod. Dan

=============================================================== From: Wil Wade ------------------------------------------------------ I suggest just reading XKCD: http://xkcd.com/1354/ :)

=============================================================== From: "Robert A. Kelly III" ------------------------------------------------------ Wow, that was rather disturbing to read...

=============================================================== From: Ben Romines ------------------------------------------------------ I love how they dumbed that down. Great none the less though.