OpenSSL HeartBleed

david_orton_2000

Green Mario
vacBacker
Feedback
8 (100%)
Credits
341CR
Hey all,

Well, I am sure some of you IT guys have heard of this by now; however, it just seems this has been over-hyped by the media, etc.
This has of course caused a lot of panic out there.
We are getting a number of clients worrying about it.

In reality, this only affects very specific versions of OpenSSL, i.e.:
ver 1.0.1 and 1.0.2 only

Many servers (with a lot of the internet ones being Linux/Unix based) are already patched or have different versions.

Anyway, hey ho...usual IT sh*t...

Cheers,
DaveO.

 

Nes4life

Active member
vacBacker
Feedback
11 (100%)
Credits
1,117CR
Yeah, the problem is that you could go ahead and change all your passwords, but how do you know if the service you are changing your password for has updated to the latest OpenSSL? If it hasn't, then you're changing your password in vain.

Ironically, the fact that this flaw is now known publicly, and that not every service will quickly update to patch it, is what makes it a problem. The average Pi / Arduino-savvy hobbyist could probably perform a request to take advantage of the flaw, and that's where the danger lies.
 

markjw

Newbie
Credits
23CR
Been updating all the servers at client sites to fix this - got a couple left to do (these ones are not currently using SSL so not affected, but will patch them anyway).
 

guddler

Busting vectors like it's 1982!
vacBacker
Feedback
10 (100%)
Credits
4,054CR
My problem is that I need to work out which of my cloud servers are using OpenSSL and which are not, and that's before I even get to the version!

I know I have an Apache based proxy server. I'm guessing that IS. But I have a reasonably large number of other servers using SSL that are commercial products so it's all going to take time to investigate whether those products are using OpenSSL or some other implementation. Who knows!

And then of course there's the fact that no matter how severe this may be, this IS still hyped out of all proportion. It still needs someone to have the knowledge and ability to perform a man-in-the-middle attack to take advantage of the flaw, AND want to target your particular server for those things. Unless you're a high profile organisation, those two things are relatively unlikely.
 

guddler

Busting vectors like it's 1982!
vacBacker
Feedback
10 (100%)
Credits
4,054CR
I got all excited there for a moment. Then I read their privacy policy governing the use of the tool and you have to agree to them harvesting all the information you supply and using it to offer marketing on their products and services! And they very openly and explicitly say that in just one paragraph, they're not hiding it at all. Given that, can they be trusted with the information regarding the fact your site is vulnerable (if indeed it is)!

Don't suppose you have a copy of the tool you could mail me do you?
 

guddler

Busting vectors like it's 1982!
vacBacker
Feedback
10 (100%)
Credits
4,054CR
Never mind. Found another. And it just says what I already know. "Likely"
 

markjw

Newbie
Credits
23CR
david_orton_2000 said:
yup, we only had a few servers to do, with 95% not affected.
Versions affected:
1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1
ref:
http://www.openssl.org/news/vulnerabilities.html

Be aware, if anyone is using Red Hat Enterprise Linux 6 (or CentOS etc. that are built from it), that the fixed version is not 1.0.1g as specified but version 1.0.1e-16.el6_5.7 - Red Hat have backported the fixes into their 1.0.1e code train.

'openssl version -a' should respond with (the build date being the important one!):

OpenSSL 1.0.1e-fips 11 Feb 2013

built on: Tue Apr 8 02:39:29 UTC 2014
 
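A defender-side check for the backport situation markjw describes, added here as an example that is not from the thread: it parses `openssl version -a` output, applies the affected-version list quoted above, and for those versions falls back to the "built on:" date as the post suggests. The fix-publication date threshold and the sample outputs below are my own constructed values; only the first sample mirrors the RHEL 6 build shown in the post.

```shell
#!/bin/sh
# Added example, not from the thread: classify `openssl version -a` output for
# Heartbleed exposure using the posts' two rules: upstream 1.0.1 to 1.0.1f (and
# 1.0.2 pre-releases) carry the bug, and RHEL 6 / CentOS 6 backport the fix
# without bumping the version, so there the "built on:" date is what matters
# (the thread's fixed RHEL 6 build: 1.0.1e-fips, built Tue Apr 8 2014). Fixed
# code was published 7 Apr 2014; a later build date only means "likely patched",
# so confirm with the package version (rpm -q openssl, expecting 1.0.1e-16.el6_5.7).
FIX_DATE=20140407   # YYYYMMDD
month_num() {
    case "$1" in
        Jan) echo 1;;  Feb) echo 2;;  Mar) echo 3;;  Apr) echo 4;;
        May) echo 5;;  Jun) echo 6;;  Jul) echo 7;;  Aug) echo 8;;
        Sep) echo 9;;  Oct) echo 10;; Nov) echo 11;; Dec) echo 12;;
        *)   echo 0;;
    esac
}
# Reads `openssl version -a` output on stdin and prints one verdict:
#   not-affected | vulnerable | likely-patched | unknown
heartbleed_check() {
    version='' build=''
    while IFS= read -r line; do
        case "$line" in
            'OpenSSL '*)   version=$(printf '%s\n' "$line" | awk '{print $2}');;
            'built on: '*) build=${line#built on: };;
        esac
    done
    case "$version" in
        '') echo unknown; return;;
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta*) ;;   # affected line: check the build date
        *) echo not-affected; return;;
    esac
    # build is e.g. "Tue Apr  8 02:39:29 UTC 2014": fields 2, 3, 6 = month, day, year
    set -- $build
    mon=$(month_num "$2")
    if [ $# -lt 6 ] || [ "$mon" -eq 0 ]; then echo unknown; return; fi
    key=$(( $6 * 10000 + $mon * 100 + ${3#0} ))
    if [ "$key" -ge "$FIX_DATE" ]; then echo likely-patched; else echo vulnerable; fi
}
# Convenience wrapper: pass the captured output as one string.
classify() { printf '%s\n' "$1" | heartbleed_check; }
# Constructed sample outputs; only the first mirrors the thread's RHEL 6 build.
classify 'OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Tue Apr 8 02:39:29 UTC 2014'     # likely-patched
classify 'OpenSSL 1.0.1e 11 Feb 2013
built on: Mon Feb 11 15:24:01 UTC 2013'    # vulnerable
classify 'OpenSSL 1.0.0k 5 Feb 2013
built on: Wed Feb 6 09:12:33 UTC 2013'     # not-affected
```

On a live host, run `openssl version -a | heartbleed_check`; a "likely-patched" verdict on a distro build should still be confirmed against the package version from the vendor advisory.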

guddler

Busting vectors like it's 1982!
vacBacker
Feedback
10 (100%)
Credits
4,054CR
And I've been made aware over the last two hours that if your servers are on AWS then they are checking for you and notifying you. But be aware that the emails (at least in my case) are going to the person the account is in the name of and for me that was not the person in charge (me)!
 