heartbleed nothing like a major exploit to spoil your week.

Started by Lazybones, April 09, 2014, 02:34:54 PM


Lazybones

Quote from: Melbosa on April 10, 2014, 04:20:03 PM
Love that I just finished upgrading our VMware environment to 5.5, 70 systems, with our own CA, and it's vulnerable... doh!  Once VMware releases a patch I'll have to revoke all those CA Certs and reissue new ones after the patch.  Too bad it requires a reboot for the chain to be fully utilized on the systems.  Oh well, maintenance mode for the win!

Oddly enough my upgrade to 5.5 was delayed while validating backup software issues... Now I hope they release a patch soon so I can finish things without rolling out a vulnerable system.

Lazybones


Thorin

Quote from: Lazybones on April 11, 2014, 08:01:26 AM
Heartbleed explained http://xkcd.com/1354/

That's an excellent explanation.  Much better than what I heard them try to explain on 630 CHED yesterday.
Prayin' for a 20!

gcc thorin.c -pedantic -o Thorin
compile successful

Darren Dirt

Excellent, and TERRIFYING.


Also thanks for the timesink reminder; it's been a few months for me.
Now I have lunch time plans: try all paths of http://xkcd.com/1350/
_____________________

Strive for progress. Not perfection.
_____________________


Thorin

Such a simple oversight.

A reporter has found the person who created the bug and talked to them - apparently he wasn't an inner-circle developer so his code had to go through review before being submitted.  Neither he nor the reviewer caught it.

Or were both paid off by the NSA.
Prayin' for a 20!

gcc thorin.c -pedantic -o Thorin
compile successful

Darren Dirt

Quote from: Thorin on April 11, 2014, 01:28:45 PM
A reporter has found the person who created the bug and talked to them - apparently he wasn't an inner-circle developer so his code had to go through review before being submitted.  Neither he nor the reviewer caught it.

Quote from: http://en.wikipedia.org/wiki/Heartbleed#Reaction
Theo de Raadt, founder and leader of the OpenBSD and OpenSSH projects, has criticized the OpenSSL developers for explicitly circumventing OpenBSD C standard library exploit countermeasures, saying "OpenSSL is not developed by a responsible team."

The author of the bug, Robin Seggelmann,[32] stated that he "missed validating a variable containing a length" and denied any intention to submit a flawed implementation.[33]

[32] http://www.smh.com.au/it-pro/security-it/who-is-robin-seggelmann-and-did-his-heartbleed-break-the-internet-20140411-zqtjj.html

[33] http://www.smh.com.au/it-pro/security-it/man-who-introduced-serious-heartbleed-security-flaw-denies-he-inserted-it-deliberately-20140410-zqta1.html
_____________________

Strive for progress. Not perfection.
_____________________
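The "missed validating a variable containing a length" line is the whole bug: the heartbeat handler trusted the payload length claimed inside the record instead of checking it against the number of bytes actually received. The following is an added illustration written for this thread, not OpenSSL's code; it uses the RFC 6520 heartbeat layout (1-byte type, 2-byte big-endian payload length, payload, at least 16 bytes of padding) and the function names, result codes and sample records are all constructed here. It shows the bounds check the fix introduced and a response builder that copies only the validated length.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat record layout (RFC 6520): type, 2-byte payload_length,
 * payload, then at least 16 bytes of padding. Constants are ours. */
#define HB_HEADER_LEN  3u
#define HB_MIN_PADDING 16u
#define HB_REQUEST     1u
#define HB_RESPONSE    2u

enum hb_result { HB_OK = 0, HB_TOO_SHORT = -1, HB_BAD_LENGTH = -2, HB_BAD_TYPE = -3 };

/* Validate a received heartbeat record before trusting its length field.
 * rec/rec_len describe the bytes really present; *payload_len is set only on
 * success. The comparison of the claimed length against rec_len is the check
 * that was missing in the vulnerable code. */
enum hb_result hb_validate(const uint8_t *rec, size_t rec_len, size_t *payload_len)
{
    if (rec == NULL || rec_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return HB_TOO_SHORT;
    if (rec[0] != HB_REQUEST)
        return HB_BAD_TYPE;

    size_t claimed = ((size_t)rec[1] << 8) | rec[2];

    /* Claimed payload plus mandatory padding must fit in what was received;
     * otherwise the echo would read past the end of the record buffer. */
    if (claimed > rec_len - HB_HEADER_LEN - HB_MIN_PADDING)
        return HB_BAD_LENGTH;

    *payload_len = claimed;
    return HB_OK;
}

/* Build the echo response using only the validated length. Returns the number
 * of bytes written to out, or 0 if the record was rejected or out is too small. */
size_t hb_build_response(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_len)
{
    size_t plen;
    if (hb_validate(rec, rec_len, &plen) != HB_OK)
        return 0;

    size_t need = HB_HEADER_LEN + plen + HB_MIN_PADDING;
    if (out_len < need)
        return 0;

    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(plen >> 8);
    out[2] = (uint8_t)(plen & 0xffu);
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, plen); /* bounded by validated plen */
    memset(out + HB_HEADER_LEN + plen, 0, HB_MIN_PADDING);  /* fresh padding, not heap leftovers */
    return need;
}

/* Constructed sample records (not captured traffic): both carry the 4-byte
 * payload "ping" and 16 bytes of padding; the second lies about its length. */
static const uint8_t sample_good[]  = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g',
                                        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
static const uint8_t sample_lying[] = { HB_REQUEST, 0xff, 0xff, 'p', 'i', 'n', 'g',
                                        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };

int check_sample_good(void)
{
    size_t n = 0;
    return hb_validate(sample_good, sizeof sample_good, &n) == HB_OK && n == 4;
}

int check_sample_lying(void)
{
    size_t n = 0;
    return hb_validate(sample_lying, sizeof sample_lying, &n) == HB_BAD_LENGTH;
}

size_t respond_sample_good(void)
{
    uint8_t out[64];
    return hb_build_response(sample_good, sizeof sample_good, out, sizeof out);
}

size_t respond_sample_lying(void)
{
    uint8_t out[64];
    return hb_build_response(sample_lying, sizeof sample_lying, out, sizeof out);
}

int main(void)
{
    printf("honest record accepted: %d, response bytes: %zu\n",
           check_sample_good(), respond_sample_good());
    printf("lying record rejected: %d, response bytes: %zu\n",
           check_sample_lying(), respond_sample_lying());
    return 0;
}
```

The rejected record is the interesting case: it claims a 65535-byte payload while only 23 bytes arrived, and the validated parser drops it instead of echoing whatever happened to sit after the record in memory.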

Tom

Quote from: Lazybones on April 09, 2014, 10:47:50 PM
There is some debate as to if the keys even could be released. The leak is for released memory not active memory so in theory only after a powered on reboot or restart of services would a copy of the key be in the vulnerable memory space.
Quote from: Tom on April 09, 2014, 10:40:33 PM
Yeah, I updated openssh and apache where needed... but I haven't felt like revoking and reinstalling my certs. especially if they make me pay for it again.
Turns out it is fully possible to get at the private key with enough requests. So yeah, it'd be a good idea to patch and reissue+revoke asap.

I just reissued+revoked the ssl cert on my mail server. Thankfully it was pretty easy. whether or not it matters that I'm using the same cert for postfix, dovecot, and apache (for roundcube) is another story.
<Zapata Prime> I smell Stanley... And he smells good!!!

Lazybones

All of our production stuff was patched, rekeyed and revoked right away.

Interestingly the revoke is not automatic for some CAs.


Lazybones

Quote from: Darren Dirt on April 16, 2014, 09:40:47 AM
A few days have passed, but supposedly "about to get worse" -- truth? or fear-mongering?
http://www.washingtonpost.com/blogs/the-switch/wp/2014/04/14/heartbleed-is-about-to-get-worse-and-it-will-slow-the-internet-to-a-crawl/

http://news.netcraft.com/archives/2014/04/15/revoke-the-time-is-nigh.html

It seems that the majority of major sites have been doing the full process of patching, revoking and re-key/re-issue... For the internet as a whole it might not be too bad but there are some issues.

Some mobile browsers do not check revoke lists.
https://www.grc.com/revocation.htm

There are many mobile / Android devices vulnerable and likely never to be patched.
http://www.pcmag.com/article2/0,2817,2456507,00.asp


There are A LOT of internal systems that use SSL these days. I know of phone systems, SAN systems and virtual systems that are not yet patched. They are not directly internet accessible but present a risk.

Thorin

You know, I hadn't realized, but the bug was introduced at 11:50pm on Dec 31, 2011.  Seriously?  Someone thought they should push through a code change ten minutes before New Year's??
Prayin' for a 20!

gcc thorin.c -pedantic -o Thorin
compile successful

Darren Dirt

Quote from: Thorin on April 16, 2014, 10:35:16 AM
You know, I hadn't realized, but the bug was introduced at 11:50pm on Dec 31, 2011.  Seriously?  Someone thought they should push through a code change ten minutes before New Year's??

Coders don't go to social parties. It was a low-impact risk ;)

[ insert HHGG scene* about intelligent geeks "they don't get invited to those kind of parties..." ]
* http://www.youtube.com/watch?v=nCf53ses22w



_____________________

Strive for progress. Not perfection.
_____________________

Tom

A lot of open source work happens during christmas/newyears holidays.
<Zapata Prime> I smell Stanley... And he smells good!!!

Darren Dirt

Apparently a prodigiously smart 19-year-old comp-sci "loner" was behind the CRA Heartbleed hacks?
http://www.torontosun.com/2014/04/16/charges-laid-in-heartbleed-hack-of-cra-site

Yeah sure. A lone gunman. whatevs.
_____________________

Strive for progress. Not perfection.
_____________________