Heartbleed: nothing like a major exploit to spoil your week.

Started by Lazybones, April 09, 2014, 02:34:54 PM


Lazybones

http://heartbleed.com/

Has everyone checked their systems, patched OpenSSL and revoked and re-issued their certificates?

Fun times, unless you lucked out with load balancers and SSL systems using different libraries...

Mr. Analog

By Grabthar's Hammer

Darren Dirt

_____________________

Strive for progress. Not perfection.
_____________________

Lazybones

Quote from: Darren Dirt on April 09, 2014, 03:21:14 PM
Quote from: Lazybones on April 09, 2014, 02:34:54 PM
OpenSSL

meh. At least 10% of servers aren't even using that!

OpenSSL is a library used by both Apache and NGINX.
http://news.netcraft.com/archives/2014/01/03/january-2014-web-server-survey.html

Developer    December 2013   Percent   January 2014   Percent   Change
Apache       355,244,900     41.26%    358,669,012    41.64%     0.38
Microsoft    241,777,723     28.08%    253,438,493    29.42%     1.34
nginx        126,485,204     14.69%    124,052,996    14.40%    -0.29
Google        38,263,525      4.44%     21,280,639     2.47%    -1.97

That would be close to 55% of all web servers Netcraft monitors.

Lazybones

Quote from: Lazybones on April 09, 2014, 04:34:06 PM
Quote from: Darren Dirt on April 09, 2014, 03:21:14 PM
Quote from: Lazybones on April 09, 2014, 02:34:54 PM
OpenSSL

meh. At least 10% of servers aren't even using that!

OpenSSL is a library used by both Apache and NGINX.
http://news.netcraft.com/archives/2014/01/03/january-2014-web-server-survey.html

Developer    December 2013   Percent   January 2014   Percent   Change
Apache       355,244,900     41.26%    358,669,012    41.64%     0.38
Microsoft    241,777,723     28.08%    253,438,493    29.42%     1.34
nginx        126,485,204     14.69%    124,052,996    14.40%    -0.29
Google        38,263,525      4.44%     21,280,639     2.47%    -1.97

That would be close to 55% of all web servers Netcraft monitors.

A lot of systems with embedded web servers also use OpenSSL directly.

Melbosa

And here I thought the big news this week was going to be the ultimate XP exploit. This OpenSSL is all I've been seeing at NAIT and in the industry!
Sometimes I Think Before I Type... Sometimes!

Tom

Yeah, I updated OpenSSH and Apache where needed... but I haven't felt like revoking and reinstalling my certs, especially if they make me pay for it again.
<Zapata Prime> I smell Stanley... And he smells good!!!

Lazybones

There is some debate as to whether the keys even could be released. The leak is of released memory, not active memory, so in theory only after a power-on reboot or restart of services would a copy of the key be in the vulnerable memory space.

But for those of us doing business, we can't take chances.

Tom

Indeed, for those that actually care a ton about their job and business, you have to be proactive about this.

Sadly, too many businesses won't bother. It's like with the XP update.
<Zapata Prime> I smell Stanley... And he smells good!!!

Lazybones

LastPass has released a completely inaccurate assessment tool to their users. I already avoided them, now I will be sure to boycott them...

http://blog.lastpass.com/2014/04/lastpass-now-checks-if-your-sites-are.html#comment-form

Darren Dirt

Quote from: Lazybones on April 10, 2014, 02:35:27 PM
LastPass has released a completely inaccurate assessment tool to their users.

Please explain... #curious
_____________________

Strive for progress. Not perfection.
_____________________

Lazybones

Quote from: Darren Dirt on April 10, 2014, 02:38:26 PM
Quote from: Lazybones on April 10, 2014, 02:35:27 PM
LastPass has released a completely inaccurate assessment tool to their users.

Please explain... #curious
This is what it returns to a user for my site (we fully patched and re-keyed yesterday):

Site: "Yes, umm, that is accurate."
Server software: Apache. "Yes."
Vulnerable: Likely (known use OpenSSL). "Um, no, we patched before this tool went live, but other admins have reported back that it doesn't check for vulnerability or version; no indication of when or if they checked."
SSL Certificate: Unsafe (created 2 months ago). "No, we re-keyed and reissued all certs. However, this does not change the issued date; the cert, signature and version number do change when re-keyed/reissued."
Assessment: Wait for the site to update before changing your password. "Very safe, all done yesterday and verified."

Several mad admins in the comments have also pointed out the re-keying issue; one even said they don't use OpenSSL at all, which is true for IIS and many web servers and load balancers.
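Lazybones's point about the certificate check can be shown directly: the Go program below is an added example (not from the thread, LastPass or any CA) that issues a self-signed cert, then re-issues it with a fresh private key and the same validity window, and reports that notBefore is unchanged while the public key differs, so a date-based "created N months ago" heuristic cannot tell whether a site re-keyed after patching. The CommonName, serials and dates are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issueCert self-signs a cert for key with a fixed validity window, mirroring a
// CA that re-issues against an existing order without moving notBefore.
func issueCert(key *ecdsa.PrivateKey, serial int64) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: "example.test"}, // constructed name
		NotBefore:    time.Date(2014, 2, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:     time.Date(2015, 2, 1, 0, 0, 0, 0, time.UTC),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ReKeyed compares the SubjectPublicKeyInfo of the two certs: it differs iff the
// private key was replaced, which is what a post-Heartbleed check must establish.
func ReKeyed(old, cur *x509.Certificate) bool {
	return !bytes.Equal(old.RawSubjectPublicKeyInfo, cur.RawSubjectPublicKeyInfo)
}

// Demo issues a cert, then re-keys it with a fresh key, and reports whether
// notBefore stayed the same (it does) and whether the key changed (it did).
func Demo() (sameNotBefore, keyChanged bool, err error) {
	var certs [2]*x509.Certificate
	for i := range certs {
		key, kerr := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if kerr != nil {
			return false, false, kerr
		}
		if certs[i], err = issueCert(key, int64(i+1)); err != nil {
			return false, false, err
		}
	}
	return certs[0].NotBefore.Equal(certs[1].NotBefore), ReKeyed(certs[0], certs[1]), nil
}
```

Against a live site, the same comparison works on the SPKI (or its SHA-256 pin) captured before and after the operator's announced re-key; the certificate's notBefore or serial alone is not evidence either way.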

Darren Dirt

False positives ftw?

You don't need a web-based tool to say "just to be safe, we should presume we are probably vulnerable"; you can just agree to presume the worst without needing a tool to do it for you ;)
_____________________

Strive for progress. Not perfection.
_____________________

Lazybones

Quote from: Darren Dirt on April 10, 2014, 02:56:36 PM
False positives ftw?

You don't need a web-based tool to say "just to be safe, we should presume we are probably vulnerable"; you can just agree to presume the worst without needing a tool to do it for you ;)

LastPass users are also reporting that it is NOT flagging some sites that DID report being vulnerable. Thus it is both a false sense of security and a cause for unnecessary panic... So it generates a lot of smug user support tickets, that is for sure.

Melbosa

Love that I just finished upgrading our VMware environment to 5.5, 70 systems, with our own CA, and it's vulnerable... doh! Once VMware releases a patch I'll have to revoke all those CA certs and reissue new ones after the patch. Too bad it requires a reboot for the chain to be fully utilized on the systems. Oh well, maintenance mode for the win!
Sometimes I Think Before I Type... Sometimes!