heartbleed nothing like a major exploit to spoil your week.

Lazybones · April 09, 2014, 02:34:54 PM

http://heartbleed.com/

Has everyone checked their systems, patched OpenSSL and revoked and re-issued their certificates?

Fun times, unless you lucked out with load balancers and SSL systems using different libraries..

Mr. Analog · April 09, 2014, 02:36:56 PM

It's an F'ing nightmare right now, all around

Darren Dirt · April 09, 2014, 03:21:14 PM

Quote from: Lazybones on April 09, 2014, 02:34:54 PM
OpenSSL

meh. At least 10% of server's aren't even using that!

Lazybones · April 09, 2014, 04:34:06 PM

Quote from: Darren Dirt on April 09, 2014, 03:21:14 PM
Quote from: Lazybones on April 09, 2014, 02:34:54 PM
OpenSSL

meh. At least 10% of server's aren't even using that!

OpenSSL is a library used by both Apache and NGINX
http://news.netcraft.com/archives/2014/01/03/january-2014-web-server-survey.html

Code Select


Developer	December 2013	Percent	January 2014	Percent	Change
Apache	355,244,900	41.26%	358,669,012	41.64%	0.38
Microsoft	241,777,723	28.08%	253,438,493	29.42%	1.34
nginx	126,485,204	14.69%	124,052,996	14.40%	-0.29
Google	38,263,525	4.44%	21,280,639	2.47%	-1.97

That would be close to 55% of all webservers netcraft monitors.

Lazybones · April 09, 2014, 04:59:33 PM

Quote from: Lazybones on April 09, 2014, 04:34:06 PM
Quote from: Darren Dirt on April 09, 2014, 03:21:14 PM
Quote from: Lazybones on April 09, 2014, 02:34:54 PM
OpenSSL

meh. At least 10% of server's aren't even using that!

OpenSSL is a library used by both Apache and NGINX
http://news.netcraft.com/archives/2014/01/03/january-2014-web-server-survey.html
Code Select Expand
Developer December 2013 Percent January 2014 Percent Change Apache 355,244,900 41.26% 358,669,012 41.64% 0.38 Microsoft 241,777,723 28.08% 253,438,493 29.42% 1.34 nginx 126,485,204 14.69% 124,052,996 14.40% -0.29 Google 38,263,525 4.44% 21,280,639 2.47% -1.97

That would be close to 55% of all webservers netcraft monitors.

Also a lot of systems with embedded webservers also use OpenSSL directly.

Melbosa · April 09, 2014, 05:54:48 PM

And here I thought the big news this week was going to be the ultimate XP exploit. This OpenSSL is all I've been seeing at NAIT and in the industry!

Tom · April 09, 2014, 10:40:33 PM

Yeah, I updated openssh and apache where needed... but I haven't felt like revoking and reinstalling my certs. especially if they make me pay for it again.

Lazybones · April 09, 2014, 10:47:50 PM

There is some debate as to if the keys even could be released. The leak is for released memory not active memory so in theory only after a powered on reboot or restart of services would a copy of the key be in the vulnerable memory space.

But for those of use doing business we can't take chances.

Tom · April 09, 2014, 10:50:20 PM

Indeed, those that actually care a ton about their job and business, you have to be proactive about this.

Sadly too many buisnesses won't bother. Its like with the XP update.

Lazybones · April 10, 2014, 02:35:27 PM

LastPass has released a completely inaccurate assessment tool to their users. I already avoided them, now I will be sure to boycott them..

http://blog.lastpass.com/2014/04/lastpass-now-checks-if-your-sites-are.html#comment-form

Darren Dirt · April 10, 2014, 02:38:26 PM

Quote from: Lazybones on April 10, 2014, 02:35:27 PM
LastPass has released a completely inaccurate assessment tool to their users.

Please explain... #curious

Lazybones · April 10, 2014, 02:44:38 PM

Quote from: Darren Dirt on April 10, 2014, 02:38:26 PM
Quote from: Lazybones on April 10, 2014, 02:35:27 PM
LastPass has released a completely inaccurate assessment tool to their users.

Please explain... #curious

This is what it returns to a user for my site (we fully patched and re-keyed yesterday.

Site:"yes, umm that is accurate"
Server software:Apache "yes"
Vulnerable:Likely (known use OpenSSL) "Um no, we patched before this tool went live, but other admins have reported back it doesn't check for vulerability or version, no indication when if they checked"
SSL Certificate:Unsafe (created 2 months ago) "No we re-keyed and reissued all certs.. However this does not change the issued date, the cert, signature and version number do change when re-keyed/reissued"
Assessment:Wait for the site to update before changing your password "Very safe, all done yesterday and verified"

Several mad admins in the comments also have pointed out the re-keying issue, one even said they don't even use OpenSSL, which is true for IIS and many web-servers and load balancers.

Darren Dirt · April 10, 2014, 02:56:36 PM

False positives ftw?

Don't need a web-based tool to say "just to be safe, we should presume we are probably vulnerable" you can just agree to presume the worst without needing a tool to do it for you

Lazybones · April 10, 2014, 03:32:03 PM

Quote from: Darren Dirt on April 10, 2014, 02:56:36 PM
False positives ftw?

Don't need a web-based tool to say "just to be safe, we should presume we are probably vulnerable" you can just agree to presume the worst without needing a tool to do it for you

LastPass users are also reporting that it is NOT flagging some sites that DID report being vulnerable. Thus it is both a false sense of security and a cause for unnecessary panic... So it generates a lot of smug user support tickets that is for sure.

Melbosa · April 10, 2014, 04:20:03 PM

Love that I just finished upgrading our VMware environment to 5.5, 70 systems, with our own CA, and its vulnerable... doh! Once VMware releases a patch I'llh ave to revoke all those CA Certs and reissue new ones after the patch. Too bad it requires a reboot for the chain to be fully utilized on the systems. Oh well maintenance mode for the win!