Free Republic
Serious OpenSSL bug renders websites wide open
itnews.com.au | Apr 8, 2014 8:07 AM | Juha Saarinen

Posted on 04/08/2014 11:13:55 AM PDT by Utilizer

A serious vulnerability in the popular OpenSSL cryptographic library has been discovered that allows attackers to steal information unnoticed.

Known as the Heartbleed bug, the vulnerability allows anyone on the Internet to read the memory of systems that run vulnerable versions of OpenSSL, revealing the secret authentication and encryption keys to protect the traffic. User names, passwords and the actual content of the communications can also be read.

...

OpenSSL recommends that users immediately upgrade to version 1.0.1g. If that's not possible, users should recompile OpenSSL with the -DOPENSSL_NO_HEARTBEATS flag to remove the heartbeat handshake. The 1.0.2 version of OpenSSL will be fixed with beta 2.

Debian Wheezy, Ubuntu 12.04.4 LTS, Centos 6.5, Fedora 18, OpenBSD 5.3, FreeBSD 8.4, NetBSD 5.0.2 and OpenSUSE 12.2 are all listed as vulnerable...

(Excerpt) Read more at itnews.com.au ...


TOPICS: Business/Economy; Computers/Internet
KEYWORDS: bug; centos; debian; fedora; freebsd; heartbleedbug; linux; netbsd; opensuse; openbsd; openssl; security; ssl; ubuntu
A bit more info at the site (and lots more ads) (use Ghostery), but the relevant info is posted here.
1 posted on 04/08/2014 11:13:55 AM PDT by Utilizer

To: ShadowAce

You might be interested in this, mate.


2 posted on 04/08/2014 11:15:13 AM PDT by Utilizer (Bacon A'kbar! - In world today are only peaceful people, and the mooslimbs trying to kill them-)

To: ShadowAce; Ernest_at_the_Beach; martin_fierro

Whoopsie. Thanks Utilizer.


3 posted on 04/08/2014 11:28:31 AM PDT by SunkenCiv (https://secure.freerepublic.com/donate/)

To: Utilizer

Very interesting!!
Thanks for posting this.


4 posted on 04/08/2014 11:29:08 AM PDT by Zathras

To: Utilizer

I wondered when this would hit FR?


5 posted on 04/08/2014 11:39:28 AM PDT by George from New England (escaped CT in 2006, now living north of Tampa)

To: Utilizer

“Debian Wheezy, Ubuntu 12.04.4 LTS, Centos 6.5, Fedora 18, OpenBSD 5.3, FreeBSD 8.4, NetBSD 5.0.2 and OpenSUSE 12.2 are all listed as vulnerable...”

It’s those pesky windows machines again....

Wait! What?


6 posted on 04/08/2014 11:41:07 AM PDT by ImaGraftedBranch (...By reading this, you've collapsed my wave function. Thanks.)

To: Utilizer; rdb3; Calvinist_Dark_Lord; JosephW; Only1choice____Freedom; amigatec; Still Thinking; ...

7 posted on 04/08/2014 11:43:04 AM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: Utilizer

UGH! This SUCKS! I’ve got to recompile my SSL CAs due to this. I doubt it’s a big problem, but it’s a PITA.

FWIW, many large businesses use OpenSSL for certificate services. It’s inherently more secure than Windows ADCS, but it’s a bear to manage. You’d be surprised how ubiquitous this software truly is.


8 posted on 04/08/2014 11:44:35 AM PDT by rarestia (It's time to water the Tree of Liberty.)

To: Utilizer
For any Ubuntu 12.04 users:

How to patch CVE

9 posted on 04/08/2014 11:51:29 AM PDT by rarestia (It's time to water the Tree of Liberty.)

To: SunkenCiv

Welcome, mate. We need to look out for one another after all.


10 posted on 04/08/2014 11:55:19 AM PDT by Utilizer (Bacon A'kbar! - In world today are only peaceful people, and the mooslimbs trying to kill them-)

To: Zathras

No worries. Hope it helps many.


11 posted on 04/08/2014 11:56:27 AM PDT by Utilizer (Bacon A'kbar! - In world today are only peaceful people, and the mooslimbs trying to kill them-)

To: George from New England
I wondered when this would hit FR?

Give us a break, mate. Only posted about nineteen hours ago, and not all of us have net access 24/7. :)

12 posted on 04/08/2014 11:58:50 AM PDT by Utilizer (Bacon A'kbar! - In world today are only peaceful people, and the mooslimbs trying to kill them-)

To: ImaGraftedBranch
This affects any machines that run these vulnerable versions of OpenSSL, including 'doze machines and maccompukers as well I would imagine. Note however that as usual it is the 'nix crowd that discovered this bug and patched it, with not a whimper from the MS pukes or macophiles. Macmachines run OS-X, I think, which is unix-based so they should really take a closer look at this.

I understand some gaming consoles also use some version of OpenSSL for online games and logins, but then again they along with the macs are primarily graphics boxen and obviously have little need for REAL computing and security.

13 posted on 04/08/2014 12:05:49 PM PDT by Utilizer (Bacon A'kbar! - In world today are only peaceful people, and the mooslimbs trying to kill them-)

To: rarestia

True. It may not affect every machine out there, but for those of us with a need for good security especially businesses of any size this is a bug worth paying attention to.


14 posted on 04/08/2014 12:08:16 PM PDT by Utilizer (Bacon A'kbar! - In world today are only peaceful people, and the mooslimbs trying to kill them-)

To: Utilizer
Fedora 20 here:

OpenSSH_6.4p1, OpenSSL 1.0.1e-fips 11 Feb 2013

Looks OK.

15 posted on 04/08/2014 12:08:22 PM PDT by zeugma (Don't cry because it's over, smile because it happened - Dr. Seuss (I'll see you again someday Hope))

To: zeugma
Reply to self... e comes before g, stoopid.
16 posted on 04/08/2014 12:11:05 PM PDT by zeugma (Don't cry because it's over, smile because it happened - Dr. Seuss (I'll see you again someday Hope))

To: zeugma

*snicker* Thanks for the laugh, mate! *grin*


17 posted on 04/08/2014 12:20:59 PM PDT by Utilizer (Bacon A'kbar! - In world today are only peaceful people, and the mooslimbs trying to kill them-)

To: Utilizer

Probably hackers have discovered a purposed NSA backdoor.


18 posted on 04/08/2014 12:42:22 PM PDT by Lazamataz (Early 2009 to 7/21/2013 - RIP my little girl Cathy. You were the best cat ever. You will be missed.)

To: Utilizer

If you use OpenSSL to encrypt your data, you’re vulnerable. Period. I have 20 VMs in my home environment alone that I have to patch. Revoking and reassigning certificates is a nightmare. I think the worst part is not knowing: not knowing if any of my data was ever leaked. That’s what hurts the most.


19 posted on 04/08/2014 3:48:58 PM PDT by rarestia (It's time to water the Tree of Liberty.)

To: Utilizer
*snicker* Thanks for the laugh, mate! *grin*

I'm just glad that I noticed my stupidity rather than some wag here. Hard to live that kind of thing down. :-)

20 posted on 04/08/2014 5:03:35 PM PDT by zeugma (Don't cry because it's over, smile because it happened - Dr. Seuss (I'll see you again someday Hope))

To: zeugma
OpenSSH is not the same as OpenSSL. SSH is specifically for securing secure shell.

Fedora 20 wasn't on the list of affected distros, so you're probably fine.

If you want to run a check, this webpage is an excellent resource:

Heartbleed Test

Remember, even if your external domain name scanned clean, that doesn't mean that your internal security is safe.

21 posted on 04/08/2014 6:07:05 PM PDT by rarestia (It's time to water the Tree of Liberty.)

To: Lazamataz

This is too glaring of a hole to be NSA. NSA is much more devious, going so far as to inject their own backdoors into core kernel components in the Windows, iOS, and Android operating systems. This is script-kiddie stuff but still big enough to be a major problem.


22 posted on 04/08/2014 6:08:36 PM PDT by rarestia (It's time to water the Tree of Liberty.)

To: zeugma
True, but the way you did it was a class act. I got the distinct impression that even though you made a mistake, you readily acknowledged it and were ready to laugh about it if anyone else noticed it.

Far too many people are not so ready to admit to errors. You at the very least I found to be with your quick response able to bring a smile on. I too am never leery of learning from any mistake I make, so at your quick repost I was snickering along with you.

Good to get a smile and a laugh going sometimes.

And yes, I well know that others will be very quick to pile on when one does make a mistake, however I have never failed to accept constructive criticism as anything other than a learning experience. *grin*

Cheers!

23 posted on 04/08/2014 6:19:38 PM PDT by Utilizer (Bacon A'kbar! - In world today are only peaceful people, and the mooslimbs trying to kill them-)

To: Utilizer

24 posted on 04/09/2014 4:02:28 AM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: Utilizer
Thanks for the kind words. What is really bad though, is when one is acting as grammar/spelling nazi, and makes a really silly similar mistake in the reply. (yeah, guilty of same) Sometimes I do it, just to see if anyone is paying attention. :-)

FR is a great place, but you have to be willing to take a little good natured abuse. I saw some newbie get zotted the other day because he went ballistic on someone commenting on an unclear subject of his post. If he'd just responded with a "yeah, that wasn't as clear as it could be, what I meant was ..." Instead he got more and more nasty about it down thread, and people responded in kind. Eventually the mods zotted him for being an ass.

Maybe he'll learn from it, but somehow I doubt it.

25 posted on 04/09/2014 9:40:25 AM PDT by zeugma (Don't cry because it's over, smile because it happened - Dr. Seuss (I'll see you again someday Hope))

To: rarestia
OpenSSH is not the same as OpenSSL. SSH is specifically for securing secure shell.

Yeah roger that. I realise they aren't the same, but openssh uses code from openssl (says so right in the version string). Gotta wonder if there aren't similar issues there. I'm sure folks are looking at the potential to subvert ssh as well now. Paranoia with crypto software is a good thing. I'd prefer my ssh to be compiled against the 'g' code fix just to be sure.

26 posted on 04/09/2014 9:45:06 AM PDT by zeugma (Don't cry because it's over, smile because it happened - Dr. Seuss (I'll see you again someday Hope))

To: zeugma

OpenSSH generates private keys for a hash and discards them, if I’m not mistaken. The problem with this vulnerability is that private keys can be compromised, thus making encryption worthless.


27 posted on 04/09/2014 10:35:35 AM PDT by rarestia (It's time to water the Tree of Liberty.)

To: rarestia
Fedora 20 wasn't on the list of affected distros, so you're probably fine.

Nope

Where I work we run Redhat, CentOS and AIX for our UNIX servers. I'm responsible for the AIX portion and I've been testing a fix this morning. If you use openssl, and are running the affected versions, you are vulnerable no matter what flavor of OS you are running.

28 posted on 04/09/2014 10:44:40 AM PDT by BlueMondaySkipper (Involuntarily subsidizing the parasite class since 1981)

To: BlueMondaySkipper

We’re a big RHEL shop here, but they use F5s for certificates along with VeriSign. Very little scuttlebutt this morning about it.


29 posted on 04/09/2014 10:47:38 AM PDT by rarestia (It's time to water the Tree of Liberty.)

To: rarestia
OpenSSH generates private keys for a hash and discards them, if I’m not mistaken. The problem with this vulnerability is that private keys can be compromised, thus making encryption worthless.

Good to know. Yeah, the keys are regenerated, but they have a lifespan. I'm showing a default regeneration interval of 1H on my system, and that's about what I remember from looking at it in the past, so it's not that bad. The more I read on this, it sounds like the attack vector on this is such that it is likely the surface area of ssh is pretty small, if it exists at all. That makes me happy, but doesn't completely dispel my inborn paranoia. :-) I expect to see new ssh binaries in the pipeline soon enough. The folks who maintain ssh are pretty paranoid as well, so they'll likely take a close look at the fix first to make sure it doesn't break anything else. SSH is a critical utility.

30 posted on 04/09/2014 12:08:05 PM PDT by zeugma (Don't cry because it's over, smile because it happened - Dr. Seuss (I'll see you again someday Hope))
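As an added example (not code from the thread or from any poster), a version-string screen that encodes the "e comes before g" check from posts 15 and 16 and the OpenSSH question raised in posts 26 through 30. The affected range (upstream 1.0.1 through 1.0.1f, plus 1.0.2-beta1; fixed in 1.0.1g and 1.0.2-beta2) follows the article excerpt and the upstream advisory; every banner other than the one zeugma quoted is constructed.

```python
import re

# Heartbleed (CVE-2014-0160): upstream OpenSSL 1.0.1 through 1.0.1f and
# 1.0.2-beta1 are affected; 1.0.1g and 1.0.2-beta2 carry the fix, as the
# article says. 0.9.8 and 1.0.0 never contained the heartbeat code.
AFFECTED_1_0_1_LETTERS = ("", "a", "b", "c", "d", "e", "f")

# Matches "OpenSSL 1.0.1e-fips 11 Feb 2013" or "OpenSSL 1.0.2-beta1".
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-(beta\d+))?")


def parse_openssl_version(banner):
    """(major, minor, patch, letter, prerelease) or None if no version found."""
    m = VERSION_RE.search(banner)
    if m is None:
        return None
    major, minor, patch, letter, pre = m.groups()
    return int(major), int(minor), int(patch), letter, pre


def heartbleed_status(banner):
    """Screen an 'openssl version' or 'ssh -V' banner by upstream version.

    Caveat: distro packages that backport the fix (Debian, RHEL/CentOS, Ubuntu)
    keep the upstream version string, so 'vulnerable' means "check the package
    changelog", not proof of exposure.
    """
    v = parse_openssl_version(banner)
    if v is None:
        return "unknown"
    if banner.startswith("OpenSSH"):
        # sshd links only libcrypto; the bug sits in libssl's TLS heartbeat
        # handling, so the version ssh -V reports does not expose SSH itself.
        return "ssh not affected; check libssl separately"
    major, minor, patch, letter, pre = v
    if (major, minor, patch) == (1, 0, 1):
        # "e comes before g": every 1.0.1 letter up to f is affected.
        return "vulnerable" if letter in AFFECTED_1_0_1_LETTERS else "not affected"
    if (major, minor, patch) == (1, 0, 2):
        return "vulnerable" if pre == "beta1" else "not affected"
    return "not affected"


if __name__ == "__main__":
    # Constructed banners; the first is the one quoted in the thread.
    for b in ("OpenSSH_6.4p1, OpenSSL 1.0.1e-fips 11 Feb 2013",
              "OpenSSL 1.0.1e-fips 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014",
              "OpenSSL 1.0.2-beta1", "OpenSSL 1.0.0k"):
        print(f"{b:48s} -> {heartbleed_status(b)}")
```

The screen is only a first pass: a host whose TLS services actually matter still needs the distro security advisory or a live check of the installed libssl.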

To: zeugma

I only use the CLI for OpenSSH to generate login keys for my jump servers. This allows me to turn off password-based authentication and use certificates only. That reduces the chance of a successful brute force attack manifold.


31 posted on 04/10/2014 8:08:46 AM PDT by rarestia (It's time to water the Tree of Liberty.)
