Skip to comments.Serious OpenSSL bug renders websites wide open
Posted on 04/08/2014 11:13:55 AM PDT by Utilizer
A serious vulnerability in the popular OpenSSL cryptographic library has been discovered that allows attackers to steal information unnoticed.
Known as the Heartbleed bug, the vulnerability allows anyone on the Internet to read the memory of systems that run vulnerable versions of OpenSSL, revealing the secret authentication and encryption keys to protect the traffic. User names, passwords and the actual content of the communications can also be read.
OpenSSL recommends that uses immediately upgrade to version 1.0.1g. If that's not possible, users should recompile OpenSSL with the -DOPENSSL_NO_HEARTBEATS flag to remove the the heartbeat handshake. The 1.0.2 version of OpenSSL will be fixed with beta 2.
Debian Wheezy, Ubuntu 12.04.4 LTS, Centos 6.5, Fedora 18, OpenBSD 5.3, FreeBSD 8.4, NetBSD 5.0.2 and OpenSUSE 12.2 are all listed as vulnerable...
(Excerpt) Read more at itnews.com.au ...
You might be interested in this, mate.
Whoopsie. Thanks Utilizer.
Thanks for posting this.
I wondered when this would hit FR ?
“Debian Wheezy, Ubuntu 12.04.4 LTS, Centos 6.5, Fedora 18, OpenBSD 5.3, FreeBSD 8.4, NetBSD 5.0.2 and OpenSUSE 12.2 are all listed as vulnerable...”
It’s those pesky windows machines again....
UGH! This SUCKS! I’ve got to recompile my SSL CAs due to this. I doubt it’s a big problem, but it’s a PITA.
FWIW, many large businesses use OpenSSL for certificate services. It’s inherently more secure than Windows ADCS, but it’s a bear to manage. You’d be surprised how ubiquitous this software truly is.
Welcome, mate. We need to look out for one another after all.
No worries. Hope it helps many.
Give us a break, mate. Only posted about nineteen hours ago, and not all of us have net access 24/7. :)
I understand some gaming consoles also use some version of OpenSSL for online games and logins, but then again they along with the macs are primarily graphics boxen and obviously have little need for REAL computing and security.
True. It may not affect every machine out there, but for those of us with a need for good security especially businesses of any size this is a bug worth paying attention to.
OpenSSH_6.4p1, OpenSSL 1.0.1e-fips 11 Feb 2013
*snicker* Thanks for the laugh, mate! *grin*
Probably hackers have discovered a purposed NSA backdoor.
If you use OpenSSL to encrypt your data, you’re vulnerable. Period. I have 20 VMs in my home environment alone that I have to patch. Revoking and reassigning certificates is a nightmare. I think the worst part is not knowing: not knowing if any of my data was ever leaked. That’s what hurts the most.
I'm just glad that I noticed my stupidity rather than some wag here. Hard to live that kind of thing down. :-)
Fedora 20 wasn't on the list of affected distros, so you're probably fine.
If you want to run a check, this webpage is an excellent resource:
Remember, even if your external domain name scanned clean, that doesn't mean that your internal security is safe.
This is too glaring of a hole to be NSA. NSA is much more devious, going so far as to inject their own backdoors into core kernel components in the Windows, iOS, and Android operating systems. This is script-kiddie stuff but still big enough to be a major problem.
Far too many people are not so ready to admit to errors. You at the very least I found to be with your quick response able to bring a smile on. I too am never leery of learning from any mistake I make, so at your quick repost I was snickering along with you.
Good to get a smile and a laugh going sometimes.
And yes, I well know that others will be very quick to pile on when one does make a mistake, however I have never failed to accept constructive criticism as anything other than a learning experience. *grin*
FR is a great place, but you have to be willing to take a little good natured abuse. I saw some newbie get zotted the other day because he went ballistic on someone commenting on an unclear subject of his post. If he'd just responded with a "yeah, that wasn't as clear as it could be, what I meant was ..." Instead he got more and more nasty about it down thread, and people responded in kind. Eventually the mods zotted him for being an ass.
Maybe he'll learn from it, but somehow I doubt it.
Yeah roger that. I realise they aren't the same, but openssh uses code from openssl (says so right in the version string). Gotta wonder if there aren't similar issues there. I'm sure folks are looking the potential to subvert ssh as well now. Paranoia with crypto software is a good thing. I'd prefer my ssh to be compiled against the 'g' code fix just to be sure.
OpenSSH generates private keys for a hash and discards them, if I’m not mistaken. The problem with this vulnerability is that private keys can be compromised, thus making encryption worthless.
Where I work we run Redhat, CentOS and AIX for our UNIX servers. I'm responsible for the AIX portion and I've been testing a fix this morning. If you use openssl, and are running the affected versions, you are vulnerable no matter what flavor of OS you are running.
We’re a big RHEL shop here, but they use F5s for certificates along with VeriSign. Very little scuttlebutt this morning about it.
Good to know. Yeah, the keys are regenerated, but they have a lifespan. I'm showing a default regeneration interval of 1H on my system, and that's about what I remember from looking at it in the past, so it's not that bad. The more I read on this, it sounds like the attack vector on this is such that it is likely the surface are of ssh is pretty small, if it exists at all. That makes me happy, but doesn't completely dispell my inborn paranoia. :-) I expect to see new ssh binaries in the pipeline soon enough. The folks who maintain ssh are pretty paranoid as well, so they'll likely take a close look at the fix first to make sure it doesn't break anything else. SSH is a critical utility.
I only use the CLI for OpenSSH to generate login keys for my jump servers. This allows me to turn off password-based authentication and use certificates only. That reduces the chance of a successful brute force attack manifold.