Very scary. This is just the info that reaches the public.

Is this story linked to the story last week of the NSA planting weakened random generators into SSL connections?
 
The biggie is that some of the bigger mail providers are WIDE OPEN...

I've edited out the company + login + pass for security reasons, but it's bad form by them not to patch and do so aggressively.

0030: 36 30 33 34 26 6C 6F 67 69 6E 3D 6E 67 68 74 6C 6034&login=xyz
0040: 69 67 68 74 26 70 61 73 73 77 64 3D 4D 6F 6C 6F &passwd=yzx
0050: 63 68 31 30 31 26 73 69 67 3D 4B 4E 39 4B 53 74 ch101&sig=KN9KSt
 
What a pathetic, sensationalist headline.

He noted that the bug only affects web servers using the OpenSSL package, and only those using the newest versions of OpenSSL (1.0.1 and 1.0.2).

For this reason the majority of South African websites are not vulnerable, as they use an older version of OpenSSL (0.9.8), Louw said.
 
And updated. I am now running openssl-devel-1.0.1e-16.el6_5.4.x86_64
 
What a pathetic, sensationalist headline.

Funny... you didn't quote the part of the article where we mention that there are a few high-profile sites that were affected. Just because the majority are unaffected doesn't mean there aren't some important ones that are affected.

For obvious reasons, the sites affected weren't disclosed while we give them time to respond to questions.
 
To understand the risk here, you would only be at risk if someone is sniffing and intercepting your data already with something like ettercap? So basically you would need to be on a compromised network with advanced sniffing or connecting to a compromised host running sniffing packages. Is this correct?
 

No, you can attack a network from outside. The risk is very high.

http://heartbleed.com/

What leaks in practice?

We have tested some of our own services from attacker's perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.
 
And updated. I am now running openssl-devel-1.0.1e-16.el6_5.4.x86_64

Which distro are you on? Apparently 1.0.1g is the patch that fixes this.

To understand the risk here, you would only be at risk if someone is sniffing and intercepting your data already with something like ettercap? So basically you would need to be on a compromised network with advanced sniffing or connecting to a compromised host running sniffing packages. Is this correct?

Nope. Right now there are apparently a bunch of hackers exploiting this bug to extract usernames and passwords from Yahoo Mail, which has not been patched yet.

Essentially the bug lets you tell a server to send you 64k of its heap memory. The theory is that if you repeat the exploit enough you'll eventually get some kind of secret info from that server. Usernames and passwords, or even the private key used to sign its certificate.
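The "send me 64k of your heap" behaviour described in the reply above, as an added example that is not code from this thread or from OpenSSL itself: a stand-alone C model of the heartbeat handler. The arena array, the neighbouring "secrets" placed in it, and the function names are constructed for the demo; the one-line check in the patched branch mirrors the `1 + 2 + payload + 16 > s->s3->rrec.length` test that OpenSSL 1.0.1g added, and the 64 KiB ceiling is simply the largest value the 16-bit length field can hold.

```c
/* Added example, not code from the thread or from OpenSSL: a stand-alone model
 * of the TLS heartbeat handling behind CVE-2014-0160. A heartbeat record is
 * type(1) | length(2) | payload | 16 bytes of padding. OpenSSL 1.0.1 to 1.0.1f
 * trusted the length field, so a 3-byte payload claiming 0xFFFF copies 64 KiB
 * of whatever follows the request in memory into the reply. The arena and the
 * "secrets" placed in it are constructed for the demo. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16
#define ARENA_SIZE       (1 + 2 + 0xFFFF + HB_PADDING + 128)

/* Simulated process memory: the record lands at the start; the bytes after it
 * stand in for neighbouring heap data (a constructed cookie and key header). */
static uint8_t arena[ARENA_SIZE];
static const char neighbours[] =
    "Cookie: session=deadbeefcafe; passwd=hunter2; -----BEGIN RSA PRIVATE KEY-----";

/* Write a request into the arena. `claimed` is the length field the attacker
 * sets; `actual` is how many payload bytes are really sent. Returns the record
 * length as the TLS record layer would see it (rrec.length in OpenSSL). */
size_t build_request(uint16_t claimed, const uint8_t *payload, size_t actual) {
    memset(arena, 0, sizeof arena);
    arena[0] = TLS1_HB_REQUEST;
    arena[1] = (uint8_t)(claimed >> 8);
    arena[2] = (uint8_t)(claimed & 0xFF);
    memcpy(arena + 3, payload, actual);
    size_t rec_len = 1 + 2 + actual + HB_PADDING;
    memcpy(arena + rec_len, neighbours, sizeof neighbours); /* "adjacent heap" */
    return rec_len;
}

/* Heartbeat handler modelled on tls1_process_heartbeat. With check_bounds == 0
 * it behaves like 1.0.1f and copies `payload` bytes whatever the real record
 * length was; with check_bounds == 1 it applies the 1.0.1g check and returns 0
 * (nothing written) when the record is shorter than the length field claims. */
size_t process_heartbeat(const uint8_t *rec, size_t rec_len, uint8_t *out, int check_bounds) {
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (check_bounds && 1 + 2 + (size_t)payload + HB_PADDING > rec_len)
        return 0;                                   /* the CVE-2014-0160 fix */
    size_t i = 0;
    out[i++] = TLS1_HB_RESPONSE;
    out[i++] = rec[1];
    out[i++] = rec[2];
    memcpy(out + i, rec + 3, payload);              /* over-read when unchecked */
    i += payload;
    memset(out + i, 0, HB_PADDING);
    return i + HB_PADDING;
}

/* Does the reply contain bytes the client never sent? */
int response_leaks(const uint8_t *resp, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(resp + i, needle, m) == 0) return 1;
    return 0;
}

/* Scenario 1: 3-byte payload with length field 0xFFFF, unpatched server.
 * Returns 1 if the 64 KiB reply carries the constructed neighbouring secret. */
int demo_vulnerable_leaks(void) {
    static uint8_t resp[ARENA_SIZE];
    size_t rec_len = build_request(0xFFFF, (const uint8_t *)"hat", 3);
    size_t n = process_heartbeat(arena, rec_len, resp, 0);
    return n == 3 + 0xFFFF + HB_PADDING && response_leaks(resp, n, "passwd=hunter2");
}

/* Scenario 2: the same malformed record against a patched server (0 = rejected). */
size_t demo_fixed_rejects(void) {
    static uint8_t resp[ARENA_SIZE];
    size_t rec_len = build_request(0xFFFF, (const uint8_t *)"hat", 3);
    return process_heartbeat(arena, rec_len, resp, 1);
}

/* Scenario 3: an honest request (length field == payload) is still answered
 * by the patched server; returns the reply length, 1 + 2 + 3 + 16 = 22. */
size_t demo_fixed_answers_honest(void) {
    static uint8_t resp[ARENA_SIZE];
    size_t rec_len = build_request(3, (const uint8_t *)"hat", 3);
    return process_heartbeat(arena, rec_len, resp, 1);
}

int main(void) {
    printf("unpatched: leaks neighbouring secret = %d\n", demo_vulnerable_leaks());
    printf("patched, malformed request: reply length = %zu\n", demo_fixed_rejects());
    printf("patched, honest request: reply length = %zu\n", demo_fixed_answers_honest());
    return 0;
}
```

Two things worth noticing when running it: nothing in the unchecked path fails or logs, which is why the exploit leaves no trace on the server, and each request returns a fresh slice of whatever happens to be adjacent, which is why attackers simply repeat it until credentials or key material show up. The other remedy mentioned in this thread, rebuilding OpenSSL without heartbeat support, removes the handler altogether rather than fixing the check.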
 
Okay.

To fix this on cPanel servers just:

yum update

and then recompile apache with easyapache. Until I recompiled apache my web servers tested positive.
 
There are a number of ways to address this - either via patch (https://rhn.redhat.com/errata/RHSA-2014-0376.html - take note that the openssl versioning varies per distro - i.e. RHEL says openssl-1.0.1e) or by recompiling openssl without heartbeat.

When looking at the impact, it is quite scary as it spans Yahoo mail disclosing email credentials, AWS load-balancers being affected, most cloud services and CDNs having issues, and will probably go as far as online banking having leaked user credentials (remember the vulnerability leaks 64KB pages so whatever data is returned could include sensitive information). Also most firewalls, caching services and IPS/web security appliances (ah the irony) use OpenSSL.

I am actually not quite sure if recycling certificates will actually help if an attacker has compromised the certificate/private keys and then impersonates the attacked website/service. Still no idea how the private key can be compromised as it would never reside on the server.
 
We have patched all our and our clients' systems. This is a scary exploit.
 
Is there any chatter about whether or not the "bug" was deliberately introduced to create an exploitable vulnerability?
 
There are a number of ways to address this - either via patch (https://rhn.redhat.com/errata/RHSA-2014-0376.html - take note that the openssl versioning varies per distro - i.e. RHEL says openssl-1.0.1e) or by recompiling openssl without heartbeat.

When looking at the impact, it is quite scary as it spans Yahoo mail disclosing email credentials, AWS load-balancers being affected, most cloud services and CDNs having issues, and will probably go as far as online banking having leaked user credentials (remember the vulnerability leaks 64KB pages so whatever data is returned could include sensitive information). Also most firewalls, caching services and IPS/web security appliances (ah the irony) use OpenSSL.

I am actually not quite sure if recycling certificates will actually help if an attacker has compromised the certificate/private keys and then impersonates the attacked website/service. Still no idea how the private key can be compromised as it would never reside on the server.

You need the key, the passphrase and the cert to start up an ssl server don't you? So all three are potentially in memory somewhere
 

That was my first thought but the list of potential suspects would be quite long if there is any evidence that the bug was deliberately introduced. The fact that no trace is left when the exploit is used sounds very suspicious / all too convenient.
 
Funny... you didn't quote the part of the article where we mention that there are a few high-profile sites that were affected. Just because the majority are unaffected doesn't mean there aren't some important ones that are affected.

For obvious reasons, the sites affected weren't disclosed while we give them time to respond to questions.

Jan, thread derail, forgive me...

/Off topic on

See, an 1890-ish doppelganger, look familiar?

2014-03-31 21.07.45.jpg

:p

/Off topic off

As you were...
 
I'd be interested to see a list of SA sites which are affected and how long it takes for them to fix the vulnerability.
 