Heartbleed SSL exploit [CVE-2014-0160]

Discussion in 'Business & Enterprise Computing' started by HeXa, Apr 9, 2014.

  1. scrantic

    scrantic Member

    Joined:
    Apr 8, 2002
    Messages:
    1,780
    Location:
    3350
  2. power

    power Member

    Joined:
    Apr 20, 2002
    Messages:
    68,463
    Location:
    brisbane
    turns out they didn't give a shit, no response to a PM to a moderator so I made a thread on their site hopefully that gets their attention.

    for those interested it's LS1.com.au

    even if no key leaked, credentials are, so it's small comfort.
     
    Last edited: Apr 10, 2014
  3. scrantic

    scrantic Member

    Joined:
    Apr 8, 2002
    Messages:
    1,780
    Location:
    3350
    But doesn't this mean that the need for revocation & reissuing of certificates wouldn't be required?

    I appreciate that confidential information will be leaked.
     
  4. power

    power Member

    Joined:
    Apr 20, 2002
    Messages:
    68,463
    Location:
    brisbane
    If I was exposed I know what I'd be doing.

    http://blog.lastpass.com/2014/04/lastpass-now-checks-if-your-sites-are.html

    some great info for LastPass users, they also have an additional checker which shows if a site recently updated its cert.

    https://lastpass.com/heartbleed/
     
    Last edited: Apr 10, 2014
  5. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    18,647
    Location:
    Brisbane
    Even that post says that you *can* leak your private key (highlighting that the best chance for this is RIGHT after a reboot) - why the hell would you risk it?

    You simply cannot know if it's out or not - and thus you *must* assume that it has been leaked.
     
  6. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    14,678
    I trust nobody.
    Someone is in your RAMz Lookin at ur Memoriez.


    It's like Inception.

    Leonardo DiCaprio is in your head, going through your memories.
    There's a non-zero chance that he has seen your bank PIN.

    Do you change it?
     
  7. cbb1935

    cbb1935 Guest

    Anyone using LiquidFiles would have got an email yesterday telling them to upgrade the certificates due to Heartbleed.

    ...

    Yet on the flipside, SonicWall's SonicOS does not appear affected.
     
  8. elvis

    elvis OCAU's most famous and arrogant know-it-all

    Joined:
    Jun 27, 2001
    Messages:
    46,805
    Location:
    Brisbane
    None of our sites are affected, thankfully.

    Patching was handled automagically on all systems.

    We're in the clear for this one.
     
  9. millsy

    millsy Member

    Joined:
    Mar 31, 2007
    Messages:
    14,046
    Location:
    Brisbane
    It definitely makes me wonder if this was part of the attack suite the NSA alluded to having for decrypting SSL traffic.

    Regardless, that massive cache of encrypted data they snooped probably isn't encrypted now!
     
  10. kogi

    kogi Member

    Joined:
    Jan 23, 2003
    Messages:
    5,129
    Location:
    2031
    Whew. Dodged it. CentOS 5 ftw
     
  11. Swathe

    Swathe (Banned or Deleted)

    Joined:
    Mar 23, 2007
    Messages:
    2,508
    Location:
    Rockhampton
    The SANS institute are doing a webinar atm but it was too full so I couldn't get in but watching some live tweets. Apparently there are some patches for nginx now that can log attacks but not sure if it can detect attacks prior to patching.
     
  12. HeXa (OP)

    HeXa Member

    Joined:
    Jul 7, 2001
    Messages:
    10,211
    Location:
    Canberra, ACT
    so you were vulnerable for months but now you aren't?

    not sure if that is "in the clear" :p
     
  13. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    18,647
    Location:
    Brisbane
  14. BistecConBigote

    BistecConBigote Member

    Joined:
    Jun 21, 2013
    Messages:
    134
    I originally posted this here, but doesn't seem to be getting any attention. Is there a list of affected routers running OpenSSL? I know that some builds of both DD-WRT and Tomato firmware have been confirmed affected. How about specific brands using proprietary firmware?
     
  15. millsy

    millsy Member

    Joined:
    Mar 31, 2007
    Messages:
    14,046
    Location:
    Brisbane
  16. Luke212

    Luke212 Member

    Joined:
    Feb 26, 2003
    Messages:
    10,277
    Location:
    Sydney
    this is fucking annoying.
     
  17. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    14,678
    For the average content consumer on news.com.au, any one of the myriad of Windows remote execution bugs (back when most machines were directly connected to the net, not behind NAT) would have been far more relevant, but very few of those get articles on them (unless they have a cool name like Slammer or Code Red).

    Actually, that's probably the reason this is getting mainstream coverage... it's got a cool name. If it had been

    CVE-2014-0160 - Memory Exposure via OpenSSL HeartBeat it probably wouldn't have been worth writing about.
     
  18. Iceman

    Iceman Member

    Joined:
    Jun 27, 2001
    Messages:
    6,647
    Location:
    Brisbane (nth), Australia
    I understand the impact. I was having a lighthearted dig at what Pablo referenced below. "Back in the day" shortly post the WinNuke era the common wisdom changed to "Windows - always behind a NAT but your Linux server can hang out on the net all it likes" and this has survived virtually to this day.

    Now this might cause people to rethink how much they host on a single box that is exposed to the net. For example, if your vulnerable box was solely a bastion VPN end point with no local auth db, your level of exposure is limited to what's in the vulnerable portion of the memory of that server alone - which is mostly just VPN traffic.

    Conversely if your "super secure" VPN end point also hosted your RADIUS db, web server / OpenVPN SSL certs, was also your file server etc.. then the amount of data that can be exposed by this bug skyrockets.

    That's true, but "not behind a NAT" was a very long time ago, even in the dial-up days people were using WinGate (bless their insecure hearts/curse their LAN ruining DHCP serving ignorant arses).
     
  19. millsy

    millsy Member

    Joined:
    Mar 31, 2007
    Messages:
    14,046
    Location:
    Brisbane
    I see the risk from this being more around the average content consumer's details on websites being exposed.
     
  20. elvis

    elvis OCAU's most famous and arrogant know-it-all

    Joined:
    Jun 27, 2001
    Messages:
    46,805
    Location:
    Brisbane
    We weren't vulnerable pre-patch. (Tested old versions/snapshots in VMs).
     
