Makoto Posted April 9, 2014 Sorry for the ALL CAPS :frantics: title, but this is an important issue all server admins here need to be aware of. This is a warning of a major vulnerability in all versions of OpenSSL 1.0.1 to OpenSSL 1.0.1f - chances are, you are running a version of OpenSSL vulnerable to this exploit. For more information, please see this page: http://heartbleed.com/ Please immediately update any servers you are running to the latest release of OpenSSL. You should receive a notice on upgrading that the upgrade you are using addresses a major vulnerability, and it will prompt you to restart all services that rely on OpenSSL in any way. If you can, a complete server restart is recommended after upgrading.
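The restart advice above has a concrete check behind it: a daemon that was started before the package upgrade keeps the old libssl/libcrypto mapped in memory, and the kernel marks that mapping "(deleted)" in /proc/<pid>/maps once the file on disk has been replaced. The script below is an added example (not code from the forum post or from any project) that scans those maps and lists the processes still holding a replaced OpenSSL library; the SAMPLE_MAPS data is constructed for illustration.

```python
"""Find processes that still map a replaced (deleted) libssl/libcrypto after an
OpenSSL package upgrade. Added example; not part of the forum thread."""
import os
import re

OPENSSL_LIB = re.compile(r"^lib(ssl|crypto)\.so")


def stale_openssl_libs(maps_text):
    """Return sorted, deduplicated paths of deleted libssl/libcrypto mappings
    found in one process's /proc/<pid>/maps content."""
    found = set()
    for line in maps_text.splitlines():
        parts = line.split(None, 5)      # address perms offset dev inode [pathname]
        if len(parts) < 6:
            continue                     # anonymous mapping, no pathname
        pathname = parts[5]
        if not pathname.endswith(" (deleted)"):
            continue
        path = pathname[:-len(" (deleted)")]
        if OPENSSL_LIB.match(os.path.basename(path)):
            found.add(path)
    return sorted(found)


def find_stale(maps_by_pid):
    """{pid: maps_text} -> {pid: [stale library paths]} for affected processes only."""
    result = {}
    for pid, text in maps_by_pid.items():
        stale = stale_openssl_libs(text)
        if stale:
            result[pid] = stale
    return result


def read_proc(proc_root="/proc"):
    """Collect maps for every readable process (run as root to see all of them)."""
    maps = {}
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, name, "maps")) as fh:
                maps[int(name)] = fh.read()
        except OSError:                  # process exited or permission denied
            continue
    return maps


# Constructed sample: three processes, one still holding the replaced libraries.
SAMPLE_MAPS = {
    1234: (
        "7f3a1c000000-7f3a1c1a3000 r-xp 00000000 08:01 131104 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)\n"
        "7f3a1c1a3000-7f3a1c3a2000 ---p 001a3000 08:01 131104 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)\n"
        "7f3a1c400000-7f3a1c5ff000 r-xp 00000000 08:01 131099 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)\n"
        "7f3a1d000000-7f3a1d021000 r-xp 00000000 08:01 655 /lib/x86_64-linux-gnu/ld-2.13.so\n"
        "7fff1a000000-7fff1a021000 rw-p 00000000 00:00 0 [stack]\n"
    ),
    2345: (  # restarted after the upgrade: current library, not deleted
        "7f1000000000-7f10001a3000 r-xp 00000000 08:01 131200 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0\n"
    ),
    3456: (  # holds an unrelated deleted library; not an OpenSSL concern
        "7f2000000000-7f2000020000 r-xp 00000000 08:01 9001 /lib/x86_64-linux-gnu/libz.so.1 (deleted)\n"
    ),
}

if __name__ == "__main__":
    for pid, libs in sorted(find_stale(read_proc()).items()):
        print("PID %d still maps replaced OpenSSL: %s" % (pid, ", ".join(libs)))
```

Run it as root after the upgrade; every PID it prints belongs to a service that still needs a restart (map the PID to its unit with ps), and an empty result is the confirmation that a full reboot is no longer required.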
p4guru Posted April 9, 2014 +1 more info at http://www.webhostingtalk.com/showthread.php?t=1364373
Aussie Cable Posted April 9, 2014 Appreciate the post, I have updated all my servers, thanks Kirito for posting this.
Makoto (Author) Posted April 9, 2014 It's also being recommended you reissue any SSL certificates you're using. You can usually do this for free through your registrar or CA directly.
Clover13 Posted April 9, 2014 I asked my web host about this... here was their response. It might be late and I'm not making sense of it... but in the first part they say the current version on their servers is 1.0.1e and vulnerable. Then in the next they say they built an update and installed it on all servers. And then they showed me the timestamp of the build output (but not the actual version)?

> Hello,
> The current version of OpenSSL on our servers is 1.0.1e, which is listed as vulnerable. However, the Debian OpenSSL package maintainers have already released an updated version, referred to as 1.0.1e-2+deb7u6 in their repositories. This version no longer contains the vulnerability; it was built yesterday, and has since already been installed on all of our servers by our system administrators. This can be confirmed with output of the following command:
>
> [00:49:14] xxx~$ openssl version -b
> built on: Tue Apr 8 10:05:11 UTC 2014
>
> Thus, we can confirm that all actions have been taken to ensure that your account's data is not vulnerable. Please let us know if we can help you further.
> Best regards,
> Support

And also, are any of you publishing anything to your membership regarding this issue and perhaps recommending a password change once the patch is applied? I figure most of my users will have no clue what this even means, but they can at least make sense of it being a good idea to update their passwords (understanding they may be compromised).
Aiwa Posted April 9, 2014 If your host says you're patched, I'm sure you're patched.
Aussie Cable Posted April 9, 2014
> I asked my web host about this... here was their response. It might be late and I'm not making sense of it... but in the first part they say the current version on their servers is 1.0.1e and vulnerable. Then in the next they say they built an update and installed it on all servers. And then they showed me the timestamp of the build output (but not the actual version)?

I can confirm that my version is (on one of my patched machines):

# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013

and the build date is:

# openssl version -b
built on: Tue Apr 8 02:39:29 UTC 2014

The version is the same as the vulnerability reported, but the build date is the 8th April 2014, which has been patched with the handshake removed from the code by compile-time option: -DOPENSSL_NO_HEARTBEATS. This confirms that the vulnerability has been patched (with the above option enabled). I would suspect if the build date is before 8th April 2014, it will still have the vulnerability; hence your version is patched.
Clover13 Posted April 9, 2014 Thanks! How about how you guys are handling notification to your site membership?
Aussie Cable Posted April 9, 2014
> Thanks! How about how you guys are handling notification to your site membership?

You're welcome :thumbsup: I am not exactly sure what you mean about notifications? Help me understand.
Clover13 Posted April 9, 2014 Do you intend on informing your IPS (or other) site's membership about the exploit and potential for compromise of their passwords and recommend changing them?
Aussie Cable Posted April 9, 2014
> Do you intend on informing your IPS (or other) site's membership about the exploit and potential for compromise of their passwords and recommend changing them?

I do yes.
Grumpy Posted April 9, 2014
> It might be late and I'm not making sense of it... but in the first part they say the current version on their servers is 1.0.1e and vulnerable.

The exact version number on your system kind of depends on the package maintainers. For example, under RHEL, the fix is 1.0.1e-16.el6_5.7. Edit: the vulnerable one was 1.0.1e-16.el6_5.4.
Grumpy Posted April 9, 2014 I can't help but feel quite angry at heartbleed.com. Codenomicon basically made a huge publicity stunt at the cost of potentially compromising millions of servers that are running OpenSSL 1.0.1. And they sell security? I'm clearly never buying from them. They came up with a marketable name like Heartbleed and made a site for a single vulnerability. And then they didn't even bother telling any of the Linux distros that this vulnerability exists. Yet, for some odd reason... they decided to inform Cloudflare and no one else. It's not like the biggest datacenters or cloud services like Amazon came to know this ahead of time. Just Cloudflare. Why? And then they went public with this announcement. And naturally, Cloudflare keys on the opportunity as well, saying how awesome they are for patching things before it went public. Great, now more people know about the vulnerability that no one even had the chance to patch yet. AFTER it went public, Linux distros are in a scurry trying to patch this thing ASAP. Now sysadmins all over the world are in a scurry to patch it. Seriously, WTF. That's NOT how you handle a vulnerability.
Makoto (Author) Posted April 9, 2014 Did they not even inform OpenSSL of the vulnerability? I haven't bothered to read into that aspect at all. I can understand being angry about that though.
Grumpy Posted April 9, 2014 OpenSSL got informed 2 days prior to the announcement. Cloudflare says they were informed a week before. RHEL/CentOS/Debian/etc. weren't informed until after the public announcement. Like on RHEL: -----Reported: 2014-04-07 01:56 EDT----- As soon as OpenSSL made the patch, heartbleed/Cloudflare basically went around saying "look here! a problem! and we're awesome!" Yet, at a stage where you can't even apply it unless you build it yourself. To me, it's an obvious marketing attempt. Like, since when did we even name bugs? Since when do they get websites?
Makoto (Author) Posted April 9, 2014 Yeah, I agree with you. I only threw a link to the website in my post because it seemed to offer the most comprehensive overview of the actual vulnerability at the time. I wasn't aware of all that. I'd edit my post to include a different source on principle if I could, but I can't edit it any more.
Ichirō Posted April 9, 2014 Test your server for vulnerability to CVE-2014-0160 here: http://filippo.io/Heartbleed/
p4guru Posted April 9, 2014 Looks like the OpenSSL folks may be the ones at fault, not Cloudflare: http://www.webhostingtalk.com/showpost.php?p=9076791&postcount=70 ?
Grumpy Posted April 9, 2014
> Looks like the OpenSSL folks may be the ones at fault, not Cloudflare: http://www.webhostingtalk.com/showpost.php?p=9076791&postcount=70 ?

I'm not saying Cloudflare is the problem; it's that they're making a bad situation worse by making their announcement so fast.

> I wasn't aware of all that. I'd edit my post to include a different source on principle if I could, but I can't edit it any more.

Well, it's pretty much the only comprehensive source. That's why it's such great marketing for them.
Dmacleo Posted April 9, 2014
> The exact version number on your system kind of depends on the package maintainers. For example, under RHEL, the fix is 1.0.1e-16.el6_5.7. Edit: the vulnerable one was 1.0.1e-16.el6_5.4.

Yeah, them (and of course CentOS) keeping it as "e" threw me for a moment until I caught the build number.
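The posts above from Aussie Cable, Grumpy and Dmacleo all hit the same point: on Debian and RHEL the upstream version string stays "1.0.1e" after the fix, so `openssl version` alone cannot tell you anything, and the answer has to come from the distribution's package release (deb7u6, el6_5.7) or, failing that, the `openssl version -b` build date. The script below is an added example, not code from the thread or from OpenSSL, that turns those three signals into a verdict. It assumes the fixed package versions quoted in the thread (a constructed lookup table for Debian 7 and RHEL/CentOS 6 only), treats the package comparison as authoritative and the build date as a heuristic, and takes 2014-04-07 (the 1.0.1g release date) as the earliest build that could carry the backported fix.

```python
"""Classify an OpenSSL install against CVE-2014-0160 from `openssl version`,
`openssl version -b` and the distro package version. Added example, not from the thread."""
import re
import subprocess
from datetime import date

# Upstream releases affected by CVE-2014-0160: 1.0.1 through 1.0.1f (as stated in the thread).
AFFECTED_LETTERS = "abcdef"

# Package releases the thread names as fixed. Constructed lookup table; any other
# distribution must be added from that distribution's own advisory.
FIXED_PACKAGES = {
    "debian": "1.0.1e-2+deb7u6",   # Debian 7 (wheezy), from the host's reply
    "rhel": "1.0.1e-16.el6_5.7",   # RHEL/CentOS 6, from Grumpy's post
}

# 1.0.1g, the upstream fix, was released 2014-04-07. A binary built on or after
# that date may carry the backported fix; heuristic only (assumption).
UPSTREAM_FIX_DATE = date(2014, 4, 7)

MONTHS = {name: num for num, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}


def parse_version(line):
    """'OpenSSL 1.0.1e-fips 11 Feb 2013' -> ('1.0.1', 'e'); the letter may be ''."""
    m = re.search(r"OpenSSL\s+(\d+\.\d+\.\d+)([a-z]?)", line)
    if not m:
        raise ValueError("unrecognised `openssl version` output: %r" % line)
    return m.group(1), m.group(2)


def upstream_affected(version_line):
    """True for 1.0.1 with no letter or a letter a..f; 1.0.0, 0.9.8 and 1.0.1g+ are not affected."""
    base, letter = parse_version(version_line)
    return base == "1.0.1" and (letter == "" or letter in AFFECTED_LETTERS)


def parse_build_date(build_line):
    """'built on: Tue Apr  8 10:05:11 UTC 2014' -> date(2014, 4, 8).
    Returns None when the output carries no calendar date (e.g. reproducible builds)."""
    m = re.search(r"built on:\s+\w{3}\s+(\w{3})\s+(\d{1,2})\s+[\d:]+\s+\w+\s+(\d{4})",
                  build_line)
    if not m:
        return None
    return date(int(m.group(3)), MONTHS[m.group(1)], int(m.group(2)))


def release_key(pkg_version):
    """Split '1.0.1e-16.el6_5.7' into comparable chunks. Numbers are tagged 0 and
    words 1 so a mismatched position compares cleanly instead of raising TypeError."""
    return [(0, int(t)) if t.isdigit() else (1, t)
            for t in re.findall(r"\d+|[A-Za-z]+", pkg_version)]


def assess(version_line, build_line=None, package=None, distro=None):
    """Return 'not affected', 'patched', 'vulnerable', 'likely patched',
    'likely vulnerable' or 'unknown'. Package comparison wins over the build-date heuristic."""
    if not upstream_affected(version_line):
        return "not affected"
    if package and distro in FIXED_PACKAGES:
        fixed = release_key(FIXED_PACKAGES[distro])
        return "patched" if release_key(package) >= fixed else "vulnerable"
    if build_line:
        built = parse_build_date(build_line)
        if built is None:
            return "unknown"
        return "likely patched" if built >= UPSTREAM_FIX_DATE else "likely vulnerable"
    return "unknown"


def assess_local():
    """Run both commands on this host; build-date verdict only. Pass the output of
    `dpkg -s openssl` / `rpm -q openssl` to assess() for the definitive answer."""
    ver = subprocess.run(["openssl", "version"], capture_output=True, text=True).stdout
    built = subprocess.run(["openssl", "version", "-b"], capture_output=True, text=True).stdout
    return assess(ver, build_line=built)


if __name__ == "__main__":
    print(assess_local())
```

A "likely patched" from the build date is exactly as strong as Aussie Cable's reasoning: the binary was rebuilt after the fix existed, which is consistent with a backport but does not prove one. Only the package release compared against the distribution advisory (or the changelog shipped with the package) settles it, which is why assess() prefers that path when it is given.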
Aussie Cable Posted April 10, 2014 http://www.bbc.co.uk/news/technology-26954540 Very interesting and scary article if you think about it; thanks very much for sharing :thumbsup: If this is the case and this vulnerability has been put to use for over two years, then we may have a very big problem, and to top that off, identity fraud (or even regular internet banking/eBay/PayPal etc.) would look legit. I think it may be time to go through my own bank statements for the past 2 years. Very scary indeed :cry:
Clover13 Posted April 10, 2014 I've noticed a lot of hacked accounts wind up being Yahoo based... wonder if it was from leveraging this exploit?
Aiwa Posted April 10, 2014 Mashable, or someone, got in contact with some of the major providers and got their feedback about their implementations. http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/