The Heartbleed bug

SYSTEM
Posts: 2041
Joined: Sat Jul 31, 2010 1:19 am
Location: Helsinki, Finland

The Heartbleed bug

#1 Post by SYSTEM »

http://heartbleed.com/

The Heartbleed bug in the very popular OpenSSL crypto library allows an attacker to read memory of a server that uses OpenSSL's TLS or SSL implementation.

Web browsers are not affected because they don't use OpenSSL's TLS/SSL implementations. However, web servers often do, and the Heartbleed bug allows an attacker to get the private key of the server. If the attacker is able to listen to encrypted traffic between you and the server, he/she can decrypt it with the private key. Worse, if he/she has ever been able to listen to encrypted traffic, he/she can now decrypt it retroactively. In other words: this is one of the worst security bugs ever. :cry:
My YouTube channel | Release date of my 13th playlist: August 24, 2020


Midas
Posts: 6705
Joined: Mon Dec 07, 2009 7:09 am
Location: Sol3

Re: The Heartbleed bug

#3 Post by Midas »

:shock: Quick note on scope...
http://heartbleed.com/ author wrote:
    What versions of the OpenSSL are affected?

    Status of different versions:

    • OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
    • OpenSSL 1.0.1g is NOT vulnerable
    • OpenSSL 1.0.0 branch is NOT vulnerable
    • OpenSSL 0.9.8 branch is NOT vulnerable

    Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.
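
The version ranges quoted above, turned into a small checker. This is an added example written for this thread, not code from heartbleed.com or from the OpenSSL project: it parses a bare version string such as "1.0.1f" or the banner that `openssl version` prints ("OpenSSL 1.0.1e 11 Feb 2013") and reports whether it falls inside the vulnerable range. Branches the quoted list does not mention (for example the 1.0.2 betas) are reported as unknown rather than guessed; the type and function names are my own.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Result of checking an OpenSSL version against the ranges quoted in the post. */
typedef enum {
    HB_VERSION_UNKNOWN = -1,   /* unparsable, or a branch the quoted list does not cover */
    HB_NOT_VULNERABLE  =  0,
    HB_VULNERABLE      =  1
} hb_status;

/* Parse "major.minor.patch[letter]" such as "1.0.1f" or "0.9.8y". A trailing
 * " 11 Feb 2013" date or "-fips" suffix is tolerated; anything else is an error.
 * Returns 0 on success, -1 if the string is not an OpenSSL version. */
static int parse_openssl_version(const char *s, int *major, int *minor,
                                 int *patch, char *letter)
{
    int consumed = 0;
    if (sscanf(s, "%d.%d.%d%n", major, minor, patch, &consumed) != 3)
        return -1;
    s += consumed;
    *letter = 0;
    if (islower((unsigned char)*s))
        *letter = *s++;
    if (*s != '\0' && *s != ' ' && *s != '-')
        return -1;
    return 0;
}

/* Classify a bare version ("1.0.1f") or the banner printed by `openssl version`
 * ("OpenSSL 1.0.1e 11 Feb 2013"). */
hb_status heartbleed_status(const char *version)
{
    const char *p = version;
    int major, minor, patch;
    char letter;

    if (strncmp(p, "OpenSSL ", 8) == 0)       /* accept the banner form */
        p += 8;
    if (parse_openssl_version(p, &major, &minor, &patch, &letter) != 0)
        return HB_VERSION_UNKNOWN;

    if (major == 1 && minor == 0 && patch == 1)   /* 1.0.1 branch: 1.0.1 up to 1.0.1f affected */
        return (letter == 0 || letter <= 'f') ? HB_VULNERABLE : HB_NOT_VULNERABLE;
    if (major == 1 && minor == 0 && patch == 0)   /* 1.0.0 branch: not vulnerable */
        return HB_NOT_VULNERABLE;
    if (major == 0 && minor == 9 && patch == 8)   /* 0.9.8 branch: not vulnerable */
        return HB_NOT_VULNERABLE;
    return HB_VERSION_UNKNOWN;                    /* anything else is outside the quoted list */
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = { "OpenSSL 1.0.1e 11 Feb 2013", "1.0.1f", "1.0.1g",
                              "1.0.0l", "0.9.8y", "1.0.2-beta1" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        hb_status st = heartbleed_status(samples[i]);
        printf("%-28s %s\n", samples[i],
               st == HB_VULNERABLE ? "VULNERABLE" :
               st == HB_NOT_VULNERABLE ? "not vulnerable" : "unknown");
    }
    return 0;
}
```

The check is deliberately strict about the letter suffix: "1.0.1" with no letter is the original March 2012 release and is treated as vulnerable, while "1.0.1g" and anything later in that branch is not.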

Craunch
Posts: 54
Joined: Tue Jul 03, 2012 5:27 am
Location: UK

Re: The Heartbleed bug

#4 Post by Craunch »

A major problem is knowing who and what has been using one of the vulnerable versions of OpenSSL. Potentially everyone from your bank to your online password manager such as LastPass and everything from your ISP to your router to your computer to your television could be affected.

Whilst it would seem to be a good idea to change all your passwords immediately, that could well be a pointless gesture until the problem has been corrected at both ends: that is, the devices you use to log in with and the things that you log in to.

One small bit of good news in all this is that SkyNews reports that "Google, Microsoft, Twitter, Facebook and Dropbox are understood to be unaffected". I really wish that list were a lot longer!

joby_toss
Posts: 2970
Joined: Sat Feb 09, 2008 9:57 am
Location: Romania

Re: The Heartbleed bug

#5 Post by joby_toss »

I don't fully understand the implications of this security bug, but I checked all my apps for vulnerable libraries.
This is the resulting list:

Back4sure
HTTrack
KVIrc
PChat
POPPeeper
QupZilla
Trillian
xVideoServiceThief
LibreOffice

Out of all these only POPPeeper gives me the chills as I'm using it daily for checking multiple mail accounts. Should I be worried?

Andrew Lee
Posts: 3048
Joined: Sat Feb 04, 2006 9:19 am

Re: The Heartbleed bug

#6 Post by Andrew Lee »

I think it only affects certain web servers (apache, nginx) with HTTPS enabled. It does not affect web servers that do not have HTTPS enabled. It does not affect SSH. I think there is zero impact at the user app level.

To check if your favorite websites still have this bug, use:

https://lastpass.com/heartbleed/

Basically, the advice is to change your passwords for those websites that might be affected.

The tricky thing is that some apps use HTTPS to access web APIs at the backend, and they may pass along sensitive information through the APIs. In such cases, it would be difficult to identify all those apps (especially mobile apps).

webfork
Posts: 10818
Joined: Wed Apr 11, 2007 8:06 pm
Location: US, Texas

Re: The Heartbleed bug

#7 Post by webfork »

joby wrote: I checked all my apps for vulnerable libraries. This is the resulting list...
As I understand it, the only thing that's vulnerable to the Heartbleed bug is server software since the attack involves sniffing traffic to a server. I'll follow up on this but I think the only entry in our database that needs updating based on this vulnerability is XAMPP, which was just updated:

    What's New in This Release:
    • Updated OpenSSL to 1.0.1g
    • Updated Apache to 2.4.9
    • Updated PHP to 5.4.27
    • phpMyAdmin 4.1.12

http://www.softpedia.com/get/PORTABLE-S ... AMPP.shtml

SYSTEM
Posts: 2041
Joined: Sat Jul 31, 2010 1:19 am
Location: Helsinki, Finland

Re: The Heartbleed bug

#8 Post by SYSTEM »

webfork wrote: I understand it the only thing that's vulnerable to the Heartbleed bug is server software since the attack involves sniffing traffic to a server.
Client software is also vulnerable if it uses OpenSSL's TLS/SSL implementation. In that case the server can send a maliciously crafted heartbeat message to read memory of the client.
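
The point made in this post and in the first one (a crafted heartbeat message lets the peer read memory, and the fix in 1.0.1g is a single bounds check) as an added example, not code from the thread or from OpenSSL itself. The hardened handler below refuses any heartbeat whose declared payload length does not fit inside the record that actually arrived, which is exactly the check the vulnerable versions lacked; the "trusting" handler models the pre-1.0.1g behaviour inside a constructed memory arena so that the demonstration stays within bounds when run. The message layout follows RFC 6520 (type, 2-byte length, payload, 16 bytes of padding) without the surrounding TLS record framing; the zeroed padding, the arena, the SECRET stand-in and all function names are my own assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3      /* 1 byte type + 2 byte big-endian payload_length */
#define HB_PADDING  16     /* minimum padding that must follow the payload */

/* Models the pre-1.0.1g behaviour: the peer-supplied payload_length is trusted and
 * that many bytes are copied from where the payload starts, no matter how long the
 * received record really was. `mem` stands in for the process memory around the
 * record (a constructed arena so the demo itself never reads out of bounds).
 * Returns the number of reply bytes written. */
size_t heartbeat_reply_trusting(const uint8_t *mem, size_t rec_len, uint8_t *out)
{
    (void)rec_len;                                       /* the bug: never consulted */
    size_t payload = ((size_t)mem[1] << 8) | mem[2];
    out[0] = HB_RESPONSE;
    out[1] = mem[1];
    out[2] = mem[2];
    memcpy(out + HB_HEADER, mem + HB_HEADER, payload);   /* over-read when payload > record */
    memset(out + HB_HEADER + payload, 0, HB_PADDING);
    return HB_HEADER + payload + HB_PADDING;
}

/* Hardened handler: discard the message unless header + declared payload + padding
 * fits inside the record that was actually received. Returns the reply length, or 0
 * when the message is silently dropped. */
size_t heartbeat_reply_checked(const uint8_t *rec, size_t rec_len, uint8_t *out)
{
    if (rec_len < HB_HEADER + HB_PADDING) return 0;           /* cannot even hold padding */
    if (rec[0] != HB_REQUEST) return 0;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER + payload + HB_PADDING > rec_len) return 0; /* the check 1.0.1g added */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload);        /* bytes inside the record only */
    memset(out + HB_HEADER + payload, 0, HB_PADDING);         /* real code uses random padding */
    return HB_HEADER + payload + HB_PADDING;
}

/* Constructed arena: a heartbeat carrying the 4-byte payload "ping" plus padding,
 * followed by unrelated data that a correct handler must never echo back. */
#define ARENA_SIZE 96
#define REPLY_SIZE 256
static const char SECRET[] = "hunter2-session-key";   /* constructed stand-in for adjacent data */

/* Fill the arena with a heartbeat whose length field says declared_len; returns the
 * true length of the record on the wire (always 23 bytes here). */
size_t build_arena(uint8_t *mem, uint16_t declared_len)
{
    memset(mem, 0, ARENA_SIZE);
    mem[0] = HB_REQUEST;
    mem[1] = (uint8_t)(declared_len >> 8);
    mem[2] = (uint8_t)declared_len;
    memcpy(mem + HB_HEADER, "ping", 4);
    size_t rec_len = HB_HEADER + 4 + HB_PADDING;
    memcpy(mem + rec_len, SECRET, sizeof SECRET);   /* lives next to, not inside, the record */
    return rec_len;
}

/* Reply length the hardened handler produces for a given declared length (0 = dropped). */
size_t reply_len_checked(uint16_t declared_len)
{
    uint8_t mem[ARENA_SIZE], out[REPLY_SIZE];
    size_t rec_len = build_arena(mem, declared_len);
    return heartbeat_reply_checked(mem, rec_len, out);
}

/* 1 if the trusting handler's reply contains SECRET, 0 if not, -1 if declared_len would
 * take the demonstration itself outside the constructed arena. */
int trusting_reply_leaks(uint16_t declared_len)
{
    uint8_t mem[ARENA_SIZE], out[REPLY_SIZE];
    size_t rec_len = build_arena(mem, declared_len);
    if (HB_HEADER + (size_t)declared_len > ARENA_SIZE) return -1;
    size_t n = heartbeat_reply_trusting(mem, rec_len, out);
    for (size_t i = HB_HEADER; i + strlen(SECRET) <= n; i++)
        if (memcmp(out + i, SECRET, strlen(SECRET)) == 0) return 1;
    return 0;
}

int main(void)
{
    printf("declared 4, checked handler : reply %zu bytes\n", reply_len_checked(4));
    printf("declared 40, checked handler: reply %zu bytes (0 = dropped)\n", reply_len_checked(40));
    printf("declared 40, trusting handler: secret echoed = %d\n", trusting_reply_leaks(40));
    return 0;
}
```

The same check protects both directions: a client that uses OpenSSL runs this handler on heartbeats sent by the server, so the server-to-client case described in the post is caught by the identical comparison.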

webfork
Posts: 10818
Joined: Wed Apr 11, 2007 8:06 pm
Location: US, Texas

Re: The Heartbleed bug

#9 Post by webfork »

SYSTEM wrote:Client software is also vulnerable if it uses OpenSSL's TLS/SSL implementation. In that case the server can send a maliciously crafted heartbeat message to read memory of the client.
Interesting. Well, here's adding to Joby's list. I don't have data on which of these have or have not been updated, just the presence of the OpenSSL library (libeay32.dll):
• 7-PDF Maker
• Actionaz
• Calibre
• Eagleget
• LinkChecker
• MSDOrganizer
• Portable Cobian
• PortableApps Launcher
• VYM
• WackGet
• VideoServiceThief
• Brosix
• EssentialPIM
• PicPick
• PSPad
• Rainlendar
• ResophNotes
• Sylpheed

SYSTEM
Posts: 2041
Joined: Sat Jul 31, 2010 1:19 am
Location: Helsinki, Finland

Re: The Heartbleed bug

#10 Post by SYSTEM »


Midas
Posts: 6705
Joined: Mon Dec 07, 2009 7:09 am
Location: Sol3

Re: The Heartbleed bug

#11 Post by Midas »

SYSTEM wrote: OpenBSD developers forked OpenSSL: http://www.bit-tech.net/news/bits/2014/04/23/libressl/1

webfork
Posts: 10818
Joined: Wed Apr 11, 2007 8:06 pm
Location: US, Texas

Re: The Heartbleed bug

#12 Post by webfork »

In all the news about heartbleed, I was pleased to see this:

"Historically, RHEL (and by definition, CentOS) have been somewhat maligned for using older versions of many packages. You'll find that the kernels and many core service packages are usually a year behind current, though many have backported patches for security issues. This is why RHEL 6.4, released over a year ago in February 2013, shipped an OpenSSL version that was even a year older -- and not vulnerable to Heartbleed."

http://www.infoworld.com/d/data-center/ ... 0?page=0,1

Kudos to Redhat.

Also, for anyone that missed it, there's a plan to do two things I'm really in favor of: fund open source infrastructure projects and help projects everyone really relies on get plenty of attention (CII).

I am Baas
Posts: 4150
Joined: Thu Aug 07, 2008 4:51 am

Re: The Heartbleed bug

#13 Post by I am Baas »

Heartbleed Scanner: "easily scan your Intranet SSL websites, OpenSSL VPNs, Secure FTP servers, Databases, Secure SMTP/POP/IMAP email servers, routers, printers, phones, and anything else that may have been compiled with OpenSSL 1.0.1-1.0.1f."
http://www.crowdstrike.com/blog/new-com ... index.html

Dl @ http://download.crowdstrike.com/heartbl ... canner.zip
