D&C GLug - Home Page

[ Date Index ] [ Thread Index ] [ <= Previous by date / thread ] [ Next by date / thread => ]

Re: [LUG] OpenSSL 1.0.1 "Heartbleed" vulnerability

 

On 08/04/14 14:52, Martijn Grooten wrote:

> Obviously, PFS is a particularly good idea, but isn't that only
> necessary against powerful adversaries? This vulnerability means that
> anyone can potentially steal any information stored in memory on your
> server running OpenSSL.

You're missing the point - by far the biggest issue with this bug is
"OMG the attacker has compromised my cert"... with PFS you don't care,
it was only valid for that session anyway and then it's tossed out. As
compared to a non-PFS SSL/TLS server, when you've scored their cert with
this attack they are well and truly done for.

> Yahoo login details?

Still haven't seen any evidence of this yet, although it's definitely
technically possible. Still relies on battering the vulnerable server,
trying to read random <64k offsets from the TLS linked process and just
hoping you get enough bits to assemble something useful out of it. All
of which without the usual IDS etc stuff any sensible admin (I know, I
know... there aren't many of them out there) would have set up
triggering or the process crashing. PoC or it didn't happen (I do expect
this to turn up before too long, quite possibly on the Rapid7 site as
Metasploit module within 24 hours).

> I don't think the flaw has been widely known for long enough for attacks
> to have been automated. And there are many millions of vulnerable
> servers. So I think it's normal that a few honeypots haven't been
> compromised. And it might take a while. And perhaps they've only
> obtained the private keys and haven't done anything to them.

That's fair enough, although our honeypots are pretty high visibility
and don't seem to have much trouble attracting most other miscreant
attack avenues within days of it being available - this apparently has
been out there for months/years depending on OS and how aggressively it
updates SSL. As honeypots, it's very difficult to do anything on them
without us noticing - they're VM's obviously with all paths in and out
by neccessity travelling over our SDN paths complete with full traffic
sniffing. But still a fair point.

>> One of my friends emailed earlier from the depths of his server room:
>> "Thank god I don't run Linux on any of my machines any more: I'm so glad
>> I switched them all to Windows XP today!"
> 
> :-)

Yeah, I thought that was pretty good too :]

Brilliant timing for all the well-intentioned out there that have been
persuading reluctant hold-outs to upgrade to Linux (much better
security, you'll love it!) from XP... Literally the same day XP retires
the world of *nix cops (another) really bad one.

Tangential, but obviously related:

http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/002_openssl.patch.sig

The OpenBSD guys as usual are largely mitigated against this as they
don't link to libraries in such a random haphazard fashion as Linux
does. From the link:

"Only SSL/TLS services are affected.  Software that uses libcrypto alone
is not affected.  In particular, ssh/sshd are not affected and there
is no need to regenerate SSH host keys that have not otherwise been
exposed."

This made me very happy because I use OpenBSD for all my network
edge/control boxes and a lot of the http serving where possible, so at
least they weren't much of a headache. Theo et al are presumably
gloating somewhere.

Regards

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq