
Re: [LUG] OpenSSL 1.0.1 "Heartbleed" vulnerability

 

On 08/04/14 16:18, Martijn Grooten wrote:

> Not sure how much more evidence you want than the screenshot in the
> Fox-IT blog post. Others have reported the same. It's probably harder if
> you are looking for specific data, but still. A lot of very bad things
> can be done with random secret data.

Gah... that was entirely my fault: between noscript and request-policy,
I hadn't seen it (it wasn't loading) on the page. Had to enable some
blogger* cross domain requests and up it popped. Sorry about that.

> "Updated my post to include info about sbrk and mmap. I'm no longer
> skeptical about #Heartbleed sec key leakage. It could happen! Update!"

Oh dear, I hadn't seen that either. Fair enough, I think you've
convinced me that my earlier self-assurance about reasonable doubt for
extraordinary claims was a bit too optimistic after all. I've done most
of the work and mitigation already but am going to have to stay right on
my toes for the next few days, and probably then some, looking for
issues. As you've said, swiping more arbitrary data from affected
servers is looking more and more reliable. I'd still like someone
*really* in a position to know to clarify to the world exactly which
subsystems on which versions of which OS are vulnerable - we know
OpenBSD SSH doesn't link against OpenSSL so is safe, but ldd and strings
on various linux distros against SSH components is much less clear.

For the moment there's not a lot I can do about it as there's no rest
for the wicked: 10 minutes into my nap I was woken up and reminded that
it's now Patch Tuesday and I have a bunch of Windows boxes to worry
about instead.

What a day.

Regards

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
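The post above asks how to tell which SSH and other components on a Linux box actually pull in OpenSSL, and mentions using ldd and strings for that. The following POSIX sh helpers are an added example, not code from the list post or from the OpenSSL or OpenSSH projects: one classifies an `openssl version` string against the Heartbleed-affected range (1.0.1 through 1.0.1f and 1.0.2-beta1; 1.0.1g is the fixed release), one picks libssl/libcrypto out of ldd output, and one picks embedded "OpenSSL x.y.z" version strings out of `strings` output for statically linked or bundled copies. The sample ldd and strings output is constructed inline so the functions can be exercised offline; the wrappers that run the real tools take a binary path.

```shell
#!/bin/sh
# Added example (not from the list post): triage helpers for the Heartbleed window.
# Caveat: distributions commonly backport the fix without changing the upstream
# version string, so a "vulnerable" classification here means "check the package
# changelog and build date (openssl version -b)", not "definitely exploitable".
# Also remember that a patched library only helps once every process that loaded
# the old one has been restarted.

# is_heartbleed_version "OpenSSL 1.0.1e 11 Feb 2013" -> returns 0 if the release
# is in the affected range (1.0.1 .. 1.0.1f, 1.0.2-beta1), 1 otherwise.
is_heartbleed_version() {
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    case "$ver" in
        1.0.1|1.0.1[a-f]) return 0 ;;
        1.0.2-beta1)      return 0 ;;
        *)                return 1 ;;
    esac
}

# scan_ldd_output: reads ldd output on stdin, prints the libssl/libcrypto lines.
# Exit status is grep's: 0 if the binary dynamically links OpenSSL, 1 if not.
scan_ldd_output() {
    grep -E 'lib(ssl|crypto)\.so'
}

# links_openssl /usr/sbin/sshd -> wrapper that runs ldd on a real binary.
links_openssl() {
    ldd "$1" 2>/dev/null | scan_ldd_output
}

# scan_embedded_versions: reads `strings` output on stdin and prints any embedded
# "OpenSSL <version> <date>" banners, which catch statically linked or bundled copies
# that ldd will never show.
scan_embedded_versions() {
    grep -E '^OpenSSL [0-9]+\.[0-9]+\.[0-9]+'
}

# embedded_openssl_versions /path/to/binary -> wrapper around strings.
embedded_openssl_versions() {
    strings "$1" 2>/dev/null | scan_embedded_versions
}

# report_binary /usr/sbin/sshd: one-line verdict per binary, combining both checks.
report_binary() {
    bin=$1
    if links_openssl "$bin" >/dev/null; then
        printf '%s: dynamically links OpenSSL (check the installed libssl package)\n' "$bin"
    fi
    embedded_openssl_versions "$bin" | while IFS= read -r banner; do
        if is_heartbleed_version "$banner"; then
            printf '%s: embedded %s (in affected range)\n' "$bin" "$banner"
        else
            printf '%s: embedded %s (outside affected range)\n' "$bin" "$banner"
        fi
    done
}

# Constructed sample output (not captured from any real host) so the parsers
# can be checked without ldd/strings being available.
SAMPLE_LDD_SSL='	linux-vdso.so.1 (0x00007ffd1c3f0000)
	libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f2f0a000000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2f09c00000)'
SAMPLE_LDD_NOSSL='	linux-vdso.so.1 (0x00007ffd1c3f0000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2f09c00000)'
SAMPLE_STRINGS='_init
OpenSSL 1.0.1e 11 Feb 2013
OpenSSLDie
GCC: (Debian 4.7.2-5) 4.7.2'

# Usage on a live box (uncomment): for b in /usr/sbin/sshd /usr/bin/ssh; do report_binary "$b"; done
```

Run `report_binary` over the daemons you care about (sshd, the web server, mail and VPN daemons), then treat any hit as a prompt to check the distribution's package changelog rather than as a final verdict.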