Trivial to exploit, does not require attacker to be in the middle,
dump raw memory from a remote server, not detectable at the SSL server
level (but can be detected by Snort now):
http://vrt-blog.snort.org/2014/04/heartbleed-memory-disclosure-upgrade.html
For a lot of folks, since the OpenSSL that comes with your base OS is
often pretty entwined in stuff and harder to upgrade, being older
(before March 2012) might be a blessing.
I believe that the Ubuntu and/or Debian patches simply disable support
for heartbeat, which I've heard may affect SChannel-using Win32 users,
so take that with a grain of salt.
And the bug was introduced in 1.0.1 in March 2012. It's hard to say
who else knew about it, for how long.
Here's the CVE:
http://www.us-cert.gov/ncas/alerts/TA14-098A
... and this StackExchange thread has some good info:
One of the original researchers says that it's unlikely that private
keys would be disclosed, but I would err on the side of caution.
After it's patched, I would change passwords, reissue certs, terminate
any existing sessions, etc.
Really, really bad.
On Tue, Apr 8, 2014 at 1:31 PM, Leif Sawyer <lsawyer@gci.com> wrote:
> I hope everybody is busy using
>
> http://filippo.io/Heartbleed/
>
> or
>
> https://www.ssllabs.com/ssltest/index.html
>
>
> to scan their (https-enabled) websites for vulnerability to the Heartbleed SSL risk.
>
>
> It's amazing what you find when you scan local provider websites...
>
> acs
> mta
> gci
>
> interesting....
>
> ---------
> To unsubscribe, send email to <aklug-request@aklug.org>
> with 'unsubscribe' in the message body.
>
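The reply above notes that Heartbleed is invisible at the SSL server level but detectable on the wire (the linked Snort VRT post). The check a network sensor can make on a plaintext heartbeat is the same one the OpenSSL fix makes: the record must actually carry the payload length it declares plus the 16 bytes of minimum padding. The following is an added example, not code from this email thread, from Snort, or from OpenSSL; the record layout comes from RFC 6520, and all function names and the sample records are constructed here for illustration.

```python
import struct

TLS_HEARTBEAT = 24          # TLS content type for heartbeat records (RFC 6520)
TLS_HANDSHAKE = 22
HB_REQUEST, HB_RESPONSE = 1, 2
HB_MIN_PADDING = 16         # RFC 6520: at least 16 bytes of random padding


def iter_tls_records(data):
    """Yield (content_type, version, fragment) for each TLS record in a byte stream."""
    off = 0
    while off + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[off:off + 5])
        fragment = data[off + 5:off + 5 + length]
        yield ctype, version, fragment
        off += 5 + length


def check_heartbeat(fragment):
    """Classify one plaintext heartbeat fragment.

    Returns (verdict, declared_payload_len, actual_fragment_len).
    The decisive test mirrors the patched OpenSSL bounds check:
    type(1) + length(2) + declared payload + 16 bytes padding must fit
    inside the record that was actually received.
    """
    if len(fragment) < 3:
        return "truncated", None, len(fragment)
    hb_type, declared = struct.unpack("!BH", fragment[:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return "unknown-type", declared, len(fragment)
    if 1 + 2 + declared + HB_MIN_PADDING > len(fragment):
        # Record claims more payload than it carries: a vulnerable peer
        # would answer with memory beyond the real payload.
        return "length-mismatch", declared, len(fragment)
    return "ok", declared, len(fragment)


def scan_stream(data):
    """Run the heartbeat check over every heartbeat record in a stream.

    Returns a list of (record_index, verdict, declared_len, actual_len).
    """
    findings = []
    for idx, (ctype, _version, fragment) in enumerate(iter_tls_records(data)):
        if ctype != TLS_HEARTBEAT:
            continue
        verdict, declared, actual = check_heartbeat(fragment)
        findings.append((idx, verdict, declared, actual))
    return findings


def tls_record(ctype, fragment, version=0x0302):
    """Build a TLS record header (type, version, length) around a fragment."""
    return struct.pack("!BHH", ctype, version, len(fragment)) + fragment


# Constructed sample stream: a handshake record (ignored), a well-formed
# heartbeat carrying a 4-byte payload plus 16 bytes padding, and a heartbeat
# that declares 64 bytes of payload while carrying only 4 and no padding.
HANDSHAKE = tls_record(TLS_HANDSHAKE, b"\x01\x00\x00\x05" + b"\x03\x02\x00\x00\x00")
BENIGN_HB = tls_record(TLS_HEARTBEAT,
                       struct.pack("!BH", HB_REQUEST, 4) + b"ping" + b"\x00" * 16)
MISMATCH_HB = tls_record(TLS_HEARTBEAT,
                         struct.pack("!BH", HB_REQUEST, 64) + b"ping")
SAMPLE_STREAM = HANDSHAKE + BENIGN_HB + MISMATCH_HB

if __name__ == "__main__":
    for idx, verdict, declared, actual in scan_stream(SAMPLE_STREAM):
        print(f"record {idx}: {verdict} (declared={declared}, fragment={actual} bytes)")
```

The check only works on heartbeats the sensor can read in clear, i.e. those sent before the handshake completes; once the record layer is encrypted the declared length is not visible to a passive observer, which is why patching the library, rather than relying on a signature, is the actual fix the reply recommends.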
Received on Tue Apr 8 14:04:29 2014