08-04-2014, 08:38 #1
OpenSSL 'Heartbleed' critical vulnerability affecting 70% of the Internet
OpenSSL 'Heartbleed' vulnerability lets attackers spy on secure Web traffic
A serious flaw in the implementation of OpenSSL, a fundamental security measure used by millions of websites, could expose sensitive information to attackers, including private messages, login credentials and credit card details. The vulnerability, officially tagged CVE-2014-0160 but also known as "Heartbleed", potentially allows attackers to retrieve entire OpenSSL decryption keys from an affected server, allowing them to decrypt secure communications without leaving any sign of brute-force intrusion.
In addition to stealing names, passwords, and message contents, attackers could also disguise themselves as legitimate users, thus eavesdropping and stealing all data flowing in and out of a vulnerable service.
The flaw is not in the encryption method itself, but rather in the way the OpenSSL implementation manages memory. If an attacker sends a deliberately malformed request to the server, it automatically responds with up to 64kB of data that might contain sensitive information.
The problem was known internally and a fix was being prepared, but security firm CloudFlare published information about it before the fix was ready for general release, in an attempt to promote a fix for their own OpenSSL implementation. Web administrators who rely on OpenSSL might not have time to apply the fix before attackers decide to put the flaw into practice.
OpenSSL versions 1.01 and 1.02 beta are affected. Administrators running 1.01f or earlier are advised to upgrade to 1.01g. A 1.02 beta 2 release will fix the vulnerability in the beta channel, when it is released. Security firm Codenomicon estimates that at least 66 percent of active sites on the Internet could be affected, in addition to a massive number of email, instant message, virtual private network and various other services.
There is no known evidence of a successful attack on any person or organisation due to the Heartbleed vulnerability.
08-04-2014, 08:40 #2
Researchers have discovered an extremely dangerous bug in the cryptographic software library used by about two thirds of the world’s web servers. The bug allows anyone who wants to exploit this security crack to gain access to passwords, financial data, and anything else that may be hidden behind encryption.
The bug in OpenSSL could also expose the cryptographic keys and private communications for a lot of important sites and services on the Internet. It is advisable that if you’re running a server with OpenSSL 1.0.1 through 1.0.1f to update to OpenSSL 1.0.1g immediately, as the fix has already been completed.
While versions of OpenSSL prior to version 1.0.1. are unaffected, the bug has still been around for about two years before being discovered, more specifically since March 2012.
The bug is officially being referred to as CVE-2014-0160, but has been named Heartbleed because it is located in the OpenSSL's implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension.
Heartbleed Bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL without ever leaving a trace on the servers.
“We have tested some of our own services from attacker's perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication,” reads a website dedicated to the bug.
Considering the long exposure and the ease of exploitation, as well as the fact that no one has any idea if there have been any attacks due to the fact that there are no traces to be left, this bug becomes an extremely dangerous one.
While other bugs have been fixed by various updates, this one has remained undetected until Neel Mehta from Google Security discovered it, along with security firm Codenomicon.
A patch for the bug has already been made available, but many users of the protocol may take a while before rolling it out, leaving users exposed. If hackers did not know about the issues beforehand, they certainly do now.
“OpenSSL is the most popular open source cryptographic library and TLS (transport layer security) implementation used to encrypt traffic on the Internet. Your popular social site, your company's site, commerce site, hobby site, site you install software from or even sites run by your government might be using vulnerable OpenSSL. Many online services use TLS both to identify themselves to you and to protect your privacy and transactions. You might have networked appliances with logins secured by this buggy implementation of the TLS. Furthermore you might have client side software on your computer that could expose the data from your computer if you connect to compromised services,” the team warns.
In fact, since most notable pieces of software using OpenSSL are the open source web servers such as Apache or nginx, which have a market share of 66 percent of all active sites on the Internet, this is perhaps one of the most widespread bugs affecting security at such a level.
08-04-2014, 08:42 #3
'Heartbleed' bug in OpenSSL puts encrypted communications at risk
Computer security experts are advising administrators to patch a severe flaw in a software library used by millions of websites to encrypt sensitive communications.
The flaw, nicknamed “Heartbleed,” is contained in several versions of OpenSSL, a cryptographic library that enables SSL (Secure Sockets Layer) or TLS (Transport Security Layer) encryption. Most websites use either SSL or TLS, which is indicated in browsers with a padlock symbol.
The flaw, which was introduced in December 2011, has been fixed in OpenSSL 1.0.1g, which was released on Monday.
The vulnerable versions of OpenSSL are 1.0.1 through 1.0.1f with two exceptions: OpenSSL 1.0.0 branch and 0.9.8, according to a special website set up by researchers who found the problem.
If exploited, the flaw could allow attackers to monitor all information passed between a user and a Web service or even decrypt past traffic they’ve collected.
“This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users,” the researchers wrote.
The bug was discovered by three researchers from Codenomicon, a computer security company, and Neel Mehta, who works on security for Google.
The scope of the problem is vast, as many modern operating systems are suspected as having an affected OpenSSL version.
Operating systems that may have a vulnerable version of OpenSSL include Debian Wheezy, Ubuntu 12.04.4 LTS, CentOS 6.5, Fedora 18, OpenBSD 5.3, FreeBSD 8.4, NetBSD 5.0.2 and OpenSUSE 12.2, they wrote.
The “oldstable” versions of Debian Squeeze and Suse Linux Enterprise Server are not vulnerable.
OpenSSL also underpins two of the most widely used Web servers, Apache and nginx. The code library is also used to protect email servers, chat servers, virtual private networks and other networking appliances, they wrote.
The problem, CVE-2014-0160, is a missing bounds check in the handling of the TLS heartbeat extension, which can then be used to view 64K of memory on a connected server, according to another advisory.
It allows attackers to obtain the private keys used to encrypt traffic. With those keys, it is also possible for attackers to decrypt traffic they’ve collected in the past.
The attackers can only access 64K of memory during one iteration of the attack, but the attackers can “keep reconnecting or during an active TLS connection keep requesting arbitrary number of 64 kilobyte chunks of memory content until enough secrets are revealed,” according to the website.
It’s unclear if attackers have been exploiting the flaw over the last two years, which was just publicly revealed on Monday. But attacks using the flaw “leaves no traces of anything abnormal happening to the logs,” the researchers wrote.
Administrators are advised to apply the up-to-date version of SSL, revoke any compromised keys and reissue new keys.
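The missing bounds check described in post #3 (a length field in the heartbeat request that the server trusts instead of comparing it with the number of bytes actually received) is easier to see in code. What follows is an added illustration, not OpenSSL's source and not code from any post in this thread: a toy heartbeat handler in its unchecked and checked forms, plus a small harness that uses a constructed 64-byte arena and a constructed marker string standing in for whatever happened to sit in process memory after the request. All names (hb_respond_unchecked, hb_respond_checked, handler_leaks_leftover, the HB_* constants) are this example's own.

```c
#include <stddef.h>
#include <string.h>

/* Toy model of a TLS heartbeat message (RFC 6520), added to illustrate the
 * missing bounds check behind CVE-2014-0160. This is not OpenSSL's code.
 *   byte 0     : type (1 = heartbeat_request, 2 = heartbeat_response)
 *   bytes 1..2 : payload_length, big-endian, chosen by the sender
 *   next       : payload_length bytes of payload
 *   next       : at least 16 bytes of padding
 */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_HDR_LEN   3
#define HB_MIN_PAD   16
#define HB_MAX_RESP  (HB_HDR_LEN + 65535 + HB_MIN_PAD)

/* Model of the unpatched logic: reads payload_length from the message and
 * copies that many bytes, never comparing it with rec_len, the number of
 * bytes actually received. Whatever follows the record in memory is echoed
 * back to the peer. */
size_t hb_respond_unchecked(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap)
{
    (void)rec_len;                                  /* the bug: never consulted */
    if (out_cap < HB_MAX_RESP || rec[0] != HB_REQUEST) return 0;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR_LEN, rec + HB_HDR_LEN, payload_len);   /* over-read */
    memset(out + HB_HDR_LEN + payload_len, 0, HB_MIN_PAD);
    return HB_HDR_LEN + payload_len + HB_MIN_PAD;
}

/* Patched logic: the declared payload_length must fit inside the bytes
 * received, together with the header and minimum padding; otherwise the
 * message is discarded and no response is sent. */
size_t hb_respond_checked(const unsigned char *rec, size_t rec_len,
                          unsigned char *out, size_t out_cap)
{
    if (out_cap < HB_MAX_RESP) return 0;
    if (rec_len < HB_HDR_LEN + HB_MIN_PAD) return 0; /* cannot hold header + padding */
    if (rec[0] != HB_REQUEST) return 0;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HDR_LEN + payload_len + HB_MIN_PAD > rec_len) return 0; /* the missing check */
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR_LEN, rec + HB_HDR_LEN, payload_len);
    memset(out + HB_HDR_LEN + payload_len, 0, HB_MIN_PAD);
    return HB_HDR_LEN + payload_len + HB_MIN_PAD;
}

/* Demonstration harness. A 64-byte arena stands in for process memory: a
 * 21-byte heartbeat request claiming a 40-byte payload sits at the start,
 * and a constructed marker string follows it, as leftover data would. The
 * over-read stays inside the arena, so the demo itself is well defined. */
typedef size_t (*hb_handler)(const unsigned char *, size_t,
                             unsigned char *, size_t);

static const char LEFTOVER[] = "SECRET-KEY-MATERIAL";   /* constructed marker */

static int response_contains(const unsigned char *buf, size_t len,
                             const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, needle, n) == 0) return 1;
    return 0;
}

/* Returns 1 if the handler's response echoes the leftover marker, 0 if it
 * does not (or if the handler refused to answer at all). */
int handler_leaks_leftover(hb_handler handler)
{
    unsigned char arena[64];
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = 0x00; arena[2] = 0x28;                    /* claims 40 bytes */
    memcpy(arena + 3, "hi", 2);                          /* real payload: 2 bytes */
    memset(arena + 5, 'P', HB_MIN_PAD);                  /* padding */
    size_t rec_len = HB_HDR_LEN + 2 + HB_MIN_PAD;        /* 21 bytes on the wire */
    memcpy(arena + rec_len, LEFTOVER, strlen(LEFTOVER)); /* data past the record */

    static unsigned char out[HB_MAX_RESP];
    size_t n = handler(arena, rec_len, out, sizeof out);
    return n > 0 && response_contains(out, n, LEFTOVER);
}

/* A well-formed request (declared length matches the bytes sent) is still
 * answered by the checked handler; returns the response length (21). */
size_t checked_response_len_for_valid_request(void)
{
    unsigned char rec[HB_HDR_LEN + 2 + HB_MIN_PAD];
    rec[0] = HB_REQUEST; rec[1] = 0x00; rec[2] = 0x02;
    memcpy(rec + 3, "hi", 2);
    memset(rec + 5, 'P', HB_MIN_PAD);
    static unsigned char out[HB_MAX_RESP];
    return hb_respond_checked(rec, sizeof rec, out, sizeof out);
}
```

The arena keeps the over-read inside memory the demo owns, which is what makes the run well defined; in a real process the copied bytes are whatever lay past the record, which is why the fix simply drops any heartbeat whose declared length exceeds the record, and why patching alone cannot undo reads that may already have happened: the new keys and reissued certificates recommended later in this thread are still needed.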
08-04-2014, 09:43 #4
The Heartbleed Bug
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users.
What leaks in practice?
We have tested some of our own services from attacker's perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.
More information: http://heartbleed.com/
Last edited by 5ms; 08-04-2014 at 09:54.
08-04-2014, 09:57 #5
08-04-2014, 10:04 #6
Debian has already released it.
A provider sent me the WHT link. There should be information there.
Forum Thread with more details : http://www.webhostingtalk.com/showthread.php?t=1364373
Last edited by 5ms; 08-04-2014 at 10:06.
08-04-2014, 13:26 #7
I managed to update some servers running CentOS and others running CloudLinux to version "openssl.x86_64 0:1.0.1e-16.el6_5.7" with yum.
08-04-2014, 19:44 #8
09-04-2014, 00:35 #9
Last night news about a remote OpenSSL bug was disclosed on http://heartbleed.com/ which detailed out an exploit in the OpenSSL system library that handles HTTPS connections on your server. This bug impacts CentOS 6.x servers and any server with Litespeed prior to 4.2.9. A fix was issued by the CentOS maintainers which patched this issue last night. Litespeed has also patched this with version 4.2.9. All CentOS 6 servers that do not have any added third party yum repositories, along with cPanel/WHM updates turned on, should have auto updated over the course of last night and this morning. We are now pushing out the Litespeed upgrade to all affected customers. This means that your server should already be patched with the fix that prevents this issue moving forward. Our support team has been working hard today to ensure that all CentOS 6 servers have been updated with this patch.
Further steps to be done by you:
Due to the nature of this exploit, it could have allowed a third party to remotely read SSL private key data off of your server prior to this patch being applied. This means that if you are on a CentOS 6 based server or Litespeed server and you have SSL certs installed on your domains, you should regenerate your SSL certificate's private key and CSR and have your SSL cert reissued by your SSL provider. WiredTree does not have any method to tell you if your server was exploited and if your SSL private key data was compromised, so regenerating your SSL certs is something that we highly advise.
Steps for Regenerating SSL Keys and CSRs:
You can log into your WHM and remove the SSL CSR, Public Key, and Private key from Home >> SSL/TLS >> SSL Storage Manager for each domain you want to regenerate. Once that is done, you will want to go to Home >> SSL/TLS >> Generate an SSL Certificate and Signing Request and remake brand new SSL CSR, Self Signed Public Key, and Private keys for your domain. Once that is done you will take your new SSL CSR to your SSL signing company and reissue your Signed SSL Public Key to match your new SSL Private Key. From there, you can install the SSL cert under Home >> SSL/TLS >> Install an SSL Certificate on a Domain.
Steps for Resetting your WHM, cPanel, Exim, FTP and Webmail SSL certs:
Log into the WHM and then go to Home >> Service Configuration >> Manage Service SSL Certificates. Click Reset Certificate for each service to reissue a self signed SSL cert. If you have a Signed SSL cert for your server's hostname you will want to follow the steps above for deleting the SSL CSR, Public Key, and Private key from Home >> SSL/TLS >> SSL Storage Manager and recreate a new SSL CSR to have resigned by your SSL provider.
Again, this is for customers that have CentOS 6 based servers, not CentOS 5 as it is not impacted by this issue. If you have Litespeed this does affect CentOS 5 and 6. If you want to be 100% sure that your SSL Cert is not compromised we urge all clients with CentOS 6 servers or Litespeed to reissue their SSL certs with new key data with the steps above to be sure that they are not impacted by this exploit down the road.
If you have any questions about this process, please open a support ticket in Grove and we would be glad to assist you. Please keep in mind that support response times for these specific requests may take longer due to the amount of ticket volume generated by this issue. We will be working as fast as possible to help you with your questions and issues surrounding this issue.
09-04-2014, 00:43 #10
This issue did not affect the versions of openssl as shipped with Red Hat Enterprise Linux 5 and Red Hat Enterprise Linux 6.4 and earlier. This issue does affect Red Hat Enterprise Linux 6.5, which provided openssl 1.0.1e.
So it is 6.5 and up.