Author Topic: Heartbleed Bug  (Read 8777 times)

Offline WORM.

  • Newbie
  • Posts: 29
  • Take it easy, man
Heartbleed Bug
« on: April 08, 2014, 09:26:57 AM »
http://heartbleed.com

Basically... if you use TLS on OpenSSL (HTTPS web servers; services running TLS-enabled daemons like SMTP/POP/IMAP), you most likely have to think about doing some necessary patching and key regeneration.

Blame NSA  ::)

Offline VaeVictis

  • i was -1 because you fucking suck
  • Brobdingnagian Member
  • Posts: 4498
Re: Heartbleed Bug
« Reply #1 on: April 08, 2014, 07:03:56 PM »
Only a problem for certain versions of OpenSSL.

You can see the NVD entry here: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160

Only affects 1.0.1 through 1.0.1f.

Upstream patches for enterprise-grade Linux repositories should be out shortly (if not already), and rolled downstream accordingly (Red Hat -> CentOS -> etc.).

The patch is already out if you want to compile from source.


It is quite nasty though, and if I were running any SSL setups myself I would go through and generate a new key/cert combo immediately :) Companies like Thawte and Comodo are probably getting hammered right now with requests.

And if you don't have the time to patch right now, you should close all SSL ports (443, 995, 993, 465, etc.).
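An added example, not code from the post above or from the NVD entry: a Python check that classifies the output of `openssl version -a` against the range given in the reply. It assumes the affected list from the OpenSSL advisory of 7 April 2014 (1.0.1 through 1.0.1f, plus 1.0.2-beta1) and that the fixed 1.0.1g shipped on that date. The build date matters because enterprise distributions such as Red Hat backport the fix without changing the version string, so a box that reports 1.0.1e may already be patched; the version line alone cannot tell you, and the package changelog is the final word.

```python
import re
from datetime import date
from typing import Optional

# Releases listed as affected in the OpenSSL advisory of 7 April 2014
# (assumption stated in the lead-in): 1.0.1 through 1.0.1f, and 1.0.2-beta1.
FIX_DATE = date(2014, 4, 7)          # day the fixed 1.0.1g was released

NOT_AFFECTED = "not affected"
VULNERABLE = "vulnerable"
BACKPORT_LIKELY = "affected version string, but built after the fix: check the package changelog"
UNKNOWN_BUILD = "affected version string, no build date: treat as vulnerable"

_VERSION = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)(-beta\d+)?", re.I)
# Matches e.g. "built on: Tue Apr  8 02:39:29 UTC 2014" (weekday and zone optional)
_BUILT = re.compile(
    r"built on:\s*(?:[A-Za-z]{3}\s+)?([A-Za-z]{3})\s+(\d{1,2})\s+"
    r"\d{2}:\d{2}:\d{2}\s+(?:[A-Za-z]+\s+)?(\d{4})")
_MONTHS = {m: i for i, m in enumerate(
    ["jan", "feb", "mar", "apr", "may", "jun", "jul", "aug", "sep", "oct", "nov", "dec"], 1)}


def version_in_affected_range(version_line: str) -> bool:
    """True if the version string falls in the advisory's affected list."""
    m = _VERSION.search(version_line)
    if not m:
        raise ValueError("no OpenSSL version string found")
    release = tuple(int(x) for x in m.group(1, 2, 3))
    letter, beta = m.group(4).lower(), (m.group(5) or "").lower()
    if release == (1, 0, 1) and not beta:
        return letter <= "f"             # "" (plain 1.0.1) sorts before "a"
    return release == (1, 0, 2) and beta == "-beta1"


def build_date(version_output: str) -> Optional[date]:
    """Date from the 'built on:' line of `openssl version -a`, if present."""
    m = _BUILT.search(version_output)
    if not m:
        return None
    return date(int(m.group(3)), _MONTHS[m.group(1).lower()], int(m.group(2)))


def assess(version_output: str) -> str:
    """Classify the full text of `openssl version -a`: the version line first,
    then the build date, since distros backport the fix under the old version."""
    if not version_in_affected_range(version_output):
        return NOT_AFFECTED
    built = build_date(version_output)
    if built is None:
        return UNKNOWN_BUILD
    return BACKPORT_LIKELY if built >= FIX_DATE else VULNERABLE


if __name__ == "__main__":
    import subprocess
    out = subprocess.run(["openssl", "version", "-a"], capture_output=True, text=True).stdout
    print(out.splitlines()[0], "->", assess(out))
```

Run it on each host; a `vulnerable` verdict means patch now, and even a `backport` verdict only earns a pass once the distribution's changelog names CVE-2014-0160.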

Offline yahoo

  • Opulent Member
  • Posts: 2291
Re: Heartbleed Bug
« Reply #2 on: April 08, 2014, 11:58:55 PM »
Quote from: VaeVictis
Only a problem for certain versions of OpenSSL.

You can see the NVD entry here: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160

Only affects 1.0.1 through 1.0.1f.

Upstream patches for enterprise-grade Linux repositories should be out shortly (if not already), and rolled downstream accordingly (Red Hat -> CentOS -> etc.).

The patch is already out if you want to compile from source.


It is quite nasty though, and if I were running any SSL setups myself I would go through and generate a new key/cert combo immediately :) Companies like Thawte and Comodo are probably getting hammered right now with requests.

And if you don't have the time to patch right now, you should close all SSL ports (443, 995, 993, 465, etc.).

And now the media is hyping it.

http://time.com/55037/heartbleed-internet-security-encryption-risk/
Quake II | Powered by SMF 1.0.9.
© 2001-2005, Lewis Media. All Rights Reserved.

Offline VaeVictis

  • i was -1 because you fucking suck
  • Brobdingnagian Member
  • Posts: 4498
Re: Heartbleed Bug
« Reply #3 on: April 09, 2014, 01:00:56 AM »
Quote from: yahoo
Quote from: VaeVictis
Only a problem for certain versions of OpenSSL.

You can see the NVD entry here: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160

Only affects 1.0.1 through 1.0.1f.

Upstream patches for enterprise-grade Linux repositories should be out shortly (if not already), and rolled downstream accordingly (Red Hat -> CentOS -> etc.).

The patch is already out if you want to compile from source.


It is quite nasty though, and if I were running any SSL setups myself I would go through and generate a new key/cert combo immediately :) Companies like Thawte and Comodo are probably getting hammered right now with requests.

And if you don't have the time to patch right now, you should close all SSL ports (443, 995, 993, 465, etc.).

And now the media is hyping it.

http://time.com/55037/heartbleed-internet-security-encryption-risk/

Oh, don't get me wrong, this is HORRIBLE.

But just because a vulnerability exists doesn't mean it was exploited by everyone all the time... I see vulnerable versions of PHP, Apache, and site software up on web servers all the time, on sizable websites that haven't been cracked into yet, so that old wise tail of "I put this server on the internet, and it was compromised within seconds!" is pretty much a lie.

Personally, if I were a less responsible person I would have taken work off and set up a harvester to try and dump memory from as many HTTPS sites as I possibly could, because most of them likely won't change their private key even if they do generate a new certificate.

The phrase "internet security" has been and always will be a contradictory joke.
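A worked example added here, not from any poster: what "generate a new key/cert combo" (Reply #1) has to mean in practice, and a check for the failure mode the reply above describes, a new certificate issued on the same private key. It shells out to the openssl CLI (assumed to be on PATH), uses the hypothetical host name www.example.test, and compares SHA-256 fingerprints of the SubjectPublicKeyInfo, which is identical for a private key and every certificate issued on it, so a matching fingerprint proves the key was never rotated.

```python
import hashlib
import shutil
import subprocess
import tempfile
from typing import Dict

SUBJECT = "/CN=www.example.test"   # hypothetical host name for the constructed scenario


def openssl_available() -> bool:
    return shutil.which("openssl") is not None


def openssl(*args: str, cwd: str, stdin: bytes = b"") -> bytes:
    """Run one openssl subcommand inside cwd and return its stdout."""
    return subprocess.run(["openssl", *args], cwd=cwd, input=stdin,
                          check=True, capture_output=True).stdout


def spki_fingerprint(path: str, cwd: str) -> str:
    """SHA-256 of the DER SubjectPublicKeyInfo taken from a certificate (.crt)
    or a private key (.key). A cert and a key share it exactly when they share a key pair."""
    if path.endswith(".crt"):
        pub_pem = openssl("x509", "-in", path, "-pubkey", "-noout", cwd=cwd)
    else:
        pub_pem = openssl("pkey", "-in", path, "-pubout", cwd=cwd)
    der = openssl("pkey", "-pubin", "-outform", "DER", cwd=cwd, stdin=pub_pem)
    return hashlib.sha256(der).hexdigest()


def key_rotated(cert_path: str, key_path: str, cwd: str) -> bool:
    """True only if the key pair behind cert_path differs from the one in key_path."""
    return spki_fingerprint(cert_path, cwd) != spki_fingerprint(key_path, cwd)


def rotate(cwd: str, subject: str = SUBJECT) -> None:
    """The right response: a fresh key pair and a CSR for the CA; old.key is never reused."""
    openssl("genpkey", "-algorithm", "RSA", "-pkeyopt", "rsa_keygen_bits:2048",
            "-out", "new.key", cwd=cwd)
    openssl("req", "-new", "-key", "new.key", "-subj", subject, "-out", "new.csr", cwd=cwd)


def demo() -> Dict[str, bool]:
    """Constructed scenario in a temp dir: a pre-Heartbleed self-signed cert and key,
    then both a proper rotation and the common mistake of reissuing on the old key."""
    with tempfile.TemporaryDirectory() as d:
        openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-keyout", "old.key",
                "-out", "old.crt", "-subj", SUBJECT, "-days", "1", cwd=d)
        rotate(d)
        # The mistake: a brand-new certificate on the same, possibly leaked, private key.
        openssl("req", "-new", "-x509", "-key", "old.key", "-out", "reissued.crt",
                "-subj", SUBJECT, "-days", "1", cwd=d)
        return {
            "new_key_differs_from_old_cert": key_rotated("old.crt", "new.key", d),
            "reissued_cert_still_on_old_key": not key_rotated("reissued.crt", "old.key", d),
        }


if __name__ == "__main__":
    print(demo())
```

Against a live site, feed `spki_fingerprint` the certificate you saved before patching and the one the server presents now; if the two match, the CA reissued but the operator never rotated, and anything harvested before the patch still unlocks the new certificate.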

Offline yahoo

  • Opulent Member
  • Posts: 2291
Re: Heartbleed Bug
« Reply #4 on: April 09, 2014, 02:57:09 AM »
Found these links.

filippo.io/Heartbleed
rehmann.co/projects/heartbeat/

BTW, so does this mean IIS has no problem, since if I'm not mistaken it's not using OpenSSL?
« Last Edit: April 09, 2014, 04:48:15 AM by yahoo »

Offline WORM.

  • Newbie
  • Posts: 29
  • Take it easy, man
Re: Heartbleed Bug
« Reply #5 on: April 09, 2014, 09:41:11 AM »
Quote from: yahoo
BTW, so does this mean IIS has no problem, since if I'm not mistaken it's not using OpenSSL?

Correct... IIS is not open source and does not use OpenSSL... IIS has enough vulnerabilities as it is.  :D

Offline VaeVictis

  • i was -1 because you fucking suck
  • Brobdingnagian Member
  • Posts: 4498
Re: Heartbleed Bug
« Reply #6 on: April 09, 2014, 11:08:22 PM »
IMHO, if you run IIS, you have bigger problems ;)

Offline quadz

  • Loquaciously Multiloquent Member
  • Posts: 5352
Re: Heartbleed Bug
« Reply #7 on: April 10, 2014, 12:39:27 AM »
Quote from: VaeVictis
that old wise tail

Ah, the joys and pitfalls of Hooked on Phonics.  :nana:


BTW, for all here with SSH access to tastyspleen.net, I should mention that (by simple luck) we weren't running one of the vulnerable versions of OpenSSL.


(yay!)
"He knew all the tricks, dramatic irony, metaphor, bathos, puns, parody, litotes and... satire. He was vicious."

Offline VaeVictis

  • i was -1 because you fucking suck
  • Brobdingnagian Member
  • Posts: 4498
Re: Heartbleed Bug
« Reply #8 on: April 10, 2014, 01:17:26 AM »
Quote from: quadz
Quote from: VaeVictis
that old wise tail

Ah, the joys and pitfalls of Hooked on Phonics.  :nana:


BTW, for all here with SSH access to tastyspleen.net, I should mention that (by simple luck) we weren't running one of the vulnerable versions of OpenSSL.


(yay!)

english can go fuck itself

not enough semicolons and curly braces for my tastes

Offline quadz

  • Loquaciously Multiloquent Member
  • Posts: 5352
Re: Heartbleed Bug
« Reply #9 on: April 10, 2014, 01:55:47 AM »
Quote from: VaeVictis
english can go fuck itself

not enough semicolons and curly braces for my tastes

Well now, it may be a mute point to observe that your mangling of the idiomatic expression Old Wives' Tale would still be wrong in any language, but who knows: one in the same it's a doggy-dog world and this could be a blessing in the skies, so for all intensive purposes let's nip it in the butt.


:dohdohdoh:
"He knew all the tricks, dramatic irony, metaphor, bathos, puns, parody, litotes and... satire. He was vicious."

Offline |iR|Focalor

  • Irrepressibly Profuse Member
  • Posts: 15768
  • Help Destroy America: VOTE DEMOCRAT
Re: Heartbleed Bug
« Reply #10 on: April 10, 2014, 08:55:28 AM »
Quote from: quadz
Well now, it may be a mute point to observe that your mangling of the idiomatic expression Old Wives' Tale would still be wrong in any language, but who knows: one in the same it's a doggy-dog world and this could be a blessing in the skies, so for all intensive purposes let's nip it in the butt.

Davey was hit in the head with an English textbook so hard that he required an MRI for intensive purposes.

Offline bluemeanies

  • Swanky Member
  • Posts: 520
Re: Heartbleed Bug
« Reply #11 on: April 10, 2014, 09:48:24 AM »
What a time sink... paying for reliable hosting means that the systems are getting patched, but they recommend you reissue certs and change all passwords; you're talking admin panels, CMS systems, custom back-end tools, etc., etc.
Quote from: John Kreese
Mercy is for the weak. Here, in the streets, in competition: A man confronts you, he is the enemy. An enemy deserves no mercy.

Offline QwazyWabbit

  • Carpal Tunnel Member
  • Posts: 1373
Re: Heartbleed Bug
« Reply #12 on: April 10, 2014, 01:34:43 PM »
Quote from: quadz
Quote from: VaeVictis
that old wise tail

Ah, the joys and pitfalls of Hooked on Phonics.  :nana:


BTW, for all here with SSH access to tastyspleen.net, I should mention that (by simple luck) we weren't running one of the vulnerable versions of OpenSSL.


(yay!)

Sometimes it pays to lag the power curve just a little. Let the early adopters thrash around with the shiny new toy a bit.

A rolling stone lathers no moths.

Offline VaeVictis

  • i was -1 because you fucking suck
  • Brobdingnagian Member
  • Posts: 4498
Re: Heartbleed Bug
« Reply #13 on: April 10, 2014, 07:16:35 PM »
Quote from: quadz
it may be a mute point

moot point*

;)


Quote from: QwazyWabbit
Sometimes it pays to lag the power curve just a little. Let the early adopters thrash around with the shiny new toy a bit.

A rolling stone lathers no moths.


Except the vulnerability has been in place for 2 years, haha. Was quite convenient that half the servers at my work were running 0.9.8 though.

Offline quadz

  • Loquaciously Multiloquent Member
  • Posts: 5352
Re: Heartbleed Bug
« Reply #14 on: April 11, 2014, 03:29:52 AM »
Quote from: VaeVictis
Quote from: quadz
it may be a mute point

moot point*

;)

Don't tell me you only spotted one out of six?

:exqueezeme:

"He knew all the tricks, dramatic irony, metaphor, bathos, puns, parody, litotes and... satire. He was vicious."

 
