Serious bug in ubiquitous OpenSSL library: "Heartbleed"
Lots of tools available. I'm with ferg, surprised more haven't been mentioned here.
Tools to check for the bug:
- on your own box: https://github.com/musalbas/heartbleed-masstest/blob/master/ssltest.py
- online: http://filippo.io/Heartbleed/ (use carefully as they might log what you check)
- online: http://possible.lv/tools/hb/
- offline: https://github.com/tdussa/heartbleed-masstest <--- Tobias Dussa; also takes a CSV file of host names as input and ports as a parameter
- offline: http://s3.jspenguin.org/ssltest.py
- offline: https://github.com/titanous/heartbleeder
List of vulnerable Linux distributions: <http://www.circl.lu/pub/tr-21/>.
Anyone have any more?
--
TTFN,
patrick
On Apr 08, 2014, at 12:11 , Jonathan Lassoff <jof at thejof.com> wrote:
> For testing, I've had good luck with
> https://github.com/titanous/heartbleeder and
> https://gist.github.com/takeshixx/10107280
>
> Both are mostly platform-independent, so they should be able to work even
> if you don't have a modern OpenSSL to test with.
>
> Cheers and good luck (you're going to need it),
> jof
>
> On Tue, Apr 8, 2014 at 5:03 PM, Michael Thomas <mike at mtcc.com> wrote:
>
>> Just as a data point, I checked the servers I run and it's a good thing I
>> didn't reflexively update them first.
>> On CentOS 6.0, the default openssl is 1.0.0 which supposedly doesn't have
>> the vulnerability, but the ones queued up for update do. I assume that
>> Red Hat will get the patched version soon but be careful!
>>
>> Mike
>>
>>
>> On 04/07/2014 10:06 PM, Paul Ferguson wrote:
>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA256
>>>
>>> I'm really surprised no one has mentioned this here yet...
>>>
>>> FYI,
>>>
>>> - - ferg
>>>
>>>
>>>
>>> Begin forwarded message:
>>>
>>>> From: Rich Kulawiec <rsk at gsp.org>
>>>> Subject: Serious bug in ubiquitous OpenSSL library: "Heartbleed"
>>>> Date: April 7, 2014 at 9:27:40 PM EDT
>>>>
>>>> This reaches across many versions of Linux and BSD and, I'd
>>>> presume, into some versions of operating systems based on them.
>>>> OpenSSL is used in web servers, mail servers, VPNs, and many other
>>>> places.
>>>>
>>>> Writeup: Heartbleed: Serious OpenSSL zero day vulnerability revealed
>>>> http://www.zdnet.com/heartbleed-serious-openssl-zero-day-vulnerability-revealed-7000028166/
>>>>
>>>> Technical details: Heartbleed Bug http://heartbleed.com/
>>>>
>>>> OpenSSL versions affected (from link just above):
>>>> OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
>>>> OpenSSL 1.0.1g is NOT vulnerable (released today, April 7, 2014)
>>>> OpenSSL 1.0.0 branch is NOT vulnerable
>>>> OpenSSL 0.9.8 branch is NOT vulnerable
>>>>
>>>>
>>> - -- Paul Ferguson
>>> VP Threat Intelligence, IID
>>> PGP Public Key ID: 0x54DC85B2
>>> -----BEGIN PGP SIGNATURE-----
>>> Version: GnuPG v2.0.22 (MingW32)
>>> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>>>
>>> iF4EAREIAAYFAlNDg9gACgkQKJasdVTchbIrAAD9HzKaElH1Tk0oIomAOoSOvfJf
>>> 3Dvt4QB54os4/yewQQ8A/0dhFZ/YuEdA81dkNfR9KIf1ZF72CyslSPxPvkDcTz5e
>>> =aAzE
>>> -----END PGP SIGNATURE-----
>>>
>>
>>
>>
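Added example, not part of any post in this thread or of the tools linked above: a small inventory triage script that applies the version ranges from the forwarded message (1.0.1 through 1.0.1f vulnerable; 1.0.1g, the 1.0.0 branch and the 0.9.8 branch not) to `openssl version` output or package names, the kind of check Mike describes doing on CentOS before applying queued updates. The host names and version strings in SAMPLE_INVENTORY are constructed for the example; `local_openssl_version()` simply runs `openssl version` on the current box if the binary exists.

```python
import re
import subprocess

# Vulnerable range as stated on heartbleed.com and in the forwarded message:
# 1.0.1 .. 1.0.1f inclusive. 1.0.1g and the 1.0.0 / 0.9.8 branches are not.
FIRST_FIXED_LETTER = "g"

# Matches "1.0.1e" inside strings such as "OpenSSL 1.0.1e 11 Feb 2013"
# (output of `openssl version`) or an RPM-style name like "openssl-1.0.1e-16.el6".
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")

# Constructed sample inventory: host -> version string collected from that host.
SAMPLE_INVENTORY = {
    "web1.example.test": "OpenSSL 1.0.1e 11 Feb 2013",
    "mail1.example.test": "OpenSSL 1.0.1g 7 Apr 2014",
    "vpn1.example.test": "OpenSSL 1.0.0-fips 29 Mar 2010",
    "old1.example.test": "OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008",
    "queued-update": "openssl-1.0.1e-16.el6",
    "appliance1.example.test": "vendor firmware, version not reported",
}


def parse_openssl_version(text):
    """Return (major, minor, patch, letter) for the first OpenSSL-style
    version found in text, or None if there is none."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def classify(text):
    """Classify a version string as 'vulnerable', 'not_vulnerable' or
    'unknown' using only the upstream version number."""
    parsed = parse_openssl_version(text)
    if parsed is None:
        return "unknown"
    major, minor, patch, letter = parsed
    if (major, minor, patch) != (1, 0, 1):
        # 1.0.0, 0.9.8 and anything outside 1.0.1 is not in the affected range.
        return "not_vulnerable"
    # Plain "1.0.1" and letters a..f are affected; "g" and later carry the fix.
    if letter == "" or letter < FIRST_FIXED_LETTER:
        return "vulnerable"
    return "not_vulnerable"


def triage(inventory):
    """Group hosts by classification so the 'vulnerable' list can be handed
    to whoever is scheduling the update and service restarts."""
    groups = {"vulnerable": [], "not_vulnerable": [], "unknown": []}
    for host, version_text in inventory.items():
        groups[classify(version_text)].append(host)
    return groups


def local_openssl_version():
    """Run `openssl version` on this machine; None if it is not available."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip()


if __name__ == "__main__":
    for group, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{group}: {', '.join(hosts) or '-'}")
    local = local_openssl_version()
    if local is not None:
        print(f"this box: {local} -> {classify(local)}")
```

Two caveats when reading the output: distributions sometimes backport a fix without changing the upstream version string, so a "vulnerable" result from the version alone is a prompt to check the package changelog or run one of the probe tools listed above, not a verdict; and a "not_vulnerable" 1.0.1g reading only helps once every long-running service has actually been restarted against the new library.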