[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Serious bug in ubiquitous OpenSSL library: "Heartbleed"

Subject: Serious bug in ubiquitous OpenSSL library: "Heartbleed"
From: laszlo at heliacal.net (Laszlo Hanyecz)
Date: Tue, 8 Apr 2014 19:14:57 +0000
In-reply-to: <[email protected]>
References: <[email protected]> <[email protected]> <[email protected]>

You can still potentially access all the same information since it all goes through the load balancer.  Interesting bits of info are things like Cookie: headers being sent by clients and sitting in a buffer.  Try one of the testing tools mentioned and see if you can see any info from other clients.  It's almost like having remote tcpdump on the web server - you can copy down the in-memory process image.

-Laszlo


On Apr 8, 2014, at 7:12 PM, "Frank Bulk" <frnkblk at iname.com> wrote:

> If we would front our HTTPS services with a (OpenSSL vulnerable)
> load-balancer that does the SSL work and we just use HTTP to the service,
> will that mitigate information loss that's possible with this exploit?  Or
> will the OpenSSL code on the load-balancer also store or "cache" content?
> 
> Frank
> 
> -----Original Message-----
> From: Paul Ferguson [mailto:fergdawgster at mykolab.com] 
> Sent: Tuesday, April 08, 2014 12:07 AM
> To: NANOG
> Subject: Fwd: Serious bug in ubiquitous OpenSSL library: "Heartbleed"
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> I'm really surprised no one has mentioned this here yet...
> 
> FYI,
> 
> - - ferg
> 
> 
> 
> Begin forwarded message:
> 
>> From: Rich Kulawiec <rsk at gsp.org> Subject: Serious bug in
>> ubiquitous OpenSSL library: "Heartbleed" Date: April 7, 2014 at
>> 9:27:40 PM EDT
>> 
>> This reaches across many versions of Linux and BSD and, I'd
>> presume, into some versions of operating systems based on them.
>> OpenSSL is used in web servers, mail servers, VPNs, and many other
>> places.
>> 
>> Writeup: Heartbleed: Serious OpenSSL zero day vulnerability
>> revealed 
>> 
> http://www.zdnet.com/heartbleed-serious-openssl-zero-day-vulnerability-revea
> led-7000028166/
>> 
>> Technical details: Heartbleed Bug http://heartbleed.com/
>> 
>> OpenSSL versions affected (from link just above):  OpenSSL 1.0.1
>> through 1.0.1f (inclusive) are vulnerable OpenSSL 1.0.1g is NOT
>> vulnerable (released today, April 7, 2014) OpenSSL 1.0.0 branch is
>> NOT vulnerable OpenSSL 0.9.8 branch is NOT vulnerable
>> 
> 
> 
> - -- 
> Paul Ferguson
> VP Threat Intelligence, IID
> PGP Public Key ID: 0x54DC85B2
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.22 (MingW32)
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
> 
> iF4EAREIAAYFAlNDg9gACgkQKJasdVTchbIrAAD9HzKaElH1Tk0oIomAOoSOvfJf
> 3Dvt4QB54os4/yewQQ8A/0dhFZ/YuEdA81dkNfR9KIf1ZF72CyslSPxPvkDcTz5e
> =aAzE
> -----END PGP SIGNATURE-----
> 
> 
> 
>

References:
- Fwd: Serious bug in ubiquitous OpenSSL library: "Heartbleed"
  - From: fergdawgster at mykolab.com (Paul Ferguson)
- Serious bug in ubiquitous OpenSSL library: "Heartbleed"
  - From: frnkblk at iname.com (Frank Bulk)

Prev by Date: Serious bug in ubiquitous OpenSSL library: "Heartbleed"
Next by Date: Serious bug in ubiquitous OpenSSL library: "Heartbleed"
Previous by thread: Serious bug in ubiquitous OpenSSL library: "Heartbleed"
Next by thread: Serious bug in ubiquitous OpenSSL library: "Heartbleed"
Index(es):
- Date
- Thread