Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable
Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.
yup. good information to pass around. also good to see that companies like RedHat have already stepped up and not only fixed the bad code but removed several of the older encryption models to increase security.
... Any keys generated with a vulnerable version of OpenSSL should be considered compromised and regenerated and deployed after the patch has been applied.
US-CERT recommends system administrators consider implementing Perfect Forward Secrecy (http://en.wikipedia.org/wiki/Perfect_forward_secrecy) to mitigate the damage that may be caused by future private key disclosures.
Essentially, don't doddle, get on the stick, do it now.
Hope this helps some.
Slackware users: Slackware released upgraded packages for release versions 14.0, 14.1 and Current 04/08/2014 (prior releases are not affected).
I'm a little unclear on something, This issue only affects SSH keys, and NOT a site's SSL Certificate(s)?
Sorry if that's lame, but there's way too much "new" data for me to process my question atm.
Usage: fill up a scan.txt file with target IPs or hosts and run
Code:
python file.py
any vulnerable hosts will have an ip.txt in the directory it was run from.
the issue presents itself when a tls layer (aka ssl/tls library) is hooked into the listening port and a socket is made for the connection. the issue around certs is rather basic. server side has the private key which is used in the asymmetric process for securely exchanging the dynamic symmetric keys used to secure the communications. if the private key is exposed then the cert is now compromised and so are any additional data streams built using that cert. the PFS option helps but is not always used. but even having the private key does not mean the public at large can "see" anything, the hacker would need to be able to collect unicast data streams that are far away, etc, which is not so trivial.
the crux of the issue is, this tls issue exposes data from RAM, which could be parts of the unencrypted data from a TLS stream, which is a bad thing. the pita part is, after patching, new certs need to be generated using a new private key. some devices build an initial local CA during install time used for self-signing, this can be a pita to gen a new local CA and then redo the self-signed certs, and it gets more of a pita depending on if/how these self-signed certs were deployed, etc.
wow, some new "heartbeat" feature turned out to be not so good. in this day & age it baffles me why functions like this are not fuzz'd beyond the dead horse before being released.
a blatant disregard for memory management? how so, this is a sensitive library used to ensure privacy, surely it was reviewed a zillion times before being compiled, and the fuzz'd for added assurance?,...... makes you wonder why it was done wrong, and why it took until now to catch.
if i am not mistaken, only the memory address space used by the process handling the tls library can be leaked. i do not believe its any random parts of all memory, but please correct me on this if need be........
Last edited by Linux_Kidd; 04-09-2014 at 10:09 PM.
What do you think would be the best approach to fix this issue for users (particularly lesser experienced users) of EOL distros, such as Fedora 18? I don't think there will be any sort of fix pushed since those distros are EOL.
I'm a little unclear on something, This issue only affects SSH keys, and NOT a site's SSL Certificate(s)?
Sorry if that's lame, but there's way too much "new" data for me to process my question atm.
I hope I don't have to re-key a hundred+ servers.
Thanks.
SSH and SSL are two different projects. OpenSSH is unaffected.
What do you think would be the best approach to fix this issue for users (particularly lesser experienced users) of EOL distros, such as Fedora 18? I don't think there will be any sort of fix pushed since those distros are EOL.
Thanks.
install new openSSL package (just because its not in a repository for the specific distro that doesnt mean you are stuck), or recompile with the heartbeat option disabled.
installing "new" doesnt mean you need to go "up" in version, you can also downgrade to get away from the heartbeat option, etc. one needs to ask themselves, other than security related fixes (which not every new version has), why are you upgrading the package? many time new versions have additional features, and in this case the new feature was, well, [fill in your words here].
a blatant disregard for memory management? how so, this is a sensitive library used to ensure privacy, surely it was reviewed a zillion times before being compiled, and the fuzz'd for added assurance?,...... makes you wonder why it was done wrong, and why it took until now to catch.
if i am not mistaken, only the memory address space used by the process handling the tls library can be leaked. i do not believe its any random parts of all memory, but please correct me on this if need be........
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
