LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 04-10-2014, 06:07 PM   #16
jayjwa
Member
 
Registered: Jul 2003
Location: NY
Distribution: Slackware64, LFS
Posts: 312

Rep: Reputation: 53

How does one know which version of OpenSSL generated which keys/certs? It doesn't seem to say in the certificates or keys themselves, nor the index.txt file. I really can't remember which version I was using back in Dec. 2012 when I made them. By openssl.org's release dates, it was possibly openssl-1.0.1c. I really, really don't want to regenerate an entire root CA, all the keys, the requests and the certs after revoking the old ones for about a dozen services!
 
Old 04-10-2014, 06:36 PM   #17
alisonken1
LQ Newbie
 
Registered: Jun 2003
Location: Rancho Cucamonga, CA
Distribution: Slackware
Posts: 22

Rep: Reputation: 9
Quote:
Originally Posted by jayjwa
How does one know which version of OpenSSL generated which keys/certs? It doesn't seem to say in the certificates or keys themselves, nor the index.txt file. I really can't remember which version I was using back in Dec. 2012 when I made them. By openssl.org's release dates, it was possibly openssl-1.0.1c. I really, really don't want to regenerate an entire root CA, all the keys, the requests and the certs after revoking the old ones for about a dozen services!
The heartbeat issue is only for implementations using the secure stream program. Key generation was not compromised.

The reason for regenerating keys is that servers using the vulnerable library _may_ have leaked the key information while it was in use. Since there is no trace of whether or when the library may have leaked key information, the safe bet is to regenerate keys in case someone used the heartbeat vector and copied private key information from an existing session.

Again - it has nothing to do with what library was used to generate keys - only when keys were used by the vulnerable library.
 
1 members found this post helpful.
Old 04-10-2014, 08:46 PM   #18
cousinlucky
Member
 
Registered: Nov 2005
Location: Staten Island N.Y.
Distribution: Antix 16 and PCLinuxOS Mate
Posts: 258

Rep: Reputation: 514
I got an email today from Dynadot about Heartbleed and they urged me to change my password. I only have my domain names there and no website hosting; do I really need to create a new password?
 
Old 04-11-2014, 01:43 AM   #19
JoeSmith
LQ Newbie
 
Registered: Nov 2013
Location: cd ./
Distribution: Fedora19 & Kali
Posts: 26

Rep: Reputation: Disabled
Here is a good wiki about the bug.

Code:
http://www.theregister.co.uk/2014/04/09/heartbleed_explained/
 
Old 04-11-2014, 02:00 AM   #20
cyberdome
Member
 
Registered: Mar 2014
Distribution: Fedora 23 - MariaDB 10.1 -
Posts: 130
Blog Entries: 2

Rep: Reputation: 8
Heartbleed Internet security bug? OpenSSL security issue?

Does anyone know if this is relevant for all of us using APACHE and Linux?

http://gizmodo.com/how-heartbleed-wo...-se-1561341209

http://www.bostonglobe.com/business/...YTJ/story.html

http://www.cnbc.com/id/101566234
 
Old 04-11-2014, 02:27 AM   #21
TenTenths
Senior Member
 
Registered: Aug 2011
Location: Dublin
Distribution: Centos 5 / 6 / 7
Posts: 2,925

Rep: Reputation: 1192
It's relevant to anyone who is using https on apache that has a vulnerable version of OpenSSL.

There are numerous sites available that can test if your server is vulnerable.

If it is then you will need to patch appropriately, have new SSL certs issued by your provider and have any users that authenticated to the website change their passwords.
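Following up on #17 and #21: having "new SSL certs issued" only helps if the private key is replaced as well, and a certificate reissued from the old CSR carries the old public key. The script below is an added example, not code from the thread or from the OpenSSL project; it assumes the openssl command-line tool is installed, and the service names and scratch directory it uses are placeholders. It generates a fresh key and CSR, stands in for the CA by self-signing that CSR, and then compares the public key in the resulting certificate against both the old and the new private key, which is the check that catches a reissue-with-the-same-key mistake.

```shell
#!/bin/sh
# Added example (not from the thread). Rotate a service key after a suspected
# leak and verify that the reissued certificate carries the NEW public key.
# Assumes the openssl CLI is installed; names and paths below are placeholders.

# SHA-256 over the DER-encoded public half of a private key file.
pubkey_fingerprint_of_key() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 | sed 's/^.*= //'
}

# The same digest, computed from the public key embedded in a certificate,
# so the two values are directly comparable.
pubkey_fingerprint_of_cert() {
    openssl x509 -in "$1" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 | sed 's/^.*= //'
}

# Generate a brand-new RSA key and a CSR for NAME under DIR. Nothing from the
# old key is reused: a CSR built from the old key would put the old (possibly
# leaked) public key into the new certificate.
new_key_and_csr() {
    dir=$1; name=$2
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" \
        -subj "/CN=$name" >/dev/null 2>&1 || return 1
    chmod 600 "$dir/$name.key"
}

# Exit status 0 when CERT's public key is the public half of KEY.
cert_matches_key() {
    c=$(pubkey_fingerprint_of_cert "$1")
    k=$(pubkey_fingerprint_of_key "$2")
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Walk through one rotation in a scratch directory and report the outcome.
# In production the CSR goes to your CA; here it is self-signed to stand in
# for the CA's reissued certificate.
demo_rotation() {
    work=$(mktemp -d) || return 1
    new_key_and_csr "$work" svc-old || return 1   # the key that may have leaked
    new_key_and_csr "$work" svc-new || return 1   # its replacement
    openssl x509 -req -in "$work/svc-new.csr" -signkey "$work/svc-new.key" \
        -out "$work/svc-new.crt" -days 30 >/dev/null 2>&1 || return 1
    if cert_matches_key "$work/svc-new.crt" "$work/svc-old.key"; then
        result="reissued-cert-still-uses-old-key"
    elif cert_matches_key "$work/svc-new.crt" "$work/svc-new.key"; then
        result="rotation-ok"
    else
        result="cert-matches-neither-key"
    fi
    rm -rf "$work"
    echo "$result"
}

if command -v openssl >/dev/null 2>&1; then
    demo_rotation
else
    echo "openssl not found; nothing to check" >&2
fi
```

Against a live service the same comparison works on the certificate the server actually sends: feed `openssl s_client -connect host:443 </dev/null 2>/dev/null | openssl x509` into `pubkey_fingerprint_of_cert` in place of the file, and check that the fingerprint differs from the one you recorded for the old key before rotating.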
 
Old 04-11-2014, 05:42 AM   #22
jayjwa
Member
 
Registered: Jul 2003
Location: NY
Distribution: Slackware64, LFS
Posts: 312

Rep: Reputation: 53
Quote:
Originally Posted by alisonken1
Again - it has nothing to do with what library was used to generate keys - only when keys were used by the vulnerable library.
Thanks for clearing that up. It saves a lot of time.
 
Old 04-11-2014, 06:10 AM   #23
cousinlucky
Member
 
Registered: Nov 2005
Location: Staten Island N.Y.
Distribution: Antix 16 and PCLinuxOS Mate
Posts: 258

Rep: Reputation: 514
I'm confused ( again )!! Some are advising not to be in a rush to change passwords.
http://www.theguardian.com/technolog...y-experts-warn
 
Old 04-11-2014, 09:15 AM   #24
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,078
Blog Entries: 4

Rep: Reputation: 3176
My understanding from the reading is that it can also be used against the client side, too.
 
Old 04-11-2014, 10:22 AM   #25
metaschima
Senior Member
 
Registered: Dec 2013
Distribution: Slackware
Posts: 1,982

Rep: Reputation: 491
I think the best thing to do is wait until they ask you to change the password, that is after they have fixed the vulnerability. Changing your password before they fix the vulnerability is worse than keeping your current one.
 
Old 04-11-2014, 10:58 AM   #26
Smokey_justme
Member
 
Registered: Oct 2009
Distribution: Slackware
Posts: 534

Rep: Reputation: 203
Basically, users should not rush into anything.. It's the sysadmins that should rush to implement the fix.. Come to think of it, considering the certificate key is vulnerable, phishing scams are also possible until the certificate has been revoked.. So not rushing does make sense..

I think it's best to wait until the service asks you to change your password (for example, I'm a volunteer supporter in an online game.. Sure enough, yesterday all volunteers and employees found themselves with expired passwords and a request to change them) .. That's basically what every service affected by this should do, I think

Although, keep in mind that while this is a very important update and a very critical exploit, people would have started noticing strange logins from different places.. It's also very unlikely to get compromised on systems that have double authentication if your logins are from a different computer or from different countries or regions... Even if your password is found, they still couldn't get past the second step of auth..

Basically, this could have been exploited in silence to gather scattered data (and of that we can't be sure if it was or not).. But it's very unlikely that it was not exploited on a large scale without trying to compromise authentication and leaving traces..
 
Old 04-11-2014, 11:05 AM   #27
Smokey_justme
Member
 
Registered: Oct 2009
Distribution: Slackware
Posts: 534

Rep: Reputation: 203
Also, and this is a definite don't: do not click on links in received e-mails that ask you to change the password... As I've mentioned above, phishing scams are possible right now
 
Old 04-11-2014, 11:40 AM   #28
wh33t
Member
 
Registered: Oct 2003
Location: Canada
Posts: 741

Rep: Reputation: 58
How to patch for Heartbleed Ubuntu 12.04LTS

Hey LQ,

My server is vulnerable, my OpenSSL version is 1.0.1 dated March 2012. How can I patch this? Apt-get isn't offering me any updates.
 
Old 04-11-2014, 01:32 PM   #29
knudfl
LQ 5k Club
 
Registered: Jan 2008
Location: Copenhagen DK
Distribution: PCLinuxOS2019 CentOS6.10 CentOS7.6 + 50+ other Linux OS, for test only.
Posts: 17,250

Rep: Reputation: 3564
Not all versions in the "1.0.1 series" have the "Heartbleed bug".

I think the vulnerable versions are listed in one of the current Heartbleed threads:
http://www.linuxquestions.org/questi...ed-4175500917/
* http://www.linuxquestions.org/questi...ty-4175500994/
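To put numbers on knudfl's point for wh33t's "1.0.1 dated March 2012" build: the OpenSSL advisory for CVE-2014-0160 lists 1.0.1 through 1.0.1f and 1.0.2-beta1 as affected, 1.0.1g and 1.0.2-beta2 as the fixed releases, and the 0.9.8 and 1.0.0 branches as never affected. The script below is an added example, not from the thread or from the OpenSSL project. It classifies an `openssl version` string against those ranges and, as a second signal, parses the build date from `openssl version -b`; the version and build strings inside it are constructed samples. The caveat, which a version string alone cannot settle, is that distributions backport the fix without changing the version number, so a patched Ubuntu 12.04 package can still report `OpenSSL 1.0.1 14 Mar 2012`. A build date on or after 7 Apr 2014 and a package changelog entry mentioning CVE-2014-0160 (`apt-get changelog openssl` on Debian/Ubuntu, `rpm -q --changelog openssl` on RPM systems) are what actually settle it.

```shell
#!/bin/sh
# Added example (not from the thread). Classify an `openssl version` string
# against the CVE-2014-0160 affected ranges from the OpenSSL advisory, and
# read the build date from `openssl version -b` as a second signal.
# Caveat: distributions backport the fix without changing the version string,
# so "vulnerable-range" means "check further", not "confirmed vulnerable".

# heartbleed_version_status 'OpenSSL 1.0.1e 11 Feb 2013'
# Prints one of: vulnerable-range | fixed | not-affected | unknown
heartbleed_version_status() {
    ver=""
    prev=""
    # Take the token that follows the word "OpenSSL" (e.g. 1.0.1e, 1.0.1e-fips,
    # 1.0.2-beta1). Other libraries (LibreSSL, BoringSSL) yield no token.
    for tok in $1; do
        if [ "$prev" = "OpenSSL" ]; then
            ver=$tok
            break
        fi
        prev=$tok
    done
    case "$ver" in
        1.0.1 | 1.0.1[a-f]*)  echo "vulnerable-range" ;;  # 1.0.1 .. 1.0.1f
        1.0.2-beta1*)         echo "vulnerable-range" ;;  # first 1.0.2 beta
        1.0.1[g-z]* | 1.0.2* | 1.1.* | 3.*)
                              echo "fixed" ;;             # 1.0.1g, 1.0.2-beta2 and later
        0.9.* | 1.0.0*)       echo "not-affected" ;;      # heartbeat code never shipped here
        *)                    echo "unknown" ;;
    esac
}

# built_after_fix 'built on: Mon Apr  7 22:34:33 UTC 2014'
# Prints yes | no | unknown, judged against the fix date of 7 Apr 2014.
# Newer builds may print "reproducible build, date unspecified" -> unknown.
built_after_fix() {
    year=""; mon=""; day=""; want_day=0
    for tok in $1; do
        case "$tok" in
            Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) mon=$tok; want_day=1; continue ;;
            20[0-9][0-9]) year=$tok ;;
        esac
        if [ "$want_day" = 1 ]; then
            # The day of month is the token right after the month name.
            case "$tok" in [0-9]|[0-9][0-9]) day=$tok ;; esac
            want_day=0
        fi
    done
    if [ -z "$year" ] || [ -z "$mon" ]; then echo "unknown"; return; fi
    if [ "$year" -gt 2014 ]; then echo "yes"; return; fi
    if [ "$year" -lt 2014 ]; then echo "no"; return; fi
    case "$mon" in
        Jan|Feb|Mar) echo "no" ;;
        Apr) if [ "${day:-0}" -ge 7 ]; then echo "yes"; else echo "no"; fi ;;
        *)   echo "yes" ;;
    esac
}

# Run both checks against the locally installed OpenSSL, if there is one.
if command -v openssl >/dev/null 2>&1; then
    v=$(openssl version)
    b=$(openssl version -b)
    echo "$v -> $(heartbleed_version_status "$v"); rebuilt on/after fix date: $(built_after_fix "$b")"
fi
```

A result of "vulnerable-range" together with "rebuilt on/after fix date: no" is the case wh33t describes and means the package really has not been updated; "vulnerable-range" with "yes" usually means a backported fix, which the package changelog confirms. Neither replaces restarting every service that loaded the old library after the upgrade, since a running process keeps the vulnerable copy in memory until it is restarted.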
 
Old 04-11-2014, 01:40 PM   #30
smallpond
Senior Member
 
Registered: Feb 2011
Location: Massachusetts, USA
Distribution: CentOS 6 & 7
Posts: 3,192

Rep: Reputation: 857
Here is the original commit that introduced the bug:
http://git.openssl.org/gitweb/?p=ope...2116ad75f822b1

7pm on Dec 31st - I imagine not many eyes on it at that time or the next day.
If I wanted to hide a vulnerability in a system, that's the time I would do it.
 
1 members found this post helpful.
  


Tags
cve-2014-0160, openssl

