LinuxQuestions.org
Old 04-11-2014, 01:44 PM   #31
wh33t
Member
Using an online tool to test for my vulnerability shows me that I am susceptible to attack. I should also note, that I'm susceptible to attack on port 10000 through Webmin. Is that a different package or something I should be updating? Come to think of it, I didn't even install Webmin over apt-get. I did it with dpkg. I should probably check out their site.
 
Old 04-11-2014, 01:57 PM   #32
metaschima
Senior Member
Quote (originally posted by smallpond):
Here is the original commit that introduced the bug:
http://git.openssl.org/gitweb/?p=ope...2116ad75f822b1

7pm on Dec 31st - I imagine not many eyes on it at that time or the next day.
If I wanted to hide a vulnerability in a system, that's the time I would do it.
The day it was made is most interesting. I know they keep saying it wasn't on purpose ... on New Year's Eve ... interesting to say the least.
 
Old 04-11-2014, 02:32 PM   #33
metaschima
Senior Member
Here's a detailed explanation of the bug:
http://www.theregister.co.uk/2014/04...eed_explained/
http://git.openssl.org/gitweb/?p=ope...58c4899d#l3969

The main issue seems to be this memcpy:
Code:
memcpy(bp, pl, payload);
The 'payload' variable is sent by the attacker. I don't see why it is even used here, when the correct length of the received data was also used and submitted in the same commit 's->s3->rrec.length' but in a different place. The correct calculation for bounds checking was also used in the commit, but in a different place '1 + 2 + payload + padding'.

Of course, there's no way to prove it was or was not deliberate, but I'm starting to lean away from accidental.

EDIT:
I think I'll start looking through code submitted on major holidays like Christmas and New Years, and maybe they should lock down git on these days.

Last edited by metaschima; 04-11-2014 at 02:36 PM.
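A defensive illustration of the bounds check discussed in this post, written for this thread and not taken from OpenSSL: it models the heartbeat record layout (type byte, 2-byte big-endian length, payload, at least 16 bytes of padding), treats rec_len as the real length of the received record (the role of s->s3->rrec.length above), and rejects any request whose claimed payload does not fit before the memcpy runs. The record bytes and the hb_demo helper are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Modelled heartbeat layout: type (1) + length (2) + payload + padding (>=16).
 * Not OpenSSL's code; written for this example. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Builds the response for one received heartbeat record.
 * rec_len is the true number of bytes received (s->s3->rrec.length's role).
 * Returns the response length, or -1 if the record is rejected. */
long hb_build_response(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_len)
{
    /* First make sure the header and minimum padding actually arrived. */
    if (1 + 2 + HB_PADDING > rec_len)
        return -1;
    if (rec[0] != HB_REQUEST)
        return -1;
    /* 'payload' is chosen by the peer, exactly like the memcpy length above. */
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    /* The missing check: the claimed payload must fit inside what arrived. */
    if (1 + 2 + payload + HB_PADDING > rec_len)
        return -1;
    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_len)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + 3, rec + 3, payload);        /* now bounded by rec_len */
    memset(out + 3 + payload, 0, HB_PADDING); /* response padding */
    return (long)resp_len;
}

/* Constructed 24-byte request carrying "hello"; claimed_len is whatever the
 * peer writes into the length field, which may disagree with reality. */
long hb_demo(uint16_t claimed_len)
{
    uint8_t rec[1 + 2 + 5 + HB_PADDING] = { HB_REQUEST, 0, 0, 'h', 'e', 'l', 'l', 'o' };
    uint8_t out[64];
    rec[1] = (uint8_t)(claimed_len >> 8);
    rec[2] = (uint8_t)(claimed_len & 0xff);
    return hb_build_response(rec, sizeof rec, out, sizeof out);
}
```

With an honest length field hb_demo(5) returns 24; a record that claims 65535 bytes while only 24 arrived is rejected with -1 instead of being copied.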
 
Old 04-11-2014, 04:42 PM   #34
metaschima
Senior Member
Another interesting article, but no hard proof yet:
http://www.bloomberg.com/news/2014-0...consumers.html
 
Old 04-11-2014, 05:04 PM   #35
Smokey_justme
Member
Yeah, let's be serious for a little bit..

Heartbleed is a bad, serious bug.. However, as opposed to other types of attacks in which the remote attacker can execute code on the machine or explore specific data at will, this will expose portions of up to 64k of random memory at a time.. While that could mean a lot of data, it's still very limiting and requires a human touch to put the puzzle-pieces together into something useful... Spying en masse simply isn't likely or productive..

Furthermore, experts are not found only in the NSA, so let's not get in the "They must have known" theories too early..

Put that together with the fact that they call it "Flawed Protocol" or that at the end of the article they talk about "hackers who could break it (n.b. SSL Protocol) 15 years ago" as if this was relevant, it's clear that the article is written just to be there.. No proof, no understanding from the author..
 
Old 04-11-2014, 06:33 PM   #36
cyberdome
Member
What about the OpenSSL version from the YUM repos? For example, I installed OpenSSL using yum install openssl?

Just curious if the Fedora repos have fixed this Heartbleed issue?
 
Old 04-11-2014, 07:06 PM   #37
metaschima
Senior Member
Note that openssl uses its own version of malloc:
http://article.gmane.org/gmane.os.openbsd.misc/211963
and that malloc is biased for recently freed memory.
 
Old 04-11-2014, 07:42 PM   #38
jefro
Moderator
I think one comment was to look at certificate date. Some mention version and look for patch even if older version.
 
Old 04-11-2014, 07:54 PM   #39
jefro
Moderator
I think one of the pages I read talked about dpkg being an issue where other apps also may have fallen to the fault.

There is supposed to be a patch for the version you have but it doesn't change the version number.
 
Old 04-11-2014, 08:02 PM   #40
Emerson
LQ Guru
You need 1.0.1g.
 
Old 04-11-2014, 09:09 PM   #41
wh33t
Member
Thanks guys. How do I get the g version?
 
Old 04-11-2014, 09:18 PM   #42
unSpawn
Moderator
Moved: cyberdome's thread was merged into the existing "CVE-2014-0160: Heartbleed Bug: OpenSSL Vulnerability" thread to keep important same-topic threads in one place and get them the exposure they deserve.
 
Old 04-11-2014, 09:25 PM   #43
Emerson
LQ Guru
Don't you get it when you run apt-get update & apt-get upgrade?
 
Old 04-11-2014, 09:34 PM   #44
wh33t
Member
No... I don't know why it isn't there, but I expected it to be there.
 
Old 04-11-2014, 10:23 PM   #45
Emerson
LQ Guru
I do not run Ubuntu, but there is no way it is unavailable in Ubuntu repos.
 
Tags: cve-2014-0160, openssl