LinuxQuestions.org
Old 04-11-2014, 10:50 PM   #46
wh33t
Member
 
Registered: Oct 2003
Location: Canada
Posts: 741

Rep: Reputation: 58

Quote:
Originally Posted by Emerson View Post
I do not run Ubuntu, but there is no way it is unavailable in Ubuntu repos.
Code:
login as: root
root@server's password:
Welcome to Ubuntu 12.04.4 LTS (GNU/Linux 3.2.0-24-virtual x86_64)

 * Documentation:  https://help.ubuntu.com/
Last login: Fri Apr 11 16:32:08 2014 from d207-216-88-93.bchsia.telus.net
root@wh33t:~# apt-get update
Hit http://archive.ubuntu.com precise Release.gpg
Get:1 http://archive.ubuntu.com precise-updates Release.gpg [198 B]
Hit http://archive.ubuntu.com precise Release
Get:2 http://archive.ubuntu.com precise-updates Release [49.6 kB]
Hit http://archive.ubuntu.com precise/main amd64 Packages
Hit http://archive.ubuntu.com precise/universe amd64 Packages
Hit http://archive.ubuntu.com precise/main i386 Packages
Hit http://archive.ubuntu.com precise/universe i386 Packages
Hit http://archive.ubuntu.com precise/main TranslationIndex
Hit http://archive.ubuntu.com precise/universe TranslationIndex
Get:3 http://archive.ubuntu.com precise-updates/main amd64 Packages [764 kB]
Get:4 http://archive.ubuntu.com precise-updates/universe amd64 Packages [239 kB]
Get:5 http://archive.ubuntu.com precise-updates/main i386 Packages [788 kB]
Get:6 http://archive.ubuntu.com precise-updates/universe i386 Packages [244 kB]
Hit http://archive.ubuntu.com precise-updates/main TranslationIndex
Hit http://archive.ubuntu.com precise-updates/universe TranslationIndex
Hit http://archive.ubuntu.com precise/main Translation-en
Hit http://archive.ubuntu.com precise/universe Translation-en
Hit http://archive.ubuntu.com precise-updates/main Translation-en
Hit http://archive.ubuntu.com precise-updates/universe Translation-en
Get:7 http://security.ubuntu.com precise-security Release.gpg [198 B]
Get:8 http://security.ubuntu.com precise-security Release [49.6 kB]
Get:9 http://security.ubuntu.com precise-security/main amd64 Packages [376 kB]
Get:10 http://security.ubuntu.com precise-security/main i386 Packages [402 kB]
Hit http://security.ubuntu.com precise-security/main TranslationIndex
Hit http://security.ubuntu.com precise-security/main Translation-en
Fetched 2,912 kB in 34s (84.5 kB/s)
Reading package lists... Done
root@wh33t:~# apt-get upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
root@wh33t:~#
According to http://filippo.io/Heartbleed/#server.net:10000 I'm still vulnerable.
 
Old 04-11-2014, 10:56 PM   #47
Emerson
LQ Guru
 
Registered: Nov 2004
Location: Saint Amant, Acadiana
Distribution: Gentoo ~arch
Posts: 6,316

Rep: Reputation: Disabled
dpkg -s <packagename>

What does it show for openssl?
 
Old 04-11-2014, 10:59 PM   #48
wh33t
Member
 
Registered: Oct 2003
Location: Canada
Posts: 741

Rep: Reputation: 58
Quote:
Originally Posted by Emerson View Post
dpkg -s <packagename>

What does it show for openssl?
Code:
root@wh33t:~# dpkg -s openssl
Package: openssl
Status: install ok installed
Priority: optional
Section: utils
Installed-Size: 901
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Architecture: amd64
Version: 1.0.1-4ubuntu5.12
Depends: libc6 (>= 2.15), libssl1.0.0 (>= 1.0.1)
Suggests: ca-certificates
Conffiles:
 /etc/ssl/openssl.cnf ce31ab5015842bf7c2939514a634e0e4
Description: Secure Socket Layer (SSL) binary and related cryptographic tools
 This package contains the openssl binary and related tools.
 .
 It is part of the OpenSSL implementation of SSL.
 .
 You need it to perform certain cryptographic actions like:
  -  Creation of RSA, DH and DSA key parameters;
  -  Creation of X.509 certificates, CSRs and CRLs;
  -  Calculation of message digests;
  -  Encryption and decryption with ciphers;
  -  SSL/TLS client and server tests;
  -  Handling of S/MIME signed or encrypted mail.
Original-Maintainer: Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>
 
Old 04-11-2014, 11:05 PM   #49
Emerson
LQ Guru
 
Registered: Nov 2004
Location: Saint Amant, Acadiana
Distribution: Gentoo ~arch
Posts: 6,316

Rep: Reputation: Disabled
As I said, I do not run Ubuntu, but you do. Get familiar with Ubuntu sources.

http://www.ubuntu.com/usn/usn-2165-1/
 
Old 04-11-2014, 11:39 PM   #50
wh33t
Member
 
Registered: Oct 2003
Location: Canada
Posts: 741

Rep: Reputation: 58
Aye, I'm quite the linux novice.

So if I'm up to date then any ideas why that website says I'm still vulnerable?
 
Old 04-11-2014, 11:40 PM   #51
Emerson
LQ Guru
 
Registered: Nov 2004
Location: Saint Amant, Acadiana
Distribution: Gentoo ~arch
Posts: 6,316

Rep: Reputation: Disabled
Probably it checks your version and gives you a false positive.
 
Old 04-12-2014, 03:01 AM   #52
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,409
Blog Entries: 55

Rep: Reputation: 3582
Moved: wh33t's thread was merged into the existing "CVE-2014-0160: Heartbleed Bug: OpenSSL Vulnerability" thread to keep important same-topic threads in one place and get the exposure they deserve.
 
Old 04-14-2014, 04:18 AM   #53
ilesterg
Member
 
Registered: Jul 2012
Location: Kuala Lumpur
Distribution: Debian, CentOS/RHEL
Posts: 582

Rep: Reputation: 61
Our application server admins are quite in a panic right now, I don't understand why they receive the news just now. :|

Anyway, I run Debian 7 and the version in the repo is the latest, I think.
 
Old 04-14-2014, 04:25 AM   #54
Smokey_justme
Member
 
Registered: Oct 2009
Distribution: Slackware
Posts: 534

Rep: Reputation: 203
Quote:
Originally Posted by wh33t View Post
Aye, I'm quite the linux novice.

So if I'm up to date then any ideas why that website says I'm still vulnerable?
Most of them cache the response and don't 'really' check again for a period of time.. It can also be a false positive (as mentioned above) or maybe you forgot to restart the http server!?
 
Old 04-14-2014, 04:31 AM   #55
Smokey_justme
Member
 
Registered: Oct 2009
Distribution: Slackware
Posts: 534

Rep: Reputation: 203
Quote:
Originally Posted by ilesterg View Post
Our application server admins are quite in a panic right now, I don't understand why they receive the news just now. :|

Anyway, I run Debian 7 and the version in the repo is the latest, I think.
Well, it seems it was patched yesterday.. But be careful, according to the version it will give false positives on some scanners..
 
Old 04-14-2014, 04:36 AM   #56
Smokey_justme
Member
 
Registered: Oct 2009
Distribution: Slackware
Posts: 534

Rep: Reputation: 203
Please keep in mind that there is one more security bug (which would normally be critical if not eclipsed by Heartbleed) still affecting squeeze and wheezy:
https://security-tracker.debian.org/.../CVE-2014-0076
 
Old 04-14-2014, 09:35 AM   #57
ilesterg
Member
 
Registered: Jul 2012
Location: Kuala Lumpur
Distribution: Debian, CentOS/RHEL
Posts: 582

Rep: Reputation: 61
Quote:
Originally Posted by Smokey_justme View Post
Well, it seems it was patched yesterday.. But be careful, according to the version it will give false positives on some scanners..
Hi, I think I missed things. How do I apply the update? apt-get can't see any update.

Cheers!

Last edited by ilesterg; 04-14-2014 at 09:38 AM.
 
Old 04-14-2014, 10:42 AM   #58
Smokey_justme
Member
 
Registered: Oct 2009
Distribution: Slackware
Posts: 534

Rep: Reputation: 203
Hmm, what repositories are you searching in?
Keep in mind that "Squeeze" is not affected at all by heartbleed (so no update) and the update for "Wheezy" is in "wheezy-security"
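Emerson's `dpkg -s` check and Smokey_justme's "forgot to restart the http server" are the two halves of verifying a Heartbleed fix on a Debian-family host: the installed version must be at or above the advisory's fixed version, and every long-running service must have been restarted so it stops using the old library it still has mapped. The following script is an added example, not code from any poster or from Ubuntu; it parses the `dpkg -s` output quoted above (embedded here as a constructed sample), compares versions with a reimplementation of dpkg's own ordering rules (`~` sorts before everything, digit runs compare numerically, epochs and Debian revisions are handled), and lists processes whose `/proc/<pid>/maps` still reference a libssl that dpkg replaced on disk. `FIXED_VERSION` is set to 1.0.1-4ubuntu5.12, the Ubuntu 12.04 version shown in this thread; for any other release substitute the value from that distribution's advisory. The `/proc` excerpts in `MAPS_SAMPLE` are constructed. Note that running services load the library package (libssl1.0.0), so that is the package whose version matters, not only the `openssl` command-line tool.

```python
import os

# Constructed sample: the first lines of the `dpkg -s openssl` output quoted in this thread.
DPKG_STATUS_SAMPLE = """Package: openssl
Status: install ok installed
Architecture: amd64
Version: 1.0.1-4ubuntu5.12
Depends: libc6 (>= 2.15), libssl1.0.0 (>= 1.0.1)
"""
# Fixed version for Ubuntu 12.04 as shown in this thread (USN-2165-1); placeholder for other releases.
FIXED_VERSION = "1.0.1-4ubuntu5.12"


def parse_dpkg_status(text):
    """Single-line fields of a `dpkg -s` record as a dict; indented continuation lines are skipped."""
    fields = {}
    for line in text.splitlines():
        if line.startswith(" ") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def _order(c):
    """dpkg's character weight: '~' before everything, digits 0, letters by code point, then punctuation."""
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256


def _cmp_fragment(a, b):
    """Reimplementation of dpkg's verrevcmp(): compare alternating non-digit and digit runs."""
    while a or b:
        first_diff = 0
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac = _order(a[0]) if a else 0
            bc = _order(b[0]) if b else 0
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        a, b = a.lstrip("0"), b.lstrip("0")          # leading zeros of a digit run are insignificant
        while a and a[0].isdigit() and b and b[0].isdigit():
            if not first_diff:
                first_diff = ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if a and a[0].isdigit():
            return 1                                  # a's digit run is longer, so larger
        if b and b[0].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split '[epoch:]upstream[-revision]' into (epoch as int, upstream, revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Negative, zero or positive, with the same ordering as `dpkg --compare-versions`."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def is_fixed(installed, fixed=FIXED_VERSION):
    return compare_versions(installed, fixed) >= 0


# Constructed /proc/<pid>/maps excerpts: pid 1234 still maps the libssl build that dpkg replaced
# (the kernel appends "(deleted)" to a mapping whose file was unlinked), pid 1235 has the new file.
MAPS_SAMPLE = {
    1234: "7f3c1a000000-7f3c1a05e000 r-xp 00000000 08:01 131 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)\n",
    1235: "7f3c1b000000-7f3c1b05e000 r-xp 00000000 08:01 132 /lib/x86_64-linux-gnu/libssl.so.1.0.0\n",
}


def processes_with_stale_libssl(maps_by_pid):
    """PIDs whose maps reference a deleted libssl: they run the old code until restarted."""
    return sorted(pid for pid, maps in maps_by_pid.items()
                  if any("libssl" in ln and ln.rstrip().endswith("(deleted)") for ln in maps.splitlines()))


def read_proc_maps():
    """Collect /proc/<pid>/maps for every process the caller may read (run as root to see them all)."""
    result = {}
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            try:
                with open(f"/proc/{entry}/maps") as fh:
                    result[int(entry)] = fh.read()
            except OSError:
                continue
    return result


if __name__ == "__main__":
    installed = parse_dpkg_status(DPKG_STATUS_SAMPLE)["Version"]
    print("openssl", installed, "at or above fixed version:", is_fixed(installed))
    print("processes still using a replaced libssl:", processes_with_stale_libssl(MAPS_SAMPLE))
```

On a live host, feed `read_proc_maps()` to `processes_with_stale_libssl()` instead of the sample; an empty result after `apt-get upgrade` is what you want to see before re-testing with an external scanner, and anything listed (web server, mail server, OpenVPN, and so on) needs a restart.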
 
Old 04-14-2014, 09:22 PM   #59
mattydee
Member
 
Registered: Dec 2006
Location: Vancouver, BC
Distribution: Debian,Ubuntu,Slackware
Posts: 479

Rep: Reputation: 48
Hi, I hope I'm in the right thread. My question is related to Heartbleed, so I think it could be useful here...

Some organizations are claiming that they are detecting heartbleed attacks after the fact (eg, Canada Revenue Agency). For this to be possible, they (or a separate security outfit) would have to be doing some massive traffic recording. They would then have to go back and do some deep packet analysis (of SYN packets only?) to check for abnormal packets to see when a heartbleed attack happened, and what data was leaked by the server. Is this essentially correct? I'd like to know more about this stuff...
 
Old 04-14-2014, 10:32 PM   #60
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,409
Blog Entries: 55

Rep: Reputation: 3582
Provided you have the hardware and infra it's quite doable: search the old Snort mailing list posts (or Sourcefire docs) for what they say Snort can handle. There exist quite a few Snort and Suricata rules now (listed below are those from FBI Private Industry Notification 140410-001, though obviously the SID numbers are wrong if you run the Snort Community, Emerging Threats and/or Sourcefire rule sets):
Code:
alert tcp any any <> any [443,465,563,636,695,898,989,990,992,993,994,995,2083,2087,2096,2484,8443,8883,9091] (content:"|18 03 00|"; depth: 3; content:"|01|"; distance: 2; within: 1; content:!"|00|"; within: 1; msg: "SSLv3 Malicious Heartbleed Request V2"; sid: 1;)

alert tcp any any <> any [443,465,563,636,695,898,989,990,992,993,994,995,2083,2087,2096,2484,8443,8883,9091] (content:"|18 03 01|"; depth: 3; content:"|01|"; distance: 2; within: 1; content:!"|00|"; within: 1; msg: "TLSv1 Malicious Heartbleed Request V2"; sid: 2;)

alert tcp any any <> any [443,465,563,636,695,898,989,990,992,993,994,995,2083,2087,2096,2484,8443,8883,9091] (content:"|18 03 02|"; depth: 3; content:"|01|"; distance: 2; within: 1; content:!"|00|"; within: 1; msg: "TLSv1.1 Malicious Heartbleed Request V2"; sid: 3;)

alert tcp any any <> any [443,465,563,636,695,898,989,990,992,993,994,995,2083,2087,2096,2484,8443,8883,9091] (content:"|18 03 03|"; depth: 3; content:"|01|"; distance: 2; within: 1; content:!"|00|"; within: 1; msg: "TLSv1.2 Malicious Heartbleed Request V2"; sid: 4;)
*Also see Sourcefire Snort SIDs 30510 through 30517, Cisco IPS sigs 4187/0 and 4187/1 and the Fox-IT Snort v1 / v2 sigs.
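To make the byte offsets in those rules concrete, and to answer the "what would the after-the-fact analysis actually look at" part of the question above, here is an added Python example (not from the FBI notification, from unSpawn, or from any rule set). It applies the rules' three content tests to a TLS record: `|18 03 0x|` in the first three bytes (record type heartbeat, version SSLv3 through TLSv1.2), `|01|` at offset 5 (heartbeat type request, reached by `distance: 2` over the two-byte record length), and a non-zero byte at offset 6, which is the high byte of the claimed payload length. It also performs the stricter test the OpenSSL fix itself performs: whether the claimed payload length, plus the 3-byte heartbeat header and 16 bytes of minimum padding, exceeds what the record actually carries. The rules' `!|00|` test only sees claimed lengths of 256 or more, so the length comparison is the better condition to run over recorded traffic. All records here are constructed samples; `scan_stream()` expects one direction of a reassembled TCP stream, which is what you would pull out of a pcap with Wireshark's "Follow TCP Stream" or tcpflow. Heartbeats sent after the handshake completes are encrypted, so a content match can only ever see cleartext ones sent before it.

```python
import struct

TLS_HEARTBEAT = 0x18   # record content type the rules match with |18|
HB_REQUEST = 0x01      # heartbeat message type matched with |01| at offset 5

# Constructed samples, not captured traffic. Record layout: type(1) version(2) length(2) body.
# A well-formed request: claimed payload 4 bytes, payload "ping", 16 bytes of padding (body = 23 bytes).
BENIGN_RECORD = b"\x18\x03\x02\x00\x17" + b"\x01\x00\x04" + b"ping" + b"\x00" * 16
# A request whose claimed payload (0x4000 bytes) cannot fit in its 3-byte record body.
SUSPECT_RECORD = b"\x18\x03\x02\x00\x03" + b"\x01\x40\x00"
# An application-data record, which neither check should flag.
APPDATA_RECORD = b"\x17\x03\x02\x00\x05" + b"hello"


def parse_tls_record(data):
    """Split one TLS record into (content_type, version, body); None if the record is truncated."""
    if len(data) < 5:
        return None
    ctype, version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    return (ctype, version, body) if len(body) == length else None


def snort_rule_matches(data):
    """The three content tests from the rules above, expressed as byte offsets:
    |18 03 0x| at offsets 0-2 (depth 3), |01| at offset 5 (distance 2, within 1),
    and a byte other than |00| at offset 6, the high byte of the claimed payload length."""
    if len(data) < 7:
        return False
    return (data[0] == TLS_HEARTBEAT and data[1] == 0x03 and data[2] in (0, 1, 2, 3)
            and data[5] == HB_REQUEST and data[6] != 0x00)


def heartbeat_length_mismatch(data):
    """Stricter test: claimed payload + 1 byte type + 2 bytes length + 16 bytes minimum padding
    must fit inside the record body. This is the bounds check the OpenSSL fix added."""
    rec = parse_tls_record(data)
    if rec is None:
        return False
    ctype, _, body = rec
    if ctype != TLS_HEARTBEAT or len(body) < 3 or body[0] != HB_REQUEST:
        return False
    claimed = struct.unpack("!H", body[1:3])[0]
    return 1 + 2 + claimed + 16 > len(body)


def scan_stream(data):
    """Walk consecutive TLS records in one direction of a reassembled TCP stream and report
    heartbeat requests that fail the length check, noting whether the Snort rule would also fire."""
    findings, offset, index = [], 0, 0
    while offset + 5 <= len(data):
        length = struct.unpack("!H", data[offset + 3:offset + 5])[0]
        record = data[offset:offset + 5 + length]
        if len(record) < 5 + length:
            break  # capture ends mid-record
        if heartbeat_length_mismatch(record):
            findings.append({"record": index, "offset": offset,
                             "snort_rule_hit": snort_rule_matches(record)})
        offset += 5 + length
        index += 1
    return findings


if __name__ == "__main__":
    for finding in scan_stream(BENIGN_RECORD + APPDATA_RECORD + SUSPECT_RECORD):
        print(finding)
```

The server's reply is the other half of forensic analysis: a heartbeat response record whose length far exceeds what a normal client request would carry is the leaked data itself, so a full-content capture lets you see both that an over-read happened and what went out, which is why organisations with that kind of recording could make after-the-fact statements.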
 
  


Tags
cve-2014-0160, openssl


All times are GMT -5.
