[Cialug] CentOS SSL

Josh More jmore at starmind.org
Wed Apr 9 17:53:02 CDT 2014


I don't have anything public, though some might be released at tonight's
SANS webcast
(https://www.sans.org/webcasts/openssl-heartbleed-vulnerability-98105).

There has been a lot of discussion on several private security lists.
Signatures are being written for the common IDS systems (Tipping Point and
SourceFire are mostly what are being discussed) and people have been going
through their saved packet captures.  Many are reporting tons of hits
starting on Monday.  A smaller number are reporting hits stretching back
through the last year or two.

The problem is that you can't easily tell a legit heartbeat hit from a
malicious one. However, evidence strongly suggests that it's been actively
abused since Monday and likely abused prior to that.

If you have old packet captures to analyze, this might be the evidence you
need.  If not, it's your call as to whether it's worth the hassle. If you
are responsible for protecting a lot of people's sensitive information or a
few people's critical information, I'd say it probably is.  If not,
probably not.

-Josh



On Wed, Apr 9, 2014 at 5:28 PM, Daniel A. Ramaley
<daniel.ramaley at drake.edu> wrote:

> Do you have any links that back up the "growing evidence" that the bug
> has been exploited? Yesterday we had a fun night at work patching
> everything. But I'd like to make the argument to management that we
> really ought to rotate our certificates as well. Since we *just* did
> that due to expiration, I'm going to need some evidence to corroborate
> the need for it.
>
> On 2014-04-09 at 10:05:42 Josh More wrote:
> > Yep, the update for CentOS came out really early yesterday morning.
> >
> > Remember, after you update, restart Apache (and OpenVPN if you're
> > using it).  Then regen your keys and have new certs issued.
> >
> > There is growing evidence that people have been collecting data using
> > this bug, and this bug is two years old.  There's no way to be sure
> > your data was compromised, so you're best off just regenerating
> > everything you need.
> >
> > -Josh
> >
> > On Wed, Apr 9, 2014 at 9:47 AM, Daniel Sloan <dan.sloan at drake.edu>
> wrote:
> > > Here's a nice reference: http://heartbleed.com/
> > >
> > > From the site:
> > > "What versions of the OpenSSL are affected?
> > >
> > > Status of different versions:
> > >     OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
> > >     OpenSSL 1.0.1g is NOT vulnerable
> > >     OpenSSL 1.0.0 branch is NOT vulnerable
> > >     OpenSSL 0.9.8 branch is NOT vulnerable
> > >
> > > Bug was introduced to OpenSSL in December 2011 and has been out in
> > > the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL
> > > 1.0.1g released on 7th of April 2014 fixes the bug.....
> > >
> > >  How about operating systems?
> > >
> > > Some operating system distributions that have shipped with
> > > potentially vulnerable OpenSSL version:
> > >     Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
> > >     Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
> > >     CentOS 6.5, OpenSSL 1.0.1e-15
> > >     Fedora 18, OpenSSL 1.0.1e-4
> > >     OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c
> > >     10 May 2012)
> > >     FreeBSD 10.0 - OpenSSL 1.0.1e 11 Feb 2013
> > >     NetBSD 5.0.2 (OpenSSL 1.0.1e)
> > >     OpenSUSE 12.2 (OpenSSL 1.0.1c)
> > >
> > > Operating system distribution with versions that are not vulnerable:
> > >     Debian Squeeze (oldstable), OpenSSL 0.9.8o-4squeeze14
> > >     SUSE Linux Enterprise Server
> > >     FreeBSD 8.4 - OpenSSL 0.9.8y 5 Feb 2013
> > >     FreeBSD 9.2 - OpenSSL 0.9.8y 5 Feb 2013
> > >     FreeBSD Ports - OpenSSL 1.0.1g (At 7 Apr 21:46:40 2014 UTC)"
> > >
> > > Dan Sloan
> > > Systems Administrator
> > > College of Business and Public Administration
> > > Drake University
> > > Des Moines, IA 50311
> > > Phone # (515)-271-3705
> > > College Webpage:  http://www.cbpa.drake.edu
> > >
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: cialug-bounces at cialug.org [mailto:cialug-bounces at cialug.org]
> > > On Behalf Of L. V. Lammert
> > > Sent: Wednesday, April 09, 2014 9:19 AM
> > > To: Central Iowa Linux Users Group
> > > Subject: [Cialug] CentOS SSL
> > >
> > > Has anyone seen data on the Heartbleed status for CentOS? What
> > > versions are affected? Remediation?
> > >
> > >         Lee
> > >
> > > _______________________________________________
> > > Cialug mailing list
> > > Cialug at cialug.org
> > > http://cialug.org/mailman/listinfo/cialug
> >
> __
> Daniel A. Ramaley
> Network Engineer 2
>
> Dial Center 122, Drake University
> 2407 Carpenter Ave / Des Moines IA 50311 USA
> Tel: +1 515 271-4540
> Fax: +1 515 271-1938
> E-mail: daniel.ramaley at drake.edu
>
>

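The thread's point that a heartbeat hit in a saved capture is hard to tell from a malicious one comes down to one field: a well-formed heartbeat's declared payload_length fits inside its TLS record, while a Heartbleed probe declares far more than the record carries, which is the bounds check OpenSSL 1.0.1 through 1.0.1f omitted. The following is an added example, not code from this thread or from any project it names, that applies that RFC 6520 check to constructed sample records; it assumes cleartext heartbeats, since an encrypted one cannot be inspected this way.

```python
import struct
from collections import Counter
from typing import Iterator

TLS_HEARTBEAT = 0x18    # TLS content type for heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16        # RFC 6520 section 4: at least 16 bytes of padding

def iter_records(stream: bytes) -> Iterator[bytes]:
    """Split a plaintext TLS byte stream into records via the 5-byte header."""
    pos = 0
    while pos + 5 <= len(stream):
        rec_len = struct.unpack("!H", stream[pos + 3:pos + 5])[0]
        yield stream[pos:pos + 5 + rec_len]
        pos += 5 + rec_len

def classify_heartbeat(record: bytes) -> str:
    """Return 'ok', 'malformed', 'truncated' or 'not-heartbeat' for one record.
    Malformed: declared payload_length cannot fit in the record (the bounds
    check OpenSSL 1.0.1 through 1.0.1f omitted). Only cleartext heartbeats,
    sent before the cipher is negotiated, can be inspected this way."""
    if len(record) < 5:
        return "truncated"
    ctype, rec_len = record[0], struct.unpack("!H", record[3:5])[0]
    if ctype != TLS_HEARTBEAT:
        return "not-heartbeat"
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        return "truncated"
    if len(body) < 3:
        return "malformed"
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return "malformed"
    if payload_len + 3 + MIN_PADDING > rec_len:  # type + length + payload + padding
        return "malformed"
    return "ok"

def summarize(stream: bytes) -> dict:
    """Count verdicts over a stream, e.g. one direction of a saved capture."""
    return dict(Counter(classify_heartbeat(r) for r in iter_records(stream)))

# Constructed sample records (not captured traffic): a normal 4-byte heartbeat
# request, an application-data record, and a 3-byte record claiming 16384 bytes.
GOOD_HEARTBEAT = (b"\x18\x03\x02" + struct.pack("!H", 3 + 4 + MIN_PADDING)
                  + b"\x01" + struct.pack("!H", 4) + b"ping" + b"\x00" * MIN_PADDING)
APP_DATA = b"\x17\x03\x02\x00\x05hello"
BAD_HEARTBEAT = b"\x18\x03\x02\x00\x03\x01\x40\x00"
SAMPLE_STREAM = GOOD_HEARTBEAT + APP_DATA + BAD_HEARTBEAT
```

Running `summarize(SAMPLE_STREAM)` over the constructed stream yields one "ok", one "not-heartbeat" and one "malformed" record; the same function can be pointed at the cleartext portion of a reassembled TCP stream extracted from an old capture.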