Author Topic: Everyone panic: Critical OpenSSL vulnerability: the "heartbleed" bug  (Read 3171 times)

Offline vezzy

http://heartbleed.com/

tl;dr TLS basically hasn't been working for the past 2 years or so. Upgrade your distribution packages or recompile with -DOPENSSL_NO_HEARTBEATS. If you're a webmaster, it is imperative that all certs and keys be revoked and regenerated. Note that most of the web is vulnerable, so it'll take a while for most infrastructure to upgrade, assuming people even bother. Consider changing all passwords once you're sure sites have upgraded to 1.0.1g, if you're that paranoid.

This is all a miserable spectacle.
Quote from: Dippy hippy
Just brushing though. I will be semi active mainly came to find a HQ botnet, like THOR or just any p2p botnet

Offline Architect

Re: Everyone panic: Critical OpenSSL vulnerability: the "heartbleed" bug
« Reply #1 on: April 08, 2014, 01:06:42 am »
I've completely recompiled Tor and openssl tonight.. fuck. On both my home and remote box.
I also will upload a clean 64bit .deb for those wishing to fix their shit quickly.

Edit:

openssl-1.0.1g-securityfix.zip:
http://upload.evilzone.org/download.php?id=9365161&type=zip
https://www.virustotal.com/en/file/0c39147d9b5efb486abbdbeb1ee685f65d53b4a4ca302d925295689ac40cafe0/analysis/1396912597/

And just openssl_1.0.1g-1_amd64.deb (amd64 systems only):
https://www.virustotal.com/en/file/1124f4af5bf5546e2c91d1b0cc2a6a8b38a3db124b9c516823936bb9312fbf20/analysis/1396911829/
« Last Edit: April 08, 2014, 01:21:25 am by Architect »

Offline Matriplex

Re: Everyone panic: Critical OpenSSL vulnerability: the "heartbleed" bug
« Reply #2 on: April 08, 2014, 01:20:02 am »
Well this is an "interesting" turn of events.
\x64\x6F\x75\x65\x76\x65\x6E\x00

Offline vezzy

Re: Everyone panic: Critical OpenSSL vulnerability: the "heartbleed" bug
« Reply #3 on: April 08, 2014, 01:38:09 am »
Debian and Ubuntu already pushed upgraded packages to upstream just a couple of hours ago. Other distros should follow next.

Offline proxx

Re: Everyone panic: Critical OpenSSL vulnerability: the "heartbleed" bug
« Reply #4 on: April 08, 2014, 07:31:27 am »
Holy cows
Wtf were you thinking with that signature? - Phage.
This was another little experiment *evillaughter - Proxx.
Evilception... - Phage

Offline iTpHo3NiX

Re: Everyone panic: Critical OpenSSL vulnerability: the "heartbleed" bug
« Reply #5 on: April 08, 2014, 07:56:24 am »
Can't say I'm too thrilled about this vulnerability... Anyone know if big companies like Google, etc. use OpenSSL?
[09:27] (+lenoch) iTpHo3NiX can even manipulate me to suck dick
[09:27] (+lenoch) oh no that's voluntary
[09:27] (+lenoch) sorry

Offline proxx

Re: Everyone panic: Critical OpenSSL vulnerability: the "heartbleed" bug
« Reply #6 on: April 08, 2014, 08:19:55 am »
They do, that's the point.
Think embedded devices, phones, webservers, VPN... we are talking massive worldwide impact.

Offline iTpHo3NiX

Re: Everyone panic: Critical OpenSSL vulnerability: the "heartbleed" bug
« Reply #7 on: April 08, 2014, 08:27:19 am »
Yes but is OpenSSL the only service to supply SSL/TLS encryption? Anyone can generate and install that, and could purposely use an infected version to make a phisher, etc. So Amazon and all of the big corporations use OpenSSL or a proprietary closed source version that doesn't have the heartbreak vulnerability...

Offline Stackprotector

Re: Everyone panic: Critical OpenSSL vulnerability: the "heartbleed" bug
« Reply #8 on: April 08, 2014, 10:34:32 am »
For Debian users:

fixed 743883 + 1.0.1-g
fixed 743883 + 1.0.1e-2+deb7u5

Evilzone is Up To Date :D
~Factionwars
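
Added example (not part of the thread or any poster's code): a Python check that applies the remediation criteria mentioned above, namely the 1.0.1g upgrade, the -DOPENSSL_NO_HEARTBEATS rebuild and the Debian backport 1.0.1e-2+deb7u5, to `openssl version -a` output. The affected upstream range 1.0.1 to 1.0.1f comes from the advisory; the function name `assess`, the verdict labels and the sample inputs are assumptions constructed for illustration.

```python
import re

# Upstream releases affected by Heartbleed: 1.0.1 through 1.0.1f (fixed in 1.0.1g).
AFFECTED = re.compile(r"1\.0\.1[a-f]?")
# Debian wheezy backport quoted in the thread: fixed from 1.0.1e-2+deb7u5 on.
WHEEZY = re.compile(r"1\.0\.1e-2\+deb7u(\d+)")


def assess(version_text, package_version=None):
    """Return (verdict, detail) from `openssl version -a` output and, if
    known, the distro package version (for example from dpkg-query)."""
    m = re.search(r"^OpenSSL\s+(\S+)", version_text, re.M)
    if not m:
        return ("unknown", "no OpenSSL version line")
    upstream = re.sub(r"-fips$", "", m.group(1))
    # Pre-release tokens such as 1.0.2-beta1 are reported, not guessed at.
    if not re.fullmatch(r"\d+\.\d+\.\d+[a-z]*", upstream):
        return ("unknown", f"unrecognised version token {upstream}")
    if not AFFECTED.fullmatch(upstream):
        return ("not_affected", f"{upstream} is outside 1.0.1 to 1.0.1f")
    # Build-time mitigation: heartbeat support compiled out.
    if "-DOPENSSL_NO_HEARTBEATS" in version_text:
        return ("mitigated", "built with -DOPENSSL_NO_HEARTBEATS")
    # Distros backport the fix without changing the upstream version string,
    # so the package revision decides, not the "1.0.1e" banner.
    w = WHEEZY.fullmatch(package_version or "")
    if w and int(w.group(1)) >= 5:
        return ("patched", f"backported fix in {package_version}")
    if package_version and not w:
        return ("check_advisory", f"{upstream}, unrecognised package {package_version}")
    return ("vulnerable", f"{upstream} with no fix or mitigation found")


# Constructed sample inputs (not captured from real hosts).
SAMPLES = {
    "wheezy-patched": ("OpenSSL 1.0.1e 11 Feb 2013\ncompiler: gcc -fPIC -O2", "1.0.1e-2+deb7u5"),
    "wheezy-stale": ("OpenSSL 1.0.1e 11 Feb 2013\ncompiler: gcc -fPIC -O2", "1.0.1e-2+deb7u4"),
    "rebuilt": ("OpenSSL 1.0.1f 6 Jan 2014\ncompiler: gcc -DOPENSSL_NO_HEARTBEATS -O2", None),
    "upstream-g": ("OpenSSL 1.0.1g 7 Apr 2014\ncompiler: gcc -O2", None),
    "old-server": ("OpenSSL 0.9.8o 01 Jun 2010\ncompiler: gcc -O2", None),
}

if __name__ == "__main__":
    for name, (text, pkg) in SAMPLES.items():
        print(name, *assess(text, pkg))
```

The check looks only at the system `openssl` build; software that bundles or statically links its own copy of the library has to be checked separately, and running services keep the old library loaded until they are restarted.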

Offline vezzy

Re: Everyone panic: Critical OpenSSL vulnerability: the "heartbleed" bug
« Reply #9 on: April 08, 2014, 03:33:12 pm »
Quote from: iTpHo3NiX
Yes but is OpenSSL the only service to supply SSL/TLS encryption? Anyone can generate and install that, and could purposely use an infected version to make a phisher, etc. So Amazon and all of the big corporations use OpenSSL or a proprietary closed source version that doesn't have the heartbreak vulnerability...

Pretty much the entire globe uses OpenSSL. After that it's GnuTLS, which is primarily used only by the GNOME Project, and most notably CUPS, but that's about it.

Apple rolls their own, I believe, though I'm not sure. It might simply be an Obj-C wrapper around OpenSSL.

Funny thing is all three of these SSL implementations have had critical bugs all within this year.

Offline proxx

Re: Everyone panic: Critical OpenSSL vulnerability: the "heartbleed" bug
« Reply #10 on: April 08, 2014, 03:43:51 pm »
Quote from: vezzy
Pretty much the entire globe uses OpenSSL. After that it's GnuTLS, which is primarily used only by the GNOME Project, and most notably CUPS, but that's about it.

Apple rolls their own, I believe, though I'm not sure. It might simply be an Obj-C wrapper around OpenSSL.

Funny thing is all three of these SSL implementations have had critical bugs all within this year.

Yeah, funny how SSL/TLS is slowly losing its status as uncrackable, even though they are all implementation issues thus far.
But apart from CRIME, which was not so big, this is the first real server side vuln, massive impact.
I have been doing some tests myself and found major gov websites to still be vuln as we speak.
Parties like Google amongst other players seem to have patched already.
« Last Edit: April 08, 2014, 03:44:26 pm by proxx »

Offline techb

Re: Everyone panic: Critical OpenSSL vulnerability: the "heartbleed" bug
« Reply #11 on: April 08, 2014, 03:47:52 pm »
I wonder how something bleeding edge [really no pun intended] like Arch would be? It is updated instantly, and no need to wait 6 months or a year for releases.
>>>import this
-----------------------------

Offline proxx

Re: Everyone panic: Critical OpenSSL vulnerability: the "heartbleed" bug
« Reply #12 on: April 08, 2014, 03:51:30 pm »
Quote from: techb
I wonder how something bleeding edge [really no pun intended] like Arch would be? It is updated instantly, and no need to wait 6 months or a year for releases.

Most distros pushed it or are pushing it as we speak.
Embedded devices and the like, however...
Good thing is that old servers are not vuln, so if it's old enough it's okay.
« Last Edit: April 08, 2014, 03:52:23 pm by proxx »

Offline RedBullAddicted

Re: Everyone panic: Critical OpenSSL vulnerability: the "heartbleed" bug
« Reply #13 on: April 08, 2014, 04:00:39 pm »
Was just wondering if I need to update our Cisco Firewalls we use for SSL VPNs too. It seems I am pretty lucky :)

http://security.stackexchange.com/questions/55085/heartbleed-and-routers-asas-other
Deep into that darkness peering, long I stood there, wondering, fearing, doubting, dreaming dreams no mortal ever dared to dream before. - Edgar Allan Poe

Offline s3my0n

Re: Everyone panic: Critical OpenSSL vulnerability: the "heartbleed" bug
« Reply #14 on: April 08, 2014, 04:46:01 pm »
Hmm, did anyone else think it might be an NSA-implanted bug?
Easter egg in all *nix systems: E(){ E|E& };E