SCIENTIFIC-LINUX-USERS Archives

April 2014

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From:
"P. Larry Nelson" <[log in to unmask]>
Reply To:
Date:
Tue, 8 Apr 2014 12:54:17 -0500
In case this helps, here's what our campus security folks sent out this morning.

==============================================================================

Mitigation:
"Affected users should upgrade to OpenSSL 1.0.1g. Users unable to
immediately upgrade can alternatively recompile OpenSSL with
-DOPENSSL_NO_HEARTBEATS."

Quick remote test for potential vulnerability (from Linux):
echo ""|openssl s_client -connect $MYHOST:443 -tlsextdebug 2>&1 \
  | egrep 'heartbeat'

An example response of a potentially vulnerable host would be:
TLS server extension "heartbeat" (id=15), len=1

Quick local check for vulnerability:
openssl version -a
Any version other than 1.0.1 through 1.0.1f should be safe. In any
1.0.1 version, if the -DOPENSSL_NO_HEARTBEATS flag is listed in the
compiler flags, that should mean you're safe.

Spot check:

openssl version -a | grep -oE '1\.0\.1[a-g]?|DOPENSSL_NO_HEARTBEATS'

This should give you the version, if it's 1.0.1, and whether
OPENSSL_NO_HEARTBEATS was listed.

Adding to the spot checks above, once you patch with the official
patches from Ubuntu/Debian/RHEL these simple openssl checks will still
show the heartbeat extension enabled but it shouldn't be vulnerable
anymore. If you have access to Qualys for scanning, the QID for
scanning for this vulnerability is 42430.

The http://heartbleed.com/ site recommends re-issuing certificates
in case of prior compromise of existing private keys as there is no
way to differentiate from normal traffic.

We are recommending to our users to do this as well as any credentials
used over the SSL connection, especially in the last few days. The
vulnerability is easily exploitable and a few tests have returned
valid session cookies at the very least. Supposedly the server's
private key can be exposed as well. Passively there's no way to
determine if this is being exploited. I haven't had time to test with
debugging enabled.

=======================================================================


Jamie Duncan wrote on 4/8/2014 12:44 PM:
> The bug was only applicable to RHEL/CentOS/OEL/SL 6.5+
> https://access.redhat.com/site/solutions/781793
>
>
>
> On Tue, Apr 8, 2014 at 1:36 PM, Jeffrey Anderson <[log in to unmask]
> <mailto:[log in to unmask]>> wrote:
>
>     Is SL5 vulnerable, and will there be a patch?
>
>
>
>
>     On Tue, Apr 8, 2014 at 7:10 AM, Pat Riehecky <[log in to unmask]
>     <mailto:[log in to unmask]>> wrote:
>
>         The updated package should be available now.
>
>         Pat
>
>
>         On 04/08/2014 05:43 AM, Adam Bishop wrote:
>
>             Good Morning,
>
>             I’ve not seen a fixed OpenSSL package drop into the repos as of yet.
>
>             Apologies for asking the question, but how quickly will this be
>             packaged and made available (i.e. should I start building the
>             package myself)?
>
>             Regards,
>
>             Adam Bishop
>             Systems Development Specialist
>
>                 gpg: 0x6609D460
>                   t: +44 (0)1235 822 245
>                xmpp: [log in to unmask]
>
>             Janet, the UK's research and education network.
>
>
>             Janet(UK) is a trading name of Jisc Collections and Janet Limited, a
>             not-for-profit company which is registered in England under No. 2881024
>             and whose Registered Office is at Lumen House, Library Avenue,
>             Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
>
>
>
>         --
>         Pat Riehecky
>
>         Scientific Linux developer
>         http://www.scientificlinux.org/
>
>
>
>
>     --
>     --------------------------------------------------------------
>     Jeffrey Anderson                        | [log in to unmask]
>     Lawrence Berkeley National Laboratory   |
>     Office: 50A-5104E                       | Mailstop 50A-5101
>     Phone: 510 486-4208                     | Fax: 510 486-4204
>
>
>
>
> --
> Thanks,
>
> Jamie Duncan
> @jamieeduncan
>


-- 
P. Larry Nelson (217-244-9855) | Systems/Network Administrator
461 Loomis Lab                 | High Energy Physics Group
1110 W. Green St., Urbana, IL  | Physics Dept., Univ. of Ill.
MailTo:[log in to unmask]    | http://www.roadkill.com/lnelson/
-------------------------------------------------------------------
  "Information without accountability is just noise."  - P.L. Nelson
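Added example, not part of the thread above and not vendor tooling: a small POSIX sh function that applies the local rules from the forwarded campus advisory (1.0.1 through 1.0.1f affected; a 1.0.1 build with OPENSSL_NO_HEARTBEATS in its compiler flags is safe; any other version is safe) to the text of `openssl version -a`, read from stdin. The sample listings below are constructed to have the shape of that command's output and were not captured from any host. The function also carries the advisory's caveat that a distro package with a backported fix keeps its old version string, so a "vulnerable" result means "confirm against the vendor's errata", not proof of exposure.

```shell
#!/bin/sh
# Added example (not from the thread): classify the output of `openssl version -a`
# using the rules in the campus advisory quoted above.

# Print one line describing the build; input is `openssl version -a` text on stdin.
classify_openssl_version() {
    text=$(cat)
    # First "OpenSSL x.y.zL ..." line -> "x.y.zL" (drops suffixes such as "-fips").
    version=$(printf '%s\n' "$text" \
        | sed -n 's/^OpenSSL \([0-9.]*[a-z]*\).*/\1/p' | head -n 1)
    case "$version" in
        '')
            echo "unknown: could not parse version string"
            ;;
        1.0.1|1.0.1[a-f])
            # Affected range; the build-flag exception from the advisory applies.
            if printf '%s\n' "$text" | grep -q 'OPENSSL_NO_HEARTBEATS'; then
                echo "safe: $version built with OPENSSL_NO_HEARTBEATS"
            else
                # Caveat from the advisory: vendor backports keep this version string.
                echo "vulnerable: $version (unless the vendor backported the fix)"
            fi
            ;;
        *)
            echo "safe: $version is outside the affected range"
            ;;
    esac
}

# Constructed sample listings (shape of `openssl version -a`, not captured from a host).
sample_affected() {
    cat <<'EOF'
OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Thu Jan  9 04:00:00 UTC 2014
platform: linux-x86_64
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -m64 -DL_ENDIAN -O2
OPENSSLDIR: "/etc/pki/tls"
EOF
}

sample_no_heartbeats() {
    cat <<'EOF'
OpenSSL 1.0.1e 11 Feb 2013
platform: linux-x86_64
compiler: gcc -fPIC -DOPENSSL_THREADS -DOPENSSL_NO_HEARTBEATS -O2
EOF
}

sample_fixed() {
    cat <<'EOF'
OpenSSL 1.0.1g 7 Apr 2014
platform: linux-x86_64
compiler: gcc -fPIC -DOPENSSL_THREADS -O2
EOF
}

# Run over the constructed samples, then over the local build if openssl is present.
for s in sample_affected sample_no_heartbeats sample_fixed; do
    printf '%-22s %s\n' "$s:" "$($s | classify_openssl_version)"
done
if command -v openssl >/dev/null 2>&1; then
    printf '%-22s %s\n' "this host:" "$(openssl version -a 2>/dev/null | classify_openssl_version)"
fi
```

The version match is deliberately on the bare "1.0.1" plus an optional letter, so "1.0.1e-fips" (the string an EL6 build reports) is classified the same as "1.0.1e"; the advisory's spot-check grep would print the version for that case too, but would not tell you on its own whether the heartbeat flag was present in the same listing.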
