[170766] in North American Network Operators' Group


Re: Serious bug in ubiquitous OpenSSL library: "Heartbleed"

daemon@ATHENA.MIT.EDU (Patrick W. Gilmore)
Tue Apr 8 12:18:19 2014

From: "Patrick W. Gilmore" <patrick@ianai.net>
In-Reply-To: <CAHsqw9t+kfSvYJxDMS2CbEEZZ-8-sFTg-3chngNq6+BxCphh4w@mail.gmail.com>
Date: Tue, 8 Apr 2014 12:16:12 -0400
To: NANOG list <nanog@nanog.org>

Lots of tools available. I'm with ferg, surprised more haven't been mentioned here.

Tools to check for the bug:
	• on your own box: https://github.com/musalbas/heartbleed-masstest/blob/master/ssltest.py
	• online: http://filippo.io/Heartbleed/ (use carefully as they might log what you check)
	• online: http://possible.lv/tools/hb/
	• offline: https://github.com/tdussa/heartbleed-masstest <--- Tobias Dussa; also takes a CSV file with host names for input and ports as parameter
	• offline: http://s3.jspenguin.org/ssltest.py
	• offline: https://github.com/titanous/heartbleeder

List of vulnerable Linux distributions: <http://www.circl.lu/pub/tr-21/>.

Anyone have any more?

-- 
TTFN,
patrick


On Apr 08, 2014, at 12:11 , Jonathan Lassoff <jof@thejof.com> wrote:

> For testing, I've had good luck with
> https://github.com/titanous/heartbleeder and
> https://gist.github.com/takeshixx/10107280
>
> Both are mostly platform-independent, so they should be able to work even
> if you don't have a modern OpenSSL to test with.
>
> Cheers and good luck (you're going to need it),
> jof
>
> On Tue, Apr 8, 2014 at 5:03 PM, Michael Thomas <mike@mtcc.com> wrote:
>
>> Just as a data point, I checked the servers I run and it's a good thing I
>> didn't reflexively update them first.
>> On Centos 6.0, the default openssl is 1.0.0 which supposedly doesn't have
>> the vulnerability, but the
>> ones queued up for update do. I assume that redhat will get the patched
>> version soon but be careful!
>>
>> Mike
>>
>>
>> On 04/07/2014 10:06 PM, Paul Ferguson wrote:
>>
>>> I'm really surprised no one has mentioned this here yet...
>>>
>>> FYI,
>>>
>>> - ferg
>>>
>>>
>>> Begin forwarded message:
>>>
>>>> From: Rich Kulawiec <rsk@gsp.org>
>>>> Subject: Serious bug in ubiquitous OpenSSL library: "Heartbleed"
>>>> Date: April 7, 2014 at 9:27:40 PM EDT
>>>>
>>>> This reaches across many versions of Linux and BSD and, I'd
>>>> presume, into some versions of operating systems based on them.
>>>> OpenSSL is used in web servers, mail servers, VPNs, and many other
>>>> places.
>>>>
>>>> Writeup: Heartbleed: Serious OpenSSL zero day vulnerability revealed
>>>> http://www.zdnet.com/heartbleed-serious-openssl-zero-day-vulnerability-revealed-7000028166/
>>>>
>>>> Technical details: Heartbleed Bug http://heartbleed.com/
>>>>
>>>> OpenSSL versions affected (from link just above):
>>>>   OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
>>>>   OpenSSL 1.0.1g is NOT vulnerable (released today, April 7, 2014)
>>>>   OpenSSL 1.0.0 branch is NOT vulnerable
>>>>   OpenSSL 0.9.8 branch is NOT vulnerable
>>>>
>>>>
>>> -- Paul Ferguson
>>> VP Threat Intelligence, IID
>>> PGP Public Key ID: 0x54DC85B2
>>>
>>
>>
>>



