[170769] in North American Network Operators' Group


Re: Serious bug in ubiquitous OpenSSL library: "Heartbleed"

daemon@ATHENA.MIT.EDU (Maxim Khitrov)
Tue Apr 8 13:08:28 2014

In-Reply-To: <F2317B15-3F67-4BAE-B41C-9E1DAD2FDC76@ianai.net>
From: Maxim Khitrov <max@mxcrypt.com>
Date: Tue, 8 Apr 2014 13:07:00 -0400
To: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Here's mine, written in Go:

http://code.google.com/p/mxk/source/browse/go1/tlshb/

To build the binary, install Mercurial, install Go (golang.org), set
GOPATH to some empty directory, then run:

go get code.google.com/p/mxk/go1/tlshb

- Max

On Tue, Apr 8, 2014 at 12:16 PM, Patrick W. Gilmore <patrick@ianai.net> wrote:
> Lots of tools available. I'm with ferg, surprised more haven't been mentioned here.
>
> Tools to check for the bug:
>         • on your own box: https://github.com/musalbas/heartbleed-masstest/blob/master/ssltest.py
>         • online: http://filippo.io/Heartbleed/ (use carefully as they might log what you check)
>         • online: http://possible.lv/tools/hb/
>         • offline: https://github.com/tdussa/heartbleed-masstest <--- Tobias Dussa, also takes a CSV file with host names for input and ports as parameter
>         • offline: http://s3.jspenguin.org/ssltest.py
>         • offline: https://github.com/titanous/heartbleeder
>
> List of vulnerable Linux distributions: <http://www.circl.lu/pub/tr-21/>.
>
> Anyone have any more?
>
> --
> TTFN,
> patrick
>
>
> On Apr 08, 2014, at 12:11 , Jonathan Lassoff <jof@thejof.com> wrote:
>
>> For testing, I've had good luck with
>> https://github.com/titanous/heartbleeder and
>> https://gist.github.com/takeshixx/10107280
>>
>> Both are mostly platform-independent, so they should be able to work even
>> if you don't have a modern OpenSSL to test with.
>>
>> Cheers and good luck (you're going to need it),
>> jof
>>
>> On Tue, Apr 8, 2014 at 5:03 PM, Michael Thomas <mike@mtcc.com> wrote:
>>
>>> Just as a data point, I checked the servers I run and it's a good thing I
>>> didn't reflexively update them first.
>>> On Centos 6.0, the default openssl is 1.0.0, which supposedly doesn't have
>>> the vulnerability, but the ones queued up for update do. I assume that
>>> redhat will get the patched version soon, but be careful!
>>>
>>> Mike
>>>
>>>
>>> On 04/07/2014 10:06 PM, Paul Ferguson wrote:
>>>
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA256
>>>>
>>>> I'm really surprised no one has mentioned this here yet...
>>>>
>>>> FYI,
>>>>
>>>> - - ferg
>>>>
>>>>
>>>>
>>>> Begin forwarded message:
>>>>
>>>>> From: Rich Kulawiec <rsk@gsp.org>
>>>>> Subject: Serious bug in ubiquitous OpenSSL library: "Heartbleed"
>>>>> Date: April 7, 2014 at 9:27:40 PM EDT
>>>>>
>>>>> This reaches across many versions of Linux and BSD and, I'd
>>>>> presume, into some versions of operating systems based on them.
>>>>> OpenSSL is used in web servers, mail servers, VPNs, and many other
>>>>> places.
>>>>>
>>>>> Writeup: Heartbleed: Serious OpenSSL zero day vulnerability revealed
>>>>> http://www.zdnet.com/heartbleed-serious-openssl-zero-day-vulnerability-revealed-7000028166/
>>>>>
>>>>> Technical details: Heartbleed Bug http://heartbleed.com/
>>>>>
>>>>> OpenSSL versions affected (from link just above):
>>>>>   OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
>>>>>   OpenSSL 1.0.1g is NOT vulnerable (released today, April 7, 2014)
>>>>>   OpenSSL 1.0.0 branch is NOT vulnerable
>>>>>   OpenSSL 0.9.8 branch is NOT vulnerable
>>>>>
>>>>>
>>>> - -- Paul Ferguson
>>>> VP Threat Intelligence, IID
>>>> PGP Public Key ID: 0x54DC85B2
>>>> -----BEGIN PGP SIGNATURE-----
>>>> Version: GnuPG v2.0.22 (MingW32)
>>>> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>>>>
>>>> iF4EAREIAAYFAlNDg9gACgkQKJasdVTchbIrAAD9HzKaElH1Tk0oIomAOoSOvfJf
>>>> 3Dvt4QB54os4/yewQQ8A/0dhFZ/YuEdA81dkNfR9KIf1ZF72CyslSPxPvkDcTz5e
>>>> =aAzE
>>>> -----END PGP SIGNATURE-----
>>>>
>>>
>>>
>>>
>
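What every checker in the thread above is probing for is a missing length check in the TLS heartbeat handler (RFC 6520). The following Go model is an added illustration, not code from this thread, from the tlshb tool, or from OpenSSL itself: it builds a heartbeat message, then processes it once the way 1.0.1 through 1.0.1f did (trusting the message's own payload_length and copying that many bytes) and once with the bounds check that 1.0.1g added. The byte slice named heap, the offsets, the sample "secret" and all function names are assumptions made for the model; nothing here opens a socket.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Added illustration, not code from this thread or from any tool linked in it.
// Heartbeat message layout (RFC 6520): 1-byte type, 2-byte payload_length,
// payload, then at least 16 bytes of padding. Names and the "heap" model are
// assumptions for this example; no network I/O is involved.

const (
	hbRequest  = 1
	hbResponse = 2
	minPadding = 16 // RFC 6520: at least 16 bytes of padding
	hbHeader   = 3  // 1-byte type + 2-byte payload_length
)

var errBadLength = errors.New("heartbeat: payload_length does not fit in record")

// buildHeartbeat encodes a request. claimedLen is written into payload_length
// independently of len(payload); a Heartbleed probe sets it far larger.
func buildHeartbeat(payload []byte, claimedLen uint16) []byte {
	msg := make([]byte, hbHeader, hbHeader+len(payload)+minPadding)
	msg[0] = hbRequest
	binary.BigEndian.PutUint16(msg[1:3], claimedLen)
	msg = append(msg, payload...)
	return append(msg, make([]byte, minPadding)...) // zero padding for the model
}

// layoutHeap places the received record at offset 0 with other process data
// (a constructed sample) directly after it, as a record buffer might sit in
// memory. Both echo functions take the heap plus the record's offset/length.
func layoutHeap(record, adjacent []byte) []byte {
	return append(append([]byte{}, record...), adjacent...)
}

// encodeResponse wraps an echoed payload in a heartbeat_response message.
func encodeResponse(payload []byte) []byte {
	resp := make([]byte, hbHeader, hbHeader+len(payload)+minPadding)
	resp[0] = hbResponse
	binary.BigEndian.PutUint16(resp[1:3], uint16(len(payload)))
	resp = append(resp, payload...)
	return append(resp, make([]byte, minPadding)...)
}

// vulnerableEcho mirrors the pre-1.0.1g logic: it reads payload_length from
// the message and copies that many bytes from the start of the payload, never
// comparing it with the record length. The copy runs past the record into
// whatever follows it; the model only refuses to read past the modelled heap.
func vulnerableEcho(heap []byte, off, recLen int) ([]byte, error) {
	if recLen < hbHeader {
		return nil, errors.New("heartbeat: truncated record")
	}
	claimed := int(binary.BigEndian.Uint16(heap[off+1 : off+3]))
	start, end := off+hbHeader, off+hbHeader+claimed
	if end > len(heap) {
		return nil, errors.New("model: read would leave modelled memory")
	}
	return encodeResponse(heap[start:end]), nil
}

// fixedEcho applies the 1.0.1g check: header, claimed payload and mandatory
// padding must all fit inside the record, otherwise the message is discarded.
func fixedEcho(heap []byte, off, recLen int) ([]byte, error) {
	if hbHeader+minPadding > recLen {
		return nil, errBadLength
	}
	claimed := int(binary.BigEndian.Uint16(heap[off+1 : off+3]))
	if hbHeader+claimed+minPadding > recLen {
		return nil, errBadLength
	}
	start := off + hbHeader
	return encodeResponse(heap[start : start+claimed]), nil
}

// responsePayload extracts the echoed payload for inspection.
func responsePayload(resp []byte) []byte {
	n := int(binary.BigEndian.Uint16(resp[1:3]))
	return resp[hbHeader : hbHeader+n]
}

func main() {
	secret := []byte("-----BEGIN RSA PRIVATE KEY----- (constructed sample)")
	payload := []byte("hello")
	// Honest request: both code paths echo the 5-byte payload.
	honest := buildHeartbeat(payload, uint16(len(payload)))
	heap := layoutHeap(honest, secret)
	r, _ := fixedEcho(heap, 0, len(honest))
	fmt.Printf("fixed, honest request echoes %q\n", responsePayload(r))
	// Probe: 5 bytes sent, 5+16+len(secret) claimed.
	claimed := uint16(len(payload) + minPadding + len(secret))
	probe := buildHeartbeat(payload, claimed)
	heap = layoutHeap(probe, secret)
	if r, err := vulnerableEcho(heap, 0, len(probe)); err == nil {
		fmt.Printf("vulnerable: leaked %q\n", responsePayload(r)[len(payload)+minPadding:])
	}
	if _, err := fixedEcho(heap, 0, len(probe)); err != nil {
		fmt.Println("fixed:", err)
	}
}
```

The network checkers listed earlier do the same thing against a live server: send a request whose payload_length exceeds the bytes actually sent and see whether the response comes back longer than what was sent. A server that answers with extra bytes is vulnerable; one that drops the message (or closes the connection) is running the fixed code path. Because distributions backport fixes without bumping the version string, that behavioural probe is a better check than `openssl version` alone, which is the point of Michael Thomas's Centos observation above.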

