 Heartbleed Vulnerability (10 Replies, Read 9445 times)
mark012492
Group: Member
Post Group: Newbie
Posts: 7
Will you be releasing an update for the openssl app to address the heartbleed vulnerability or do I need to compile from source?


rhn.redhat.com/errata/RHSA-2014-0376.html
heartbleed.com
www.openssl.org/news/secadv_20140407.txt
www.spinics.net/lists/centos-announce/msg04911.html


Heartbleed Vulnerability
divij
Group: Member
Post Group: Elite Member
Posts: 290
Hi,

Sir, we have launched the new version of OpenSSL.

Please open a support ticket with your server root details and we will install it on your server.

Heartbleed Vulnerability
mark012492
Group: Member
Post Group: Newbie
Posts: 7
As I currently have quite a few servers, could you please post a wiki or instructions on how to do it so I can push it out to all of them.

Regards,

Heartbleed Vulnerability
teyhouse
Group: Member
Post Group: Newbie
Posts: 3
I managed to fix it myself. I tested everything with the latest OpenSSL binary and it worked very well:

Just download the latest OpenSSL-Files:
http://slproweb.com/download/Win32OpenSSL_Light-1_0_1g.exe

Extract them to a place of your choice, then copy and replace the libeay32.dll, libssl32.dll and ssleay32.dll from the main folder (the place you extracted your files to) and all the files within the bin folder into the ampps apache/bin folder. Restart ampps and everything is "secure" - by whatever this means to you :-D

Heartbleed Vulnerability
mark012492
Group: Member
Post Group: Newbie
Posts: 7
Hey, thanks for the update, and I hope that any Windows users benefit; however, I am running CentOS, so that does not apply.



Heartbleed Vulnerability
teyhouse
Group: Member
Post Group: Newbie
Posts: 3
Even if you are running CentOS, replacing the OpenSSL binaries should work for you.

Heartbleed Vulnerability
peopleinside
Group: Member
Post Group: Super Member
Posts: 1394
Will the new OpenSSL version be installed with the next update, or do I have to open a support ticket?


-----------------------
PeopleInside

Web, security, open source passionate.

Heartbleed Vulnerability
valley
Group: Webuzo Team
Post Group: Super Member
Posts: 1644
Follow this guide for the FIX
http://www.webuzo.com/blog/how-to/heartbleed-vulnerability-fix-on-webuzo-2654.html


-----------------------
Webuzo : Single User Control Panel

Heartbleed Vulnerability
mark012492
Group: Member
Post Group: Newbie
Posts: 7
Excellent. Verified that it works. Thank you.
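The CentOS fleet check asked for earlier in the thread, as an added example that is not part of the Webuzo guide or any post here. It classifies an "openssl version" string against the 1.0.1g build linked above, looks for the backported fix in the rpm changelog, and lists services still running with the old library mapped, which a package update alone does not restart. The changelog wording and the CentOS 1.0.1e version string are assumptions.

```shell
#!/bin/sh
# Added example (not from the Webuzo guide or any post above): post-patch Heartbleed
# checks for a CentOS host. Assumes an rpm/yum based system and a mounted /proc.
# Usage: sh heartbleed_check.sh report
# Return 0 (update needed) when "$1" is an `openssl version` string for a 1.0.1
# build older than 1.0.1g, the fixed build named earlier in this thread; 1 otherwise.
openssl_needs_heartbleed_update() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9.]*[a-z]*\).*/\1/p')
    case "$ver" in
        1.0.1|1.0.1[a-f]) return 0 ;;   # 1.0.1 through 1.0.1f
        *) return 1 ;;
    esac
}
# CentOS/RHEL backport the fix without bumping the version (the string stays 1.0.1e),
# so the version check above gives a false alarm on a patched host. The package
# changelog is the authoritative record; "$1" is the pattern to look for (assumption:
# the fix entry mentions the heartbeat extension, as the advisory does).
openssl_rpm_changelog_mentions() {
    rpm -q --changelog openssl 2>/dev/null | grep -qi "$1"
}
# Print "PID command" for every process still mapping a deleted libssl/libcrypto.
# Those services (Apache, nginx, the control panel) were started before the update
# and keep the old code in memory until they are restarted.
processes_with_stale_openssl() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        if grep -E 'lib(ssl|crypto)\.so[^ ]* \(deleted\)' "$maps" >/dev/null 2>&1; then
            printf '%s %s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
        fi
    done
}
heartbleed_report() {
    v=$(openssl version 2>/dev/null)
    if openssl_needs_heartbleed_update "$v"; then
        if openssl_rpm_changelog_mentions heartbeat; then
            echo "openssl: $v (backported fix present in rpm changelog)"
        else
            echo "openssl: $v (VULNERABLE build, no fix in changelog: run yum update openssl)"
        fi
    else
        echo "openssl: ${v:-not installed} (not a pre-1.0.1g 1.0.1 build)"
    fi
    stale=$(processes_with_stale_openssl)
    [ -n "$stale" ] && printf 'restart these (old libssl still mapped):\n%s\n' "$stale"
    return 0
}
case "${1:-}" in report) heartbleed_report ;; esac
```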

Heartbleed Vulnerability
valley
Group: Webuzo Team
Post Group: Super Member
Posts: 1644
Glad to learn that it worked for you!!!

-----------------------
Webuzo : Single User Control Panel

Heartbleed Vulnerability
optsoft
Group: Member
Post Group: Newbie
Posts: 38
Background:

If I understood Heartbleed correctly, there was a pointer assignment without a bounds check in the C source code of the heartbeat extension to OpenSSL, leading to a buffer overflow attack wherein a correctly crafted heartbeat request would make a vulnerable server dump up to 64k blocks of RAM with no checks on whether that 64k block crosses over into RAM areas of other apps.

This means HB allows an attacker to slowly read the RAM contents of the server.

This means the following are possibly compromised (assuming worst case):
1. unix usernames - so if you made any smart username to get some additional security, that's gone. Not only that: if /etc/passwd is read, then all additional users by and for OS services are also exposed.
2. unix password hash - depending on how good the attacker is at reversing / matching hashes, your password is gone. If there is an area in RAM (timing is important) that your password is being compared with the hash (you are logging in) then your password is in plaintext - for computing the hash to compare with the stored one.
3. SSL certificates, private keys - this is the real blow.
The attacker does nothing, just reads your certs and keys and henceforth copies all encrypted traffic between you and the server, and puts a couple of servers to the task of decrypting your entire traffic. In maybe 10MB of traffic that you cause in one session logged in to any secure app, at 2-3 locations passwords will be moved around. This is what he is looking for.
Slowly, he builds a database of all your information.
Attacker does this for every server that is HB vulnerable and attacks communication and all users of all such servers.
Now he has a huge DB of private info to sell. He may also sell the certs and keys on the darknet.

Effectively, you as a user, and worse, as a server administrator, have no idea how much data has been slowly accumulated by some random node on the internet between you and the server. Or if you are not paying attention to your logs, maybe someone has logged in and read everything.
And you won't know a thing about it.

Question:

The most worrying part is that your certificates and keys that you use, thinking that you have patched the HB vulnerability are still known to the attacker.

So any Heartbleed vulnerable server is not cleaned up until every password of every user is changed AFTER every SSL key and SSL cert is revoked and reissued. Am I right?

I deleted and re-issued all my Apache SSL keys and certs.

However, I am unable to delete and re-issue the control panel certificate. Please instruct as to how that is done. I changed all certs and keys from IP to primary domain to all addon domains.
But the SSL cert I get on the control ports has not changed.

I guess this is the cert with webuzo's nginx and it might have a separate location from certs for the web server?

Thanks in advance.
optsoft