Threat Level: green Handler on Duty: Rob VandenBrink

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2014-04-09 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Testing for Heartbleed

Published: 2014-04-09
Last Updated: 2014-04-09 21:53:10 UTC
by Mark Hofman (Version: 1)
6 comment(s)

There are a fair few sites popping up testing for this issue.  I know this is possibly overly motherly, sorry, but be careful.  You may not know who is running the site, what they are actually testing for and what is done with the information collected.  Consider sticking to the main sites and known security organisations.  

Metasploit now has a module out (https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb). NMAP likewise has a check.  QUALYS has their SSLLABS page.  Other security vendors are also providing checks in their scanning products.  

Not saying the free scanners are "evil", just saying be careful what you use.  

Cheers

Mark H

Keywords:
6 comment(s)

Heartbleed vendor notifications

Published: 2014-04-09
Last Updated: 2014-04-09 21:45:56 UTC
by Mark Hofman (Version: 1)
76 comment(s)
As people are running around having an entertaining day we thought it might be a good idea to keep track of the various vendor notifications.   I'd like to start a list here and either via comments or sending it let us know of vendor notifications relating to this issue.   Please provide comments to the original article relating to the vulnerability itself,  and use this post to only provide links to vendor notifications rather than articles etc about the issue.  
 
So far:  
  • CACert - https://blog.cacert.org/2014/04/openssl-heartbleed-bug/
  • Cisco - http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed
  • Fortinet - http://www.fortiguard.com/advisory/FG-IR-14-011/
  • Gentoo Linux - http://www.gentoo.org/security/en/glsa/glsa-201404-07.xml
  • Juniper -  http://kb.juniper.net/InfoCenter/index?page=content&id=KB29004 (login required)
  • Juniper - http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10623
  • F5 - http://support.f5.com/kb/en-us/solutions/public/15000/100/sol15159.html
  • Novell - http://support.novell.com/security/cve/CVE-2014-0160.html 
  • OpenVPN - https://community.openvpn.net/openvpn/wiki/heartbleed
  • Aruba - http://www.arubanetworks.com/support/alerts/aid-040814.asc
  • CheckPoint - https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk100173
  • openssl - https://www.openssl.org/news/secadv_20140407.txt
  • redhat - https://access.redhat.com/security/cve/CVE-2014-0160
  • Slackware - hxxp://www.slackware.com/security/viewer.php?l=slackware-security&y=2014&m=slackware-security.533622
  • sparklabs/viscosity openvpn client - https://www.sparklabs.com/viscosity/releasenotes/
  • watchguard - http://watchguardsecuritycenter.com/2014/04/08/the-heartbleed-openssl-vulnerability-patch-openssl-asap/
  • viscosity - https://www.sparklabs.com/blog/
There are no doubt more please add them via comments.   Please stick to security related products, operating systems and core infrastructure items.  
 
Apple users: OS X Mavericks (10.9) ships by default with OpenSSL 0.9.8. However, if you are using mac ports, OpenSSL 1.0.1 is installed. An update is available (run "sudo upgrade outdated").
 
an NMAP script has also been released to check for the vunerability According to the tweet "script ssl-heartbleed.nse committed to #nmap as rev 32798"  That should help speed up checking.  
 
We have started seeing active checking for this issue, so I would encourage people to hurry up and patch. 
 
Cheers
 
Mark H
Keywords:
76 comment(s)
ISC StormCast for Wednesday, April 9th 2014 http://isc.sans.edu/podcastdetail.html?id=3927
Diary Archives