Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2014-04-11 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Heartbleed Fix Available for Download for Cisco Products

Published: 2014-04-11
Last Updated: 2014-04-11 23:42:27 UTC
by Guy Bruneau (Version: 1)
0 comment(s)

The following Cisco products that were previously identified as vulnerable and have been remediated:

Cisco Registered Envelope Service (CRES)
Cisco Webex Messenger Service
Cisco USC Invicta Series Autosupport Portal

This following software has been fixed and is available for download, for all affected products:

Cisco AnyConnect Secure Mobility Client for iOS - Fixed in version 3.0(9353)
Cisco WebEx Messenger Server - Fixed in 2.0MR2
Cisco TelePresence Video Communication Server (VCS) - Fixed in X8.1.1

For additional information on Cisco product, follow this Cisco Security Advisory.

[1] http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

0 comment(s)
Tonight OpenSSL Webcast #4: Client Side Issues / What to tell your kids & managers about it https://www.sans.org/webcasts/side-heartbleed-client-vulnerabilities-98135
VMware Security Advisories / Patches released for 2 issues (NOT Heartbleed) - http://www.vmware.com/security/advisories/VMSA-2014-0003.html and http://www.vmware.com/security/advisories/VMSA-2014-0002.html

The Other Side of Heartbleed - Client Vulnerabilities

Published: 2014-04-11
Last Updated: 2014-04-11 12:16:23 UTC
by Rob VandenBrink (Version: 1)
3 comment(s)

We're getting reports of client applications that are vulnerable to the heartbleed issue.  Just as with server applications, these client applications are dependant on vulnerable versions of OpenSSL.

Another "patch soon" problem, you say?  The patch will be installed when the vendor ...  oh, wait a minute.  Just exactly when will your TV's manufacturer update the web browser on your TV?  And when will you be applying that patch?  How about your in-laws TV?  This vulnerability on the client side has the potential to be much longer-lived than on servers.

This combines the problem of the specific heartbleed vulnerabilty with the problem of embedded devices that may never be updated.  Or devices that are updated by vendors for a year or two after release, then abandoned when the new model comes out - home routers and TV sets are great examples of this situation, but so are medical devices.

To add to that list, there is a large contingent of Android phones that have updates maintained by the carrier instead of the manufacturer (google), and do not see frequent updates, or may never see an update.  These devices are used daily for almost everything - online banking comes immediately to mind.  The combination of a general purpose device and a vulnerability that exposes memory to an attacker (in this case, a malicious or infected server) has the potential for some widespread mayhem, for as long as that device remains in service (years instead of weeks or months)

Other applications that encrypt but we don't often think of as "clients" include traditional database software, cloud services clients, dedicated / custom browsers for online services like entertainment, even device drivers for hardware all need to be assessed.  It's also easy to say "client application XX is vulnerable", but that client application might exist on your PC, multiple tablet or phone platforms, TVs, DVRs, excercise equipment, fridges, thermostats - the list grows to include things that are smaller and smaller, that are less and less likely to be updated.

Client applications that are currently reported as vulnerable are:

  •     MariaDB 5.5.36
  •     wget 1.15 (leaks memory of earlier connections and own state)
  •     curl 7.36.0
  •     git 1.9.1 (tested clone / push, leaks not much)
  •     nginx 1.4.7 (in proxy mode, leaks memory of previous requests)
  •     links 2.8 (leaks contents of previous visits!)
  •     OwnCloud

(from http://security.stackexchange.com/questions/55119/does-the-heartbleed-vulnerability-affect-clients-as-severely )

If you've got confirmation of other vulnerable client applications, please post the relevant information (with links) in our comment section. 

===============
Rob VandenBrink
Metafore

Keywords: client heartbleed
3 comment(s)

How to talk to your kids (or manager) about "Heartbleed"

Published: 2014-04-11
Last Updated: 2014-04-11 12:15:54 UTC
by Johannes Ullrich (Version: 1)
6 comment(s)

With more mass-media attention to the heartbleed bug, we are getting more questions from "normal users" about the heartbleed bug.

The "Heartbleed" bug is not affecting end users using Windows. It does not affect standard Windows browsers (Internet Explorer, Firefox, Chrome). It may affect some selected third party software, but most likely, you do not need to patch anything. The only widely used consumer platform vulnerable is Android 4.1.1, but there isn't much you can do about it but wait for a patch for your phone.

However, it is possible that a web site you used is or was affected by "Heartbleed". The result may be that the password you are using on the site was captured by someone attacking this site. So you may need to change the password that you used on the site.

How do I know if a site is/was vulnerable?

Your best bet is https://lastpass.com/heartbleed/ . They will show you if a site is vulnerable right now, or may have been vulnerable in the past. Tehre is a chance that the site received a new certificate that still uses the old issue date, which can lead to sites being identified as "not fixed". 

Should I change my password?

If you think the site was vulnerable, and is no longer vulnerable, then you should change your password. If in doubt, change your password. Changing your password while the site is still vulnerable probably doesn't hurt, but the new password may leak again, so the change may not help.

Should I avoid sites that are still vulnerable?

Yes

I received an e-mail from a site I use asking me to change my password. Should I do so?

First of all: Don't click on any links in this email. Then go to the website and change your password (even if the e-mail was a fake, it doesn't hurt to change your password as long as you are sure you go to the right site). Use the "lastpass" URL above to check if the site is/was vulnerable.

What else should I do?

Standard "safe computing" practices: use difficult to guess passwords, keep your system up to date, use anti-malware, be cautious with links distributed via e-mail.

And how do I explain the problem that caused all this?

XKCD has a great cartoon explaining it: http://imgs.xkcd.com/comics/heartbleed_explanation.png . The short summary: If an SSL connection is idle, heartbeat messages are used to chck if the other side is still listening. For example, the browser sends a message "if you are still alive, reply by sending the 3 letter word 'dog'", and the server replies with "dog". To trigger the bug, the client would send "reply with the 500 letter word 'cow'". Since "cow" only got 3 letters, the server will make up the missing 497 bytes with data from memory, and this data may contain other things the server was working on, like users passwords or private encryption keys.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords:
6 comment(s)
Diary Archives