Re: Serious bug in ubiquitous OpenSSL library: "Heartbleed"

2014-04-08 Thread Doug Barton

On 04/08/2014 10:28 PM, Matt Palmer wrote:
> On Wed, Apr 09, 2014 at 12:18:00AM -0500, jamie rishaw wrote:
>> Here's the only way to keep a system safe from Internet hackers:
>>
>> http://goo.gl/ZvGrXw  [google images]
>
> /me is disappointed that wasn't a pair of scissors

... or a backhoe




Re: Serious bug in ubiquitous OpenSSL library: "Heartbleed"

2014-04-08 Thread Matt Palmer
On Wed, Apr 09, 2014 at 12:18:00AM -0500, jamie rishaw wrote:
> Here's the only way to keep a system safe from Internet hackers:
> 
> http://goo.gl/ZvGrXw  [google images]

/me is disappointed that wasn't a pair of scissors

- Matt

-- 
Sure, it's possible to write C in an object-oriented way.  But, in practice,
getting an entire team to do that is like telling them to walk along a
straight line painted on the floor, with the lights off.
-- Tess Snider, slug-c...@slug.org.au




Re: Serious bug in ubiquitous OpenSSL library: "Heartbleed"

2014-04-08 Thread jamie rishaw
Here's the only way to keep a system safe from Internet hackers:

http://goo.gl/ZvGrXw  [google images]

-j



Re: Serious bug in ubiquitous OpenSSL library: "Heartbleed"

2014-04-08 Thread bmanning
On Tue, Apr 08, 2014 at 11:46:31PM -0400, Rob Seastrom wrote:
> 
> Me  writes:
> 
> > Thanks for the expanded list, I had some of these already. I'm not
> > comfortable in letting some online code that I can't see test my site
> > though.
> 
> If that's true, you might want to consider immediately disconnecting
> your systems from the Internet and never re-connecting them.  After
> all, theres a lot of online unseen code testing your site already
> whether you like it or not.
> 
> -r
> 

Diodes


/bill



Re: Serious bug in ubiquitous OpenSSL library: "Heartbleed"

2014-04-08 Thread Rob Seastrom

Me  writes:

> Thanks for the expanded list, I had some of these already. I'm not
> comfortable in letting some online code that I can't see test my site
> though.

If that's true, you might want to consider immediately disconnecting
your systems from the Internet and never re-connecting them.  After
all, theres a lot of online unseen code testing your site already
whether you like it or not.

-r




Re: Serious bug in ubiquitous OpenSSL library: "Heartbleed"

2014-04-08 Thread bmanning
On Tue, Apr 08, 2014 at 05:56:45PM -0600, Me wrote:
> 
> On 04/08/2014 10:16 AM, Patrick W. Gilmore wrote:
> >Lots of tools available. I'm with ferg, surprised more haven't been 
> >mentioned here.
> >
> >Tools to check for the bug:
> > • on your own box: 
> > https://github.com/musalbas/heartbleed-masstest/blob/master/ssltest.py
> > • online: http://filippo.io/Heartbleed/ (use carefully as they might 
> > log what you check)
> > • online: http://possible.lv/tools/hb/
> > • offline: https://github.com/tdussa/heartbleed-masstest <--- Tobias 
> > Dussa, also Takes a CSV file with host names for input and ports as 
> > parameter
> > • offline: http://s3.jspenguin.org/ssltest.py
> > • offline: https://github.com/titanous/heartbleeder
> >
> >List of vulnerable Linux distributions: .
> >
> >Anyone have any more?
> >
> Thanks for the expanded list, I had some of these already. I'm not
> comfortable in letting some online code that I can't see test my
> site though.
> 
> --John

or, there is this:   http://git.openssl.org/gitweb/?p=openssl.git

/bill



Re: Serious bug in ubiquitous OpenSSL library: "Heartbleed"

2014-04-08 Thread Me


On 04/08/2014 10:16 AM, Patrick W. Gilmore wrote:
> Lots of tools available. I'm with ferg, surprised more haven't been mentioned
> here.
>
> Tools to check for the bug:
> • on your own box:
> https://github.com/musalbas/heartbleed-masstest/blob/master/ssltest.py
> • online: http://filippo.io/Heartbleed/ (use carefully as they might
> log what you check)
> • online: http://possible.lv/tools/hb/
> • offline: https://github.com/tdussa/heartbleed-masstest <--- Tobias
> Dussa, also Takes a CSV file with host names for input and ports as parameter
> • offline: http://s3.jspenguin.org/ssltest.py
> • offline: https://github.com/titanous/heartbleeder
>
> List of vulnerable Linux distributions: .
>
> Anyone have any more?

Thanks for the expanded list, I had some of these already. I'm not 
comfortable in letting some online code that I can't see test my site 
though.


--John



any network folks from github.com here?

2014-04-08 Thread Dave Curado
Please contact me off list?

Thank you.




Re: Serious bug in ubiquitous OpenSSL library: "Heartbleed"

2014-04-08 Thread Alain Hebert
Hi,

I was wondering why most of my secure services didn't show up as
vulnerable...

-

It does not seem to affect those services that require a valid user
certificate.

aka, in apache 2.2

SSLVerifyClient Require
SSLVerifyDepth 1 (up to 10)

I couldn't find a way to use the HB before satisfying the verify.

I might be wrong.
   
-
Alain Hebert                aheb...@pubnix.net
PubNIX Inc.
50 boul. St-Charles
P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
Tel: 514-990-5911  http://www.pubnix.net   Fax: 514-990-9443

On 04/08/14 08:18, David Hubbard wrote:
> Don't forget to restart every daemon that was using the old library as
> well, or just reboot.
>
> -Original Message-
> From: Peter Kristolaitis [mailto:alte...@alter3d.ca]
> Sent: Tuesday, April 08, 2014 1:19 AM
> To: nanog@nanog.org
> Subject: Re: Serious bug in ubiquitous OpenSSL library: "Heartbleed"
>
> Not just run the updates -- all private keys should be changed too, on
> the assumption that they've been compromised already.  THAT is going to
> be the crappy part of this.
>
> - Pete
>
>
> On 4/8/2014 1:13 AM, David Hubbard wrote:
>> RHEL and CentOS both have patches out as of a couple hours ago, so run
>> those updates!  CentOS' mirrors do not all have it yet, so if you are
>> updating, make sure you get the
>> 1.0.1e-16.el6_5.7 version and not older.
>>
>> David
>>
>> -Original Message-
>> From: Paul Ferguson [mailto:fergdawgs...@mykolab.com]
>> Sent: Tuesday, April 08, 2014 1:07 AM
>> To: NANOG
>> Subject: Fwd: Serious bug in ubiquitous OpenSSL library: "Heartbleed"
>>
> I'm really surprised no one has mentioned this here yet...
>
> FYI,
>
> - ferg
>
>
>
> Begin forwarded message:
>
> >>> From: Rich Kulawiec  Subject: Serious bug in ubiquitous
> >>> OpenSSL library: "Heartbleed" Date: April 7, 2014 at 9:27:40 PM EDT
> >>>
> >>> This reaches across many versions of Linux and BSD and, I'd presume,
> >>> into some versions of operating systems based on them.
> >>> OpenSSL is used in web servers, mail servers, VPNs, and many other
> >>> places.
> >>>
> >>> Writeup: Heartbleed: Serious OpenSSL zero day vulnerability revealed
> >>> http://www.zdnet.com/heartbleed-serious-openssl-zero-day-vulnerability-revealed-728166/
> >>>
> >>> Technical details: Heartbleed Bug http://heartbleed.com/
> >>>
> >>> OpenSSL versions affected (from link just above):  OpenSSL 1.0.1
> >>> through 1.0.1f (inclusive) are vulnerable OpenSSL 1.0.1g is NOT
> >>> vulnerable (released today, April 7, 2014) OpenSSL 1.0.0 branch is
> >>> NOT vulnerable OpenSSL 0.9.8 branch is NOT vulnerable




Re: Serious bug in ubiquitous OpenSSL library: "Heartbleed"

2014-04-08 Thread Chris Adams
Once upon a time, Frank Bulk  said:
> If we would front our HTTPS services with a (OpenSSL vulnerable)
> load-balancer that does the SSL work and we just use HTTP to the service,
> will that mitigate information loss that's possible with this exploit?  Or
> will the OpenSSL code on the load-balancer also store or "cache" content?

One of the biggest risks that could be exposed in this particular case
is the SSL private key.  If your front end is handling SSL with OpenSSL,
it'll have the key, and that is vulnerable.

-- 
Chris Adams 



Re: Serious bug in ubiquitous OpenSSL library: "Heartbleed"

2014-04-08 Thread Laszlo Hanyecz
You can still potentially access all the same information since it all goes 
through the load balancer.  Interesting bits of info are things like Cookie: 
headers being sent by clients and sitting in a buffer.  Try one of the testing 
tools mentioned and see if you can see any info from other clients.  It's 
almost like having remote tcpdump on the web server - you can copy down the 
in-memory process image.

-Laszlo


On Apr 8, 2014, at 7:12 PM, "Frank Bulk"  wrote:

> If we would front our HTTPS services with a (OpenSSL vulnerable)
> load-balancer that does the SSL work and we just use HTTP to the service,
> will that mitigate information loss that's possible with this exploit?  Or
> will the OpenSSL code on the load-balancer also store or "cache" content?
> 
> Frank
> 
> -Original Message-
> From: Paul Ferguson [mailto:fergdawgs...@mykolab.com] 
> Sent: Tuesday, April 08, 2014 12:07 AM
> To: NANOG
> Subject: Fwd: Serious bug in ubiquitous OpenSSL library: "Heartbleed"
> 
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
> 
> I'm really surprised no one has mentioned this here yet...
> 
> FYI,
> 
> - - ferg
> 
> 
> 
> Begin forwarded message:
> 
>> From: Rich Kulawiec  Subject: Serious bug in
>> ubiquitous OpenSSL library: "Heartbleed" Date: April 7, 2014 at
>> 9:27:40 PM EDT
>> 
>> This reaches across many versions of Linux and BSD and, I'd
>> presume, into some versions of operating systems based on them.
>> OpenSSL is used in web servers, mail servers, VPNs, and many other
>> places.
>> 
>> Writeup: Heartbleed: Serious OpenSSL zero day vulnerability
>> revealed
>> http://www.zdnet.com/heartbleed-serious-openssl-zero-day-vulnerability-revealed-728166/
>>
>> Technical details: Heartbleed Bug http://heartbleed.com/
>> 
>> OpenSSL versions affected (from link just above):  OpenSSL 1.0.1
>> through 1.0.1f (inclusive) are vulnerable OpenSSL 1.0.1g is NOT
>> vulnerable (released today, April 7, 2014) OpenSSL 1.0.0 branch is
>> NOT vulnerable OpenSSL 0.9.8 branch is NOT vulnerable
>> 
> 
> 
> - -- 
> Paul Ferguson
> VP Threat Intelligence, IID
> PGP Public Key ID: 0x54DC85B2




RE: Serious bug in ubiquitous OpenSSL library: "Heartbleed"

2014-04-08 Thread Frank Bulk
If we would front our HTTPS services with a (OpenSSL vulnerable)
load-balancer that does the SSL work and we just use HTTP to the service,
will that mitigate information loss that's possible with this exploit?  Or
will the OpenSSL code on the load-balancer also store or "cache" content?

Frank

-Original Message-
From: Paul Ferguson [mailto:fergdawgs...@mykolab.com] 
Sent: Tuesday, April 08, 2014 12:07 AM
To: NANOG
Subject: Fwd: Serious bug in ubiquitous OpenSSL library: "Heartbleed"

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

I'm really surprised no one has mentioned this here yet...

FYI,

- - ferg



Begin forwarded message:

> From: Rich Kulawiec  Subject: Serious bug in
> ubiquitous OpenSSL library: "Heartbleed" Date: April 7, 2014 at
> 9:27:40 PM EDT
> 
> This reaches across many versions of Linux and BSD and, I'd
> presume, into some versions of operating systems based on them.
> OpenSSL is used in web servers, mail servers, VPNs, and many other
> places.
> 
> Writeup: Heartbleed: Serious OpenSSL zero day vulnerability
> revealed
> http://www.zdnet.com/heartbleed-serious-openssl-zero-day-vulnerability-revealed-728166/
>
> Technical details: Heartbleed Bug http://heartbleed.com/
> 
> OpenSSL versions affected (from link just above):  OpenSSL 1.0.1
> through 1.0.1f (inclusive) are vulnerable OpenSSL 1.0.1g is NOT
> vulnerable (released today, April 7, 2014) OpenSSL 1.0.0 branch is
> NOT vulnerable OpenSSL 0.9.8 branch is NOT vulnerable
> 


- -- 
Paul Ferguson
VP Threat Intelligence, IID
PGP Public Key ID: 0x54DC85B2






[NANOG-announce] NANOG on THE ROAD - LA - May 20, 2014

2014-04-08 Thread Betty Burke
The NANOG on the Road series will be coming to Los Angeles on May 20, 2014.
Hosted by NANOG in partnership with Los Nettos at the USC campus, the
program will include research and education presentations along with
relevant NANOG meeting content.  Topics to include security, IPv6,
research and commercial network differences, along with network tools
discussion.

The meeting will be held at the Radisson Hotel Los Angeles-Midtown @ USC
on Tuesday, May 20, 2014.  Registration is required, however there is no
fee to attend.  Please visit the NOTR website and register today.

The morning will include featured speakers.  Lunch will be provided,
followed by an afternoon of NANOG presentations.  The day will conclude
with a graduate student poster session during the Closing Reception.

Please pass along this information to those who may not be able to attend a
full NANOG meeting, and wish to learn more about NANOG and the topics
discussed.


Sincerely,
Betty on behalf of the NOTR Programming Committee



-- 
Betty Burke
NANOG Executive Director
48377 Fremont Boulevard, Suite 117
Fremont, CA 94538
Tel: +1 510 492 4030
___
NANOG-announce mailing list
nanog-annou...@mailman.nanog.org
http://mailman.nanog.org/mailman/listinfo/nanog-announce

Re: Serious bug in ubiquitous OpenSSL library: "Heartbleed"

2014-04-08 Thread Maxim Khitrov
Here's mine, written in Go:

http://code.google.com/p/mxk/source/browse/go1/tlshb/

To build the binary, install Mercurial, install Go (golang.org), set
GOPATH to some empty directory, then run:

go get code.google.com/p/mxk/go1/tlshb

- Max

On Tue, Apr 8, 2014 at 12:16 PM, Patrick W. Gilmore  wrote:
> Lots of tools available. I'm with ferg, surprised more haven't been mentioned 
> here.
>
> Tools to check for the bug:
> • on your own box: 
> https://github.com/musalbas/heartbleed-masstest/blob/master/ssltest.py
> • online: http://filippo.io/Heartbleed/ (use carefully as they might 
> log what you check)
> • online: http://possible.lv/tools/hb/
> • offline: https://github.com/tdussa/heartbleed-masstest <--- Tobias 
> Dussa, also Takes a CSV file with host names for input and ports as parameter
> • offline: http://s3.jspenguin.org/ssltest.py
> • offline: https://github.com/titanous/heartbleeder
>
> List of vulnerable Linux distributions: .
>
> Anyone have any more?
>
> --
> TTFN,
> patrick
>
>
> On Apr 08, 2014, at 12:11 , Jonathan Lassoff  wrote:
>
>> For testing, I've had good luck with
>> https://github.com/titanous/heartbleeder and
>> https://gist.github.com/takeshixx/10107280
>>
>> Both are mostly platform-independent, so they should be able to work even
>> if you don't have a modern OpenSSL to test with.
>>
>> Cheers and good luck (you're going to need it),
>> jof
>>
>> On Tue, Apr 8, 2014 at 5:03 PM, Michael Thomas  wrote:
>>
>>> Just as a data point, I checked the servers I run and it's a good thing I
>>> didn't reflexively update them first.
>>> On Centos 6.0, the default openssl is 1.0.0 which supposedly doesn't have
>>> the vulnerability, but the
>>> ones queued up for update do. I assume that redhat will get the patched
>>> version soon but be careful!
>>>
>>> Mike
>>>
>>>
>>> On 04/07/2014 10:06 PM, Paul Ferguson wrote:
>>>
>>>> -BEGIN PGP SIGNED MESSAGE-
>>>> Hash: SHA256
>>>>
>>>> I'm really surprised no one has mentioned this here yet...
>>>>
>>>> FYI,
>>>>
>>>> - - ferg
>>>>
>>>> Begin forwarded message:
>>>>
>>>>> From: Rich Kulawiec  Subject: Serious bug in
>>>>> ubiquitous OpenSSL library: "Heartbleed" Date: April 7, 2014 at
>>>>> 9:27:40 PM EDT
>>>>>
>>>>> This reaches across many versions of Linux and BSD and, I'd
>>>>> presume, into some versions of operating systems based on them.
>>>>> OpenSSL is used in web servers, mail servers, VPNs, and many other
>>>>> places.
>>>>>
>>>>> Writeup: Heartbleed: Serious OpenSSL zero day vulnerability
>>>>> revealed
>>>>> http://www.zdnet.com/heartbleed-serious-openssl-zero-day-vulnerability-revealed-728166/
>>>>>
>>>>> Technical details: Heartbleed Bug http://heartbleed.com/
>>>>>
>>>>> OpenSSL versions affected (from link just above):  OpenSSL 1.0.1
>>>>> through 1.0.1f (inclusive) are vulnerable OpenSSL 1.0.1g is NOT
>>>>> vulnerable (released today, April 7, 2014) OpenSSL 1.0.0 branch is
>>>>> NOT vulnerable OpenSSL 0.9.8 branch is NOT vulnerable
>>>>
>>>> - -- Paul Ferguson
>>>> VP Threat Intelligence, IID
>>>> PGP Public Key ID: 0x54DC85B2



web.de security contact

2014-04-08 Thread Ruben Rögels
Hi,

someone knowing a security contact for web.de, please contact me off list.

Thanks!

Regards,
Ruben



Re: Fwd: Serious bug in ubiquitous OpenSSL library: "Heartbleed"

2014-04-08 Thread Steve Clark

According to the changelog, the CVE is fixed now.

$ rpm -qa|grep openssl
openssl-1.0.1e-16.el6_5.7.x86_64
openssl-devel-1.0.1e-16.el6_5.7.x86_64
Tue Apr  8 12:17:25 EDT 2014
Z643357:~
$ rpm -q --changelog openssl | less
* Mon Apr 07 2014 Tomáš Mráz  1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension

On 04/08/2014 12:11 PM, Jonathan Lassoff wrote:
> For testing, I've had good luck with
> https://github.com/titanous/heartbleeder and
> https://gist.github.com/takeshixx/10107280
>
> Both are mostly platform-independent, so they should be able to work even
> if you don't have a modern OpenSSL to test with.
>
> Cheers and good luck (you're going to need it),
> jof
>
> On Tue, Apr 8, 2014 at 5:03 PM, Michael Thomas  wrote:
>
>> Just as a data point, I checked the servers I run and it's a good thing I
>> didn't reflexively update them first.
>> On Centos 6.0, the default openssl is 1.0.0 which supposedly doesn't have
>> the vulnerability, but the
>> ones queued up for update do. I assume that redhat will get the patched
>> version soon but be careful!
>>
>> Mike
>>
>> On 04/07/2014 10:06 PM, Paul Ferguson wrote:
>>
>>> -BEGIN PGP SIGNED MESSAGE-
>>> Hash: SHA256
>>>
>>> I'm really surprised no one has mentioned this here yet...
>>>
>>> FYI,
>>>
>>> - - ferg
>>>
>>> Begin forwarded message:
>>>
>>>> From: Rich Kulawiec  Subject: Serious bug in
>>>> ubiquitous OpenSSL library: "Heartbleed" Date: April 7, 2014 at
>>>> 9:27:40 PM EDT
>>>>
>>>> This reaches across many versions of Linux and BSD and, I'd
>>>> presume, into some versions of operating systems based on them.
>>>> OpenSSL is used in web servers, mail servers, VPNs, and many other
>>>> places.
>>>>
>>>> Writeup: Heartbleed: Serious OpenSSL zero day vulnerability
>>>> revealed
>>>> http://www.zdnet.com/heartbleed-serious-openssl-zero-day-vulnerability-revealed-728166/
>>>>
>>>> Technical details: Heartbleed Bug http://heartbleed.com/
>>>>
>>>> OpenSSL versions affected (from link just above):  OpenSSL 1.0.1
>>>> through 1.0.1f (inclusive) are vulnerable OpenSSL 1.0.1g is NOT
>>>> vulnerable (released today, April 7, 2014) OpenSSL 1.0.0 branch is
>>>> NOT vulnerable OpenSSL 0.9.8 branch is NOT vulnerable
>>>
>>> - -- Paul Ferguson
>>> VP Threat Intelligence, IID
>>> PGP Public Key ID: 0x54DC85B2

--
Stephen Clark
*NetWolves Managed Services, LLC.*
Director of Technology
Phone: 813-579-3200
Fax: 813-882-0209
Email: steve.cl...@netwolves.com
http://www.netwolves.com


Re: Serious bug in ubiquitous OpenSSL library: "Heartbleed"

2014-04-08 Thread Patrick W. Gilmore
Lots of tools available. I'm with ferg, surprised more haven't been mentioned 
here.

Tools to check for the bug:
• on your own box: 
https://github.com/musalbas/heartbleed-masstest/blob/master/ssltest.py
• online: http://filippo.io/Heartbleed/ (use carefully as they might 
log what you check)
• online: http://possible.lv/tools/hb/
• offline: https://github.com/tdussa/heartbleed-masstest <--- Tobias 
Dussa, also Takes a CSV file with host names for input and ports as parameter
• offline: http://s3.jspenguin.org/ssltest.py
• offline: https://github.com/titanous/heartbleeder

List of vulnerable Linux distributions: .

Anyone have any more?

-- 
TTFN,
patrick


On Apr 08, 2014, at 12:11 , Jonathan Lassoff  wrote:

> For testing, I've had good luck with
> https://github.com/titanous/heartbleeder and
> https://gist.github.com/takeshixx/10107280
> 
> Both are mostly platform-independent, so they should be able to work even
> if you don't have a modern OpenSSL to test with.
> 
> Cheers and good luck (you're going to need it),
> jof
> 
> On Tue, Apr 8, 2014 at 5:03 PM, Michael Thomas  wrote:
> 
>> Just as a data point, I checked the servers I run and it's a good thing I
>> didn't reflexively update them first.
>> On Centos 6.0, the default openssl is 1.0.0 which supposedly doesn't have
>> the vulnerability, but the
>> ones queued up for update do. I assume that redhat will get the patched
>> version soon but be careful!
>> 
>> Mike
>> 
>> 
>> On 04/07/2014 10:06 PM, Paul Ferguson wrote:
>> 
>>> -BEGIN PGP SIGNED MESSAGE-
>>> Hash: SHA256
>>> 
>>> I'm really surprised no one has mentioned this here yet...
>>> 
>>> FYI,
>>> 
>>> - - ferg
>>> 
>>> 
>>> 
>>> Begin forwarded message:
>>> 
>>>> From: Rich Kulawiec  Subject: Serious bug in
>>>> ubiquitous OpenSSL library: "Heartbleed" Date: April 7, 2014 at
>>>> 9:27:40 PM EDT
>>>>
>>>> This reaches across many versions of Linux and BSD and, I'd
>>>> presume, into some versions of operating systems based on them.
>>>> OpenSSL is used in web servers, mail servers, VPNs, and many other
>>>> places.
>>>>
>>>> Writeup: Heartbleed: Serious OpenSSL zero day vulnerability
>>>> revealed
>>>> http://www.zdnet.com/heartbleed-serious-openssl-zero-day-vulnerability-revealed-728166/
>>>>
>>>> Technical details: Heartbleed Bug http://heartbleed.com/
>>>>
>>>> OpenSSL versions affected (from link just above):  OpenSSL 1.0.1
>>>> through 1.0.1f (inclusive) are vulnerable OpenSSL 1.0.1g is NOT
>>>> vulnerable (released today, April 7, 2014) OpenSSL 1.0.0 branch is
>>>> NOT vulnerable OpenSSL 0.9.8 branch is NOT vulnerable
>>>
>>> - -- Paul Ferguson
>>> VP Threat Intelligence, IID
>>> PGP Public Key ID: 0x54DC85B2





RE: Fwd: Serious bug in ubiquitous OpenSSL library: "Heartbleed"

2014-04-08 Thread David Hubbard
1.0.1 was not deployed until RHEL 6.5.  RedHat released patches
for RHEL last night, and CentOS followed suit a few minutes
later.  

-Original Message-
From: Michael Thomas [mailto:m...@mtcc.com] 
Sent: Tuesday, April 08, 2014 12:03 PM
To: nanog@nanog.org
Subject: Re: Fwd: Serious bug in ubiquitous OpenSSL library:
"Heartbleed"

Just as a data point, I checked the servers I run and it's a good thing
I didn't reflexively update them first.
On Centos 6.0, the default openssl is 1.0.0 which supposedly doesn't
have the vulnerability, but the ones queued up for update do. I assume
that redhat will get the patched version soon but be careful!

Mike

On 04/07/2014 10:06 PM, Paul Ferguson wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> I'm really surprised no one has mentioned this here yet...
>
> FYI,
>
> - - ferg
>
>
>
> Begin forwarded message:
>
>> From: Rich Kulawiec  Subject: Serious bug in ubiquitous 
>> OpenSSL library: "Heartbleed" Date: April 7, 2014 at 9:27:40 PM EDT
>>
>> This reaches across many versions of Linux and BSD and, I'd presume, 
>> into some versions of operating systems based on them.
>> OpenSSL is used in web servers, mail servers, VPNs, and many other 
>> places.
>>
>> Writeup: Heartbleed: Serious OpenSSL zero day vulnerability revealed
>> http://www.zdnet.com/heartbleed-serious-openssl-zero-day-vulnerability-revealed-728166/
>>
>>   Technical details: Heartbleed Bug http://heartbleed.com/
>>
>> OpenSSL versions affected (from link just above):  OpenSSL 1.0.1 
>> through 1.0.1f (inclusive) are vulnerable OpenSSL 1.0.1g is NOT 
>> vulnerable (released today, April 7, 2014) OpenSSL 1.0.0 branch is 
>> NOT vulnerable OpenSSL 0.9.8 branch is NOT vulnerable
>>
>
> - --
> Paul Ferguson
> VP Threat Intelligence, IID
> PGP Public Key ID: 0x54DC85B2







Re: Fwd: Serious bug in ubiquitous OpenSSL library: "Heartbleed"

2014-04-08 Thread Jonathan Lassoff
For testing, I've had good luck with
https://github.com/titanous/heartbleeder and
https://gist.github.com/takeshixx/10107280

Both are mostly platform-independent, so they should be able to work even
if you don't have a modern OpenSSL to test with.

Cheers and good luck (you're going to need it),
jof

On Tue, Apr 8, 2014 at 5:03 PM, Michael Thomas  wrote:

> Just as a data point, I checked the servers I run and it's a good thing I
> didn't reflexively update them first.
> On Centos 6.0, the default openssl is 1.0.0 which supposedly doesn't have
> the vulnerability, but the
> ones queued up for update do. I assume that redhat will get the patched
> version soon but be careful!
>
> Mike
>
>
> On 04/07/2014 10:06 PM, Paul Ferguson wrote:
>
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA256
>>
>> I'm really surprised no one has mentioned this here yet...
>>
>> FYI,
>>
>> - - ferg
>>
>>
>>
>> Begin forwarded message:
>>
>>> From: Rich Kulawiec  Subject: Serious bug in
>>> ubiquitous OpenSSL library: "Heartbleed" Date: April 7, 2014 at
>>> 9:27:40 PM EDT
>>>
>>> This reaches across many versions of Linux and BSD and, I'd
>>> presume, into some versions of operating systems based on them.
>>> OpenSSL is used in web servers, mail servers, VPNs, and many other
>>> places.
>>>
>>> Writeup: Heartbleed: Serious OpenSSL zero day vulnerability
>>> revealed
>>> http://www.zdnet.com/heartbleed-serious-openssl-zero-day-vulnerability-revealed-728166/
>>>
>>>   Technical details: Heartbleed Bug http://heartbleed.com/
>>>
>>> OpenSSL versions affected (from link just above):  OpenSSL 1.0.1
>>> through 1.0.1f (inclusive) are vulnerable OpenSSL 1.0.1g is NOT
>>> vulnerable (released today, April 7, 2014) OpenSSL 1.0.0 branch is
>>> NOT vulnerable OpenSSL 0.9.8 branch is NOT vulnerable
>>>
>>>
>> - -- Paul Ferguson
>> VP Threat Intelligence, IID
>> PGP Public Key ID: 0x54DC85B2


Re: Fwd: Serious bug in ubiquitous OpenSSL library: "Heartbleed"

2014-04-08 Thread Richard Hesse
The updated CentOS openssl binaries haven't patched the underlying bug, but
they have disabled the heartbeat functionality. By doing so, they've
disabled the attack vector. Once upstream releases a fix, they will
re-enable the heartbeat function with the working patch.

And yes, don't forget to restart any linked services after updating.

-richard


On Tue, Apr 8, 2014 at 9:03 AM, Michael Thomas  wrote:

> Just as a data point, I checked the servers I run and it's a good thing I
> didn't reflexively update them first.
> On Centos 6.0, the default openssl is 1.0.0 which supposedly doesn't have
> the vulnerability, but the
> ones queued up for update do. I assume that redhat will get the patched
> version soon but be careful!
>
> Mike
>
>
> On 04/07/2014 10:06 PM, Paul Ferguson wrote:
>
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA256
>>
>> I'm really surprised no one has mentioned this here yet...
>>
>> FYI,
>>
>> - - ferg
>>
>>
>>
>> Begin forwarded message:
>>
>>> From: Rich Kulawiec  Subject: Serious bug in
>>> ubiquitous OpenSSL library: "Heartbleed" Date: April 7, 2014 at
>>> 9:27:40 PM EDT
>>>
>>> This reaches across many versions of Linux and BSD and, I'd
>>> presume, into some versions of operating systems based on them.
>>> OpenSSL is used in web servers, mail servers, VPNs, and many other
>>> places.
>>>
>>> Writeup: Heartbleed: Serious OpenSSL zero day vulnerability
>>> revealed
>>> http://www.zdnet.com/heartbleed-serious-openssl-zero-day-vulnerability-revealed-728166/
>>>
>>>   Technical details: Heartbleed Bug http://heartbleed.com/
>>>
>>> OpenSSL versions affected (from link just above):  OpenSSL 1.0.1
>>> through 1.0.1f (inclusive) are vulnerable OpenSSL 1.0.1g is NOT
>>> vulnerable (released today, April 7, 2014) OpenSSL 1.0.0 branch is
>>> NOT vulnerable OpenSSL 0.9.8 branch is NOT vulnerable
>>>
>>>
>> - -- Paul Ferguson
>> VP Threat Intelligence, IID
>> PGP Public Key ID: 0x54DC85B2


Re: Fwd: Serious bug in ubiquitous OpenSSL library: "Heartbleed"

2014-04-08 Thread Michael Thomas
Just as a data point, I checked the servers I run and it's a good thing 
I didn't reflexively update them first.
On Centos 6.0, the default openssl is 1.0.0 which supposedly doesn't 
have the vulnerability, but the
ones queued up for update do. I assume that redhat will get the patched 
version soon but be careful!


Mike

On 04/07/2014 10:06 PM, Paul Ferguson wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> I'm really surprised no one has mentioned this here yet...
>
> FYI,
>
> - - ferg
>
> Begin forwarded message:
>
>> From: Rich Kulawiec  Subject: Serious bug in
>> ubiquitous OpenSSL library: "Heartbleed" Date: April 7, 2014 at
>> 9:27:40 PM EDT
>>
>> This reaches across many versions of Linux and BSD and, I'd
>> presume, into some versions of operating systems based on them.
>> OpenSSL is used in web servers, mail servers, VPNs, and many other
>> places.
>>
>> Writeup: Heartbleed: Serious OpenSSL zero day vulnerability
>> revealed
>> http://www.zdnet.com/heartbleed-serious-openssl-zero-day-vulnerability-revealed-728166/
>>
>> Technical details: Heartbleed Bug http://heartbleed.com/
>>
>> OpenSSL versions affected (from link just above):  OpenSSL 1.0.1
>> through 1.0.1f (inclusive) are vulnerable OpenSSL 1.0.1g is NOT
>> vulnerable (released today, April 7, 2014) OpenSSL 1.0.0 branch is
>> NOT vulnerable OpenSSL 0.9.8 branch is NOT vulnerable
>
> - --
> Paul Ferguson
> VP Threat Intelligence, IID
> PGP Public Key ID: 0x54DC85B2


Re: BGPMON Alert Questions

2014-04-08 Thread Mark Tinka
On Tuesday, April 08, 2014 01:20:23 PM Jac Kloots wrote:

> Yes, we don't validate those prefixes cause we filter
> them strict. We know from all our customers which
> prefixes they use so we have prefix-filters placed on
> all their connections.

Good point.

We do both - prefix list + AS_PATH filtering as well as 
origin validation.

At this point, you're likely to lose longer prefixes from 
customers if they forgot to ROA them, but the rationale is 
that if a customer has sufficient clue to ROA their 
aggregate, they can quickly ROA a de-aggregate or fix it in 
case they forgot.

Mark.




Re: Fwd: Serious bug in ubiquitous OpenSSL library: "Heartbleed"

2014-04-08 Thread Rob Seastrom

Randy Bush  writes:

> you might like (thanks smb, or was it sra)
>
> openssl s_client -connect google\.com:443  -tlsextdebug 2>&1| grep 'server 
> extension "heartbeat" (id=15)' || echo safe

protip: you have to run this from a device that actually is running
1.0.x, i.e. supports the heartbeat extension.  your desktop mac
(running 0.9.8y if you're running mavericks and haven't stomped on it
via ports; homebrew is a keg only install) WILL NOT SUFFICE and will
just sit there quietly until the http server times out (60 seconds in
my case) and then echo "safe" even when you're not.

-r




Re: Serious bug in ubiquitous OpenSSL library: "Heartbleed"

2014-04-08 Thread Paul S.
If you built anything against the vulnerable library (esp static linked 
stuff), you'll need to rebuild those too.


On 4/8/2014 09:18 PM, David Hubbard wrote:

Don't forget to restart every daemon that was using the old library as
well, or just reboot.

-Original Message-
From: Peter Kristolaitis [mailto:alte...@alter3d.ca]
Sent: Tuesday, April 08, 2014 1:19 AM
To: nanog@nanog.org
Subject: Re: Serious bug in ubiquitous OpenSSL library: "Heartbleed"

Not just run the updates -- all private keys should be changed too, on
the assumption that they've been compromised already.  THAT is going to
be the crappy part of this.

- Pete


On 4/8/2014 1:13 AM, David Hubbard wrote:

RHEL and CentOS both have patches out as of a couple hours ago, so run
those updates!  CentOS' mirrors do not all have it yet, so if you are
updating, make sure you get the
1.0.1e-16.el6_5.7 version and not older.

David

-Original Message-
From: Paul Ferguson [mailto:fergdawgs...@mykolab.com]
Sent: Tuesday, April 08, 2014 1:07 AM
To: NANOG
Subject: Fwd: Serious bug in ubiquitous OpenSSL library: "Heartbleed"

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

I'm really surprised no one has mentioned this here yet...

FYI,

- - ferg



Begin forwarded message:


From: Rich Kulawiec
Subject: Serious bug in ubiquitous OpenSSL library: "Heartbleed"
Date: April 7, 2014 at 9:27:40 PM EDT

This reaches across many versions of Linux and BSD and, I'd presume,
into some versions of operating systems based on them.
OpenSSL is used in web servers, mail servers, VPNs, and many other
places.

Writeup: Heartbleed: Serious OpenSSL zero day vulnerability revealed
http://www.zdnet.com/heartbleed-serious-openssl-zero-day-vulnerability-revealed-728166/

   Technical details: Heartbleed Bug http://heartbleed.com/

OpenSSL versions affected (from link just above):
OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable (released today, April 7, 2014)
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable


- --
Paul Ferguson
VP Threat Intelligence, IID
PGP Public Key ID: 0x54DC85B2



RE: Serious bug in ubiquitous OpenSSL library: "Heartbleed"

2014-04-08 Thread David Hubbard
Don't forget to restart every daemon that was using the old library as
well, or just reboot. 

-Original Message-
From: Peter Kristolaitis [mailto:alte...@alter3d.ca] 
Sent: Tuesday, April 08, 2014 1:19 AM
To: nanog@nanog.org
Subject: Re: Serious bug in ubiquitous OpenSSL library: "Heartbleed"

Not just run the updates -- all private keys should be changed too, on
the assumption that they've been compromised already.  THAT is going to
be the crappy part of this.

- Pete


On 4/8/2014 1:13 AM, David Hubbard wrote:
> RHEL and CentOS both have patches out as of a couple hours ago, so run
> those updates!  CentOS' mirrors do not all have it yet, so if you are 
> updating, make sure you get the
> 1.0.1e-16.el6_5.7 version and not older.
>
> David
>
> -Original Message-
> From: Paul Ferguson [mailto:fergdawgs...@mykolab.com]
> Sent: Tuesday, April 08, 2014 1:07 AM
> To: NANOG
> Subject: Fwd: Serious bug in ubiquitous OpenSSL library: "Heartbleed"
>
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> I'm really surprised no one has mentioned this here yet...
>
> FYI,
>
> - - ferg
>
>
>
> Begin forwarded message:
>
>> From: Rich Kulawiec
>> Subject: Serious bug in ubiquitous OpenSSL library: "Heartbleed"
>> Date: April 7, 2014 at 9:27:40 PM EDT
>>
>> This reaches across many versions of Linux and BSD and, I'd presume, 
>> into some versions of operating systems based on them.
>> OpenSSL is used in web servers, mail servers, VPNs, and many other 
>> places.
>>
>> Writeup: Heartbleed: Serious OpenSSL zero day vulnerability revealed 
>> http://www.zdnet.com/heartbleed-serious-openssl-zero-day-vulnerability-revealed-728166/
>>
>>   Technical details: Heartbleed Bug http://heartbleed.com/
>>
>> OpenSSL versions affected (from link just above):
>> OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
>> OpenSSL 1.0.1g is NOT vulnerable (released today, April 7, 2014)
>> OpenSSL 1.0.0 branch is NOT vulnerable
>> OpenSSL 0.9.8 branch is NOT vulnerable
>>
>
> - --
> Paul Ferguson
> VP Threat Intelligence, IID
> PGP Public Key ID: 0x54DC85B2
>
>
>
>
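Added example, not code from anyone in this thread, for the restart step David and Paul describe: on Linux, a daemon that was not restarted after the package update keeps the old libssl/libcrypto mapped, and the replaced file shows in /proc/PID/maps with a "(deleted)" suffix. Statically linked binaries never appear here, so they still need the rebuild Paul mentions; the maps excerpt at the bottom is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. After the libssl package update, a
# daemon that has not been restarted keeps the OLD library mapped; on Linux
# the replaced file shows in /proc/PID/maps with a "(deleted)" suffix.
# Statically linked binaries never show up here: they need a rebuild.

# stale_ssl_mappings MAPS_TEXT
#   prints each distinct deleted libssl/libcrypto path in MAPS_TEXT
#   (one per line), or nothing when the process is clean.
stale_ssl_mappings() {
    printf '%s\n' "$1" \
        | grep -E 'lib(ssl|crypto)[^ ]*\.so[^ ]* \(deleted\)$' \
        | awk '{ $1=$2=$3=$4=$5=""; sub(/^ +/, ""); print }' \
        | sort -u
}

# report_stale_processes
#   walks /proc and prints one line per process that still maps an old
#   libssl/libcrypto, i.e. the set of daemons that must be restarted.
report_stale_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        text=$(cat "$maps" 2>/dev/null) || continue
        stale=$(stale_ssl_mappings "$text")
        [ -n "$stale" ] || continue
        comm=$(cat "/proc/$pid/comm" 2>/dev/null)
        printf 'PID %s (%s) still maps: %s\n' "$pid" "$comm" \
            "$(printf '%s\n' "$stale" | tr '\n' ' ')"
    done
}

# Constructed /proc/PID/maps excerpt: two segments of an old libssl, one of
# an old libcrypto, and an unrelated libc that must not be reported.
SAMPLE_MAPS='7f3a1c000000-7f3a1c05d000 r-xp 00000000 08:01 1311 /usr/lib64/libssl.so.1.0.1e (deleted)
7f3a1c25c000-7f3a1c266000 rw-p 0005c000 08:01 1311 /usr/lib64/libssl.so.1.0.1e (deleted)
7f3a1c266000-7f3a1c3f0000 r-xp 00000000 08:01 1299 /usr/lib64/libcrypto.so.1.0.1e (deleted)
7f3a1c600000-7f3a1c7b0000 r-xp 00000000 08:01 2048 /usr/lib64/libc-2.12.so'

if [ "$1" = "--scan" ]; then
    report_stale_processes              # live check on this host (Linux only)
else
    stale_ssl_mappings "$SAMPLE_MAPS"   # prints the two deleted libraries
fi
```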


Re: Fwd: Serious bug in ubiquitous OpenSSL library: "Heartbleed"

2014-04-08 Thread Maxim Khitrov
On Tue, Apr 8, 2014 at 4:35 AM, Randy Bush  wrote:
>> I'm really surprised no one has mentioned this here yet...
>
> we're all too damned busy updating and generating keys
>
> you might like (thanks smb, or was it sra)
>
> openssl s_client -connect google\.com:443  -tlsextdebug 2>&1| grep 'server 
> extension "heartbeat" (id=15)' || echo safe

That just tells you whether the heartbeat extension is supported.
Google servers are not vulnerable to this attack.

- Max



Re: BGPMON Alert Questions

2014-04-08 Thread Jac Kloots


Mark,

On Tue, 8 Apr 2014, Mark Tinka wrote:


On Tuesday, April 08, 2014 11:24:07 AM Jac Kloots wrote:


We (SURFnet, AS1103) are in the same position and I wrote
an article about the evaluation we did before deciding
on dropping invalids (https://blog.surfnet.nl/?p=3159)


Sounds great, Jac!

In your report, you mention that you're not validating
customer prefixes. Is this still the case?


Yes, we don't validate those prefixes cause we filter them strict. We know 
from all our customers which prefixes they use so we have prefix-filters 
placed on all their connections.


Jac

--
Jac Kloots
Network Services
SURFnet bv



Re: BGPMON Alert Questions

2014-04-08 Thread Mark Tinka
On Tuesday, April 08, 2014 11:24:07 AM Jac Kloots wrote:

> We (SURFnet, AS1103) are in the same position and I wrote
> an article about the evaluation we did before deciding
> on dropping invalids (https://blog.surfnet.nl/?p=3159)

Sounds great, Jac!

In your report, you mention that you're not validating 
customer prefixes. Is this still the case?

Mark.




Re: real-world data about fragmentation

2014-04-08 Thread Fernando Gont
Hi, Joe,

On 04/02/2014 03:14 PM, Joe Abley wrote:
> Is anybody aware of any wide-scale studies that examine the
> probability of fragmentation of datagrams of different sizes?

We're in the process of measuring some (kind of related stuff). If
you're interested in this data, we might be able to provide something
along these lines in 1 month or so...

It seems to be mostly about measuring the MTU to as many destinations as
possible, so to speak...


> For example, I could reasonably expect an IPv4 packet of 576 bytes
> not to be fragmented very often (to choose a size not at random).

Note: there shouldn't be any special magic around this number (usually
mistakenly interpreted as the minimum IPv6 MTU, but rather being the
minimum IPv4 reassembly buffer size).


> The
> probability of a 10,000 octet IPv4 packet getting fragmented seems
> likely to be 100%, if we're talking about arbitrary paths across the
> Internet.
> 
> What does the curve look like between 576 bytes and 10,000 bytes?
> 
> I might expect exciting curve action around 1500 bytes (because
> ethernet), 1492 (PPPoE), 1480 (GRE), etc. But I'm interested in
> actual data.
> 
> Anybody have any pointers? IPv4 and IPv6 are both interesting.

Probably off-topic, but since you mentioned reliability of IPv6
fragmentation:

*


* 

Thanks!

Cheers,
-- 
Fernando Gont
e-mail: ferna...@gont.com.ar || fg...@si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1






Re: BGPMON Alert Questions

2014-04-08 Thread Jac Kloots


Hi Mark,

On Thu, 3 Apr 2014, Mark Tinka wrote:


On Thursday, April 03, 2014 02:22:44 AM Randy Bush wrote:


and, btw, how many of those whose prefixes were
mis-originated had registered those prefixes in the
rpki?


It is probably a bit of a hammer at this stage, but we are
in limited deployment of dropping all Invalids using RPKI.

We shall be rolling out, network-wide, in 2014, where all
Invalids are dropped. At this stage, short of a mis-
origination, it's mostly longer prefixes of an aggregate
that are not ROA'd.


Great to hear more people are planning on dropping all Invalids.

We (SURFnet, AS1103) are in the same position and I wrote an article about 
the evaluation we did before deciding on dropping invalids 
(https://blog.surfnet.nl/?p=3159)


I would encourage more people to do a similar analysis and start using a 
RPKI routing policy and start dropping invalids.


Only when people start using RPKI the way it is proposed 
(http://tools.ietf.org/html/rfc7115) can we _all_ benefit from this.


Regards,

Jac

--
Jac Kloots
Network Services
SURFnet bv



Re: Fwd: Serious bug in ubiquitous OpenSSL library: "Heartbleed"

2014-04-08 Thread Randy Bush
> I'm really surprised no one has mentioned this here yet...

we're all too damned busy updating and generating keys

you might like (thanks smb, or was it sra)

openssl s_client -connect google\.com:443  -tlsextdebug 2>&1| grep 'server 
extension "heartbeat" (id=15)' || echo safe

randy, who is almost through
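Added example, not Randy's, Rob's or Maxim's code: the same s_client probe, but with the two ways the `|| echo safe` fallback misleads (Rob's point that a pre-1.0.1 client never sends the extension, and a handshake that never completed) reported as their own verdicts, and with "heartbeat present" kept separate from "vulnerable", as Maxim notes. It assumes the 1.0.1-era `-tlsextdebug` output format; the transcript at the bottom is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: a wrapper around the s_client probe
# quoted above that does not report "safe" just because grep found nothing.
# Assumes `openssl` in PATH and the 1.0.1-era s_client -tlsextdebug output.

# classify_probe VERSION_LINE S_CLIENT_OUTPUT -> prints one verdict:
#   client-too-old    local openssl predates 1.0.1 and cannot offer heartbeat
#   no-handshake      no TLS handshake completed (refused, timed out, ...)
#   heartbeat-absent  handshake done, server did not advertise heartbeat (id=15)
#   heartbeat-present server advertises heartbeat; its OpenSSL version decides
classify_probe() {
    version_line=$1
    output=$2
    # Only 1.0.1 clients send the heartbeat extension, so an older client
    # can never see the server's reply and grep always misses.
    case "$version_line" in
        "OpenSSL 0."*|"OpenSSL 1.0.0"*) echo client-too-old; return 0 ;;
    esac
    # s_client prints this summary line only after a completed handshake.
    if ! printf '%s\n' "$output" | grep -q '^SSL handshake has read'; then
        echo no-handshake; return 0
    fi
    if printf '%s\n' "$output" | grep -q 'server extension "heartbeat" (id=15)'; then
        echo heartbeat-present
    else
        echo heartbeat-absent
    fi
}

# probe_host HOST:PORT -> runs the real probe; </dev/null makes s_client
# exit after the handshake instead of waiting for keyboard input.
probe_host() {
    classify_probe "$(openssl version)" \
        "$(openssl s_client -connect "$1" -tlsextdebug </dev/null 2>&1)"
}

# Constructed, abbreviated s_client transcript for a stand-alone run.
SAMPLE_OUTPUT='CONNECTED(00000003)
TLS server extension "renegotiation info" (id=65281), len=1
TLS server extension "heartbeat" (id=15), len=1
SSL handshake has read 3257 bytes and written 445 bytes'

if [ $# -gt 0 ]; then
    probe_host "$1"
else
    classify_probe "OpenSSL 1.0.1e 11 Feb 2013" "$SAMPLE_OUTPUT"   # heartbeat-present
    classify_probe "OpenSSL 0.9.8y 5 Feb 2013"  "$SAMPLE_OUTPUT"   # client-too-old
fi
```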