[LACNIC/Seguridad] Fwd: TA14-098A: OpenSSL 'Heartbleed' vulnerability (CVE-2014-0160)

Fernando Gont fernando en gont.com.ar
Mar Abr 8 17:42:35 BRT 2014 

FYI


-------- Original Message --------
Subject: 	TA14-098A: OpenSSL 'Heartbleed' vulnerability (CVE-2014-0160)
Date: 	Tue, 08 Apr 2014 15:12:40 -0500
From: 	US-CERT <US-CERT en ncas.us-cert.gov>
Reply-To: 	US-CERT en ncas.us-cert.gov



TA14-098A: OpenSSL 'Heartbleed' vulnerability (CVE-2014-0160)

NCCIC / US-CERT

National Cyber Awareness System:

TA14-098A: OpenSSL 'Heartbleed' vulnerability (CVE-2014-0160)
<https://www.us-cert.gov/ncas/alerts/TA14-098A>
04/08/2014 08:46 AM EDT

Original release date: April 08, 2014


      Systems Affected

  * OpenSSL 1.0.1 through 1.0.1f
  * OpenSSL 1.0.2-beta


      Overview

A vulnerability in OpenSSL could allow a remote attacker to expose
sensitive data, possibly including user authentication credentials and
secret keys, through incorrect memory handling in the TLS heartbeat
extension.


      Description

OpenSSL versions 1.0.1 through 1.0.1f contain a flaw in its
implementation of the TLS/DTLS heartbeat functionality. This flaw allows
an attacker to retrieve private memory of an application that uses the
vulnerable OpenSSL library in chunks of 64k at a time. Note that an
attacker can repeatedly leverage the vulnerability to retrieve as many
64k chunks of memory as are necessary to retrieve the intended secrets.
The sensitive information that may be retrieved using this vulnerability
include:

  * Primary key material (secret keys)
  * Secondary key material (user names and passwords used by vulnerable
    services)
  * Protected content (sensitive data used by vulnerable services)
  * Collateral (memory addresses and content that can be leveraged to
    bypass exploit mitigations)

Exploit code is publicly available for this vulnerability.  Additional
details may be found in CERT/CC Vulnerability Note VU#720951
<http://www.kb.cert.org/vuls/id/720951>.


      Impact

This flaw allows a remote attacker to retrieve private memory of an
application that uses the vulnerable OpenSSL library in chunks of 64k at
a time.


      Solution

OpenSSL 1.0.1g <http://www.openssl.org/news/secadv_20140407.txt> has
been released to address this vulnerability.  Any keys generated with a
vulnerable version of OpenSSL should be considered compromised and
regenerated and deployed after the patch has been applied.

US-CERT recommends system administrators consider implementing Perfect
Forward Secrecy <http://en.wikipedia.org/wiki/Perfect_forward_secrecy>
to mitigate the damage that may be caused by future private key disclosures.


      References

  * OpenSSL Security Advisory
    <http://www.openssl.org/news/secadv_20140407.txt>
  * The Heartbleed Bug <http://heartbleed.com/>
  * CERT/CC Vulnerability Note VU#720951
    <http://www.kb.cert.org/vuls/id/720951>
  * Perfect Forward Secrecy
    <http://en.wikipedia.org/wiki/Perfect_forward_secrecy>
  * RFC2409 Section 8 Perfect Forward Secrecy
    <http://tools.ietf.org/html/rfc2409#section-8>


      Revision History

  * Initial Publication

------------------------------------------------------------------------

This product is provided subject to this Notification
<http://www.us-cert.gov/privacy/notification> and this Privacy & Use
<http://www.us-cert.gov/privacy/> policy.

------------------------------------------------------------------------
OTHER RESOURCES:
Contact Us <http://www.us-cert.gov/contact-us/> | Security Publications
<http://www.us-cert.gov/security-publications> | Alerts and Tips
<http://www.us-cert.gov/ncas> | Related Resources
<http://www.us-cert.gov/related-resources>

STAY CONNECTED:
Sign up for email updates
<http://public.govdelivery.com/accounts/USDHSUSCERT/subscriber/new>


-- 
Fernando Gont
e-mail: fernando en gont.com.ar || fgont en si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1

Más información sobre la lista de distribución Seguridad