[LACNIC/Seguridad] Fwd: TA14-098A: OpenSSL 'Heartbleed' vulnerability (CVE-2014-0160)
Hector Aguirre
hectoraguirre2006 en gmail.com
Tue Apr 8 19:00:51 BRT 2014
Thanks Fernando.
Here is a URL where you can run the check:
http://possible.lv/tools/hb/?domain=www.owasp.org
Best regards.
Héctor A.
2014-04-08 17:42 GMT-03:00 Fernando Gont <fernando en gont.com.ar>:
> FYI
>
>
> -------- Original Message --------
> Subject: TA14-098A: OpenSSL 'Heartbleed' vulnerability
> (CVE-2014-0160)
> Date: Tue, 08 Apr 2014 15:12:40 -0500
> From: US-CERT <US-CERT en ncas.us-cert.gov>
> Reply-To: US-CERT en ncas.us-cert.gov
>
>
>
> TA14-098A: OpenSSL 'Heartbleed' vulnerability (CVE-2014-0160)
>
> NCCIC / US-CERT
>
> National Cyber Awareness System:
>
> TA14-098A: OpenSSL 'Heartbleed' vulnerability (CVE-2014-0160)
> <https://www.us-cert.gov/ncas/alerts/TA14-098A>
> 04/08/2014 08:46 AM EDT
>
> Original release date: April 08, 2014
>
>
> Systems Affected
>
> * OpenSSL 1.0.1 through 1.0.1f
> * OpenSSL 1.0.2-beta
>
>
> Overview
>
> A vulnerability in OpenSSL could allow a remote attacker to expose
> sensitive data, possibly including user authentication credentials and
> secret keys, through incorrect memory handling in the TLS heartbeat
> extension.
>
>
> Description
>
> OpenSSL versions 1.0.1 through 1.0.1f contain a flaw in their
> implementation of the TLS/DTLS heartbeat functionality. This flaw allows
> an attacker to retrieve private memory of an application that uses the
> vulnerable OpenSSL library in chunks of 64k at a time. Note that an
> attacker can repeatedly leverage the vulnerability to retrieve as many
> 64k chunks of memory as are necessary to retrieve the intended secrets.
> The sensitive information that may be retrieved using this vulnerability
> includes:
>
> * Primary key material (secret keys)
> * Secondary key material (user names and passwords used by vulnerable
> services)
> * Protected content (sensitive data used by vulnerable services)
> * Collateral (memory addresses and content that can be leveraged to
> bypass exploit mitigations)
>
> Exploit code is publicly available for this vulnerability. Additional
> details may be found in CERT/CC Vulnerability Note VU#720951
> <http://www.kb.cert.org/vuls/id/720951>.
>
>
> Impact
>
> This flaw allows a remote attacker to retrieve private memory of an
> application that uses the vulnerable OpenSSL library in chunks of 64k at
> a time.
>
>
> Solution
>
> OpenSSL 1.0.1g <http://www.openssl.org/news/secadv_20140407.txt> has
> been released to address this vulnerability. Any keys generated with a
> vulnerable version of OpenSSL should be considered compromised and
> regenerated and deployed after the patch has been applied.
>
> US-CERT recommends system administrators consider implementing Perfect
> Forward Secrecy <http://en.wikipedia.org/wiki/Perfect_forward_secrecy>
> to mitigate the damage that may be caused by future private key
> disclosures.
>
>
> References
>
> * OpenSSL Security Advisory
> <http://www.openssl.org/news/secadv_20140407.txt>
> * The Heartbleed Bug <http://heartbleed.com/>
> * CERT/CC Vulnerability Note VU#720951
> <http://www.kb.cert.org/vuls/id/720951>
> * Perfect Forward Secrecy
> <http://en.wikipedia.org/wiki/Perfect_forward_secrecy>
> * RFC2409 Section 8 Perfect Forward Secrecy
> <http://tools.ietf.org/html/rfc2409#section-8>
>
>
> Revision History
>
> * Initial Publication
>
> ------------------------------------------------------------------------
>
> This product is provided subject to this Notification
> <http://www.us-cert.gov/privacy/notification> and this Privacy & Use
> <http://www.us-cert.gov/privacy/> policy.
>
>
>
> --
> Fernando Gont
> e-mail: fernando en gont.com.ar || fgont en si6networks.com
> PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
>
>
>
>
>
> _______________________________________________
> Seguridad mailing list
> Seguridad en lacnic.net
> https://mail.lacnic.net/mailman/listinfo/seguridad
>
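The advisory above describes the defect as incorrect memory handling in the heartbeat extension: the responder copied as many payload bytes as the peer's message claimed, not as many as actually arrived, so each request could pull up to 64k of adjacent process memory into the reply. The following is an added example, not OpenSSL's code and not part of the forwarded advisory: a small RFC 6520 heartbeat responder written the way the patched library behaves, where a record whose declared payload length is not covered by the bytes received is rejected before anything is copied. The function and demo names (`build_heartbeat_response`, `demo_benign`, `demo_malformed`) and the two sample records are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 6520 heartbeat message layout: type (1 byte), payload_length
   (2 bytes, big-endian), payload, then at least 16 bytes of padding. */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16
#define HB_HEADER_LEN  3

/* Build the heartbeat response for one received heartbeat record.
   Returns the response length written to `out`, or -1 when the record is
   rejected. Rejecting a declared payload length that does not fit inside
   the received record is the check the 1.0.1g fix introduced; this is a
   hypothetical reimplementation, not the library's own code. */
long build_heartbeat_response(const uint8_t *rec, size_t rec_len,
                              uint8_t *out, size_t out_cap)
{
    /* A record shorter than header + minimum padding cannot be a heartbeat. */
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return -1;
    if (rec[0] != HB_REQUEST)
        return -1;

    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];

    /* The bounds check missing in 1.0.1 through 1.0.1f: the payload the peer
       claims, plus the mandatory padding, must be covered by bytes that
       actually arrived. Without it the memcpy below would read up to 64 KiB
       beyond the end of the received record. */
    if (HB_HEADER_LEN + payload_len + HB_MIN_PADDING > rec_len)
        return -1;

    size_t resp_len = HB_HEADER_LEN + payload_len + HB_MIN_PADDING;
    if (resp_len > out_cap)
        return -1;

    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    /* Echo only bytes that were really received. */
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, payload_len);
    /* Fresh padding, never whatever happened to sit in memory. */
    memset(out + HB_HEADER_LEN + payload_len, 0, HB_MIN_PADDING);
    return (long)resp_len;
}

/* Constructed well-formed request: 5-byte payload "hello" + 16 bytes padding. */
long demo_benign(void)
{
    uint8_t rec[HB_HEADER_LEN + 5 + HB_MIN_PADDING] =
        { HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
    uint8_t out[64];
    return build_heartbeat_response(rec, sizeof rec, out, sizeof out);
}

/* Constructed malformed request: claims a 65535-byte payload but carries 3. */
long demo_malformed(void)
{
    uint8_t rec[HB_HEADER_LEN + 3 + HB_MIN_PADDING] =
        { HB_REQUEST, 0xFF, 0xFF, 'a', 'b', 'c' };
    uint8_t out[64];
    return build_heartbeat_response(rec, sizeof rec, out, sizeof out);
}

int main(void)
{
    printf("benign request   -> response length %ld\n", demo_benign());   /* 24 */
    printf("malformed request -> %ld (rejected)\n", demo_malformed());     /* -1 */
    return 0;
}
```

The second record is the shape of input the advisory's "64k chunks" refers to: a 3-byte payload with a length field of 0xFFFF. With the check in place it is dropped; without it, the copy length would be taken from the attacker-controlled field and the reply would carry whatever followed the record in memory, which is why the advisory treats keys and credentials held by the process as exposed and recommends regenerating them after patching.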