[LACNIC/Seguridad] Fwd: TA14-098A: OpenSSL 'Heartbleed' vulnerability (CVE-2014-0160)
Carlos Pantelides
carlos_pantelides at yahoo.com
Tue Apr 8 21:36:01 BRT 2014
Hi,
Could it be that the news is being blown out of proportion? It has taken me enormous effort to find a vulnerable site, roughly one in fifty.
Carlos Pantelides
@dev4sec
http://seguridad-agile.blogspot.com/
On Tuesday, April 8, 2014 7:01 PM, Hector Aguirre <hectoraguirre2006 at gmail.com> wrote:
Thanks Fernando.
Here is a URL where you can run the check: http://possible.lv/tools/hb/?domain=
Kind regards.
Héctor A.
2014-04-08 17:42 GMT-03:00 Fernando Gont <fernando at gont.com.ar>:
FYI
>
>
>-------- Original Message --------
>Subject: TA14-098A: OpenSSL 'Heartbleed' vulnerability (CVE-2014-0160)
>Date: Tue, 08 Apr 2014 15:12:40 -0500
>From: US-CERT <US-CERT at ncas.us-cert.gov>
>Reply-To: US-CERT at ncas.us-cert.gov
>
>
>
>TA14-098A: OpenSSL 'Heartbleed' vulnerability (CVE-2014-0160)
>
>NCCIC / US-CERT
>
>National Cyber Awareness System:
>
>TA14-098A: OpenSSL 'Heartbleed' vulnerability (CVE-2014-0160)
><https://www.us-cert.gov/ncas/alerts/TA14-098A>
>04/08/2014 08:46 AM EDT
>
>Original release date: April 08, 2014
>
>
> Systems Affected
>
> * OpenSSL 1.0.1 through 1.0.1f
> * OpenSSL 1.0.2-beta
>
>
> Overview
>
>A vulnerability in OpenSSL could allow a remote attacker to expose
>sensitive data, possibly including user authentication credentials and
>secret keys, through incorrect memory handling in the TLS heartbeat
>extension.
>
>
> Description
>
>OpenSSL versions 1.0.1 through 1.0.1f contain a flaw in their
>implementation of the TLS/DTLS heartbeat functionality. This flaw allows
>an attacker to retrieve private memory of an application that uses the
>vulnerable OpenSSL library in chunks of 64k at a time. Note that an
>attacker can repeatedly leverage the vulnerability to retrieve as many
>64k chunks of memory as are necessary to retrieve the intended secrets.
>The sensitive information that may be retrieved using this vulnerability
>includes:
>
> * Primary key material (secret keys)
> * Secondary key material (user names and passwords used by vulnerable
> services)
> * Protected content (sensitive data used by vulnerable services)
> * Collateral (memory addresses and content that can be leveraged to
> bypass exploit mitigations)
>
>Exploit code is publicly available for this vulnerability. Additional
>details may be found in CERT/CC Vulnerability Note VU#720951
><http://www.kb.cert.org/vuls/id/720951>.
>
>
> Impact
>
>This flaw allows a remote attacker to retrieve private memory of an
>application that uses the vulnerable OpenSSL library in chunks of 64k at
>a time.
>
>
> Solution
>
>OpenSSL 1.0.1g <http://www.openssl.org/news/secadv_20140407.txt> has
>been released to address this vulnerability. Any keys generated with a
>vulnerable version of OpenSSL should be considered compromised and
>regenerated and deployed after the patch has been applied.
>
>US-CERT recommends system administrators consider implementing Perfect
>Forward Secrecy <http://en.wikipedia.org/wiki/Perfect_forward_secrecy>
>to mitigate the damage that may be caused by future private key disclosures.
>
>
> References
>
> * OpenSSL Security Advisory
> <http://www.openssl.org/news/secadv_20140407.txt>
> * The Heartbleed Bug <http://heartbleed.com/>
> * CERT/CC Vulnerability Note VU#720951
> <http://www.kb.cert.org/vuls/id/720951>
> * Perfect Forward Secrecy
> <http://en.wikipedia.org/wiki/Perfect_forward_secrecy>
> * RFC2409 Section 8 Perfect Forward Secrecy
> <http://tools.ietf.org/html/rfc2409#section-8>
>
>
> Revision History
>
> * Initial Publication
>
>------------------------------------------------------------------------
>
>
>--
>Fernando Gont
>e-mail: fernando at gont.com.ar || fgont at si6networks.com
>PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
_______________________________________________
Seguridad mailing list
Seguridad at lacnic.net
https://mail.lacnic.net/mailman/listinfo/seguridad
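The forwarded alert names the affected upstream releases (1.0.1 through 1.0.1f, and 1.0.2-beta), the fixed release (1.0.1g), and the remediation rule that any key generated or used by a vulnerable build must be regenerated after patching. The following is an added example, not code from the list thread, from US-CERT or from the OpenSSL project: it turns those statements into an inventory check that classifies `openssl version` output and assigns the remediation action each host needs. The host names, version strings and the `vendor_backport` flag are constructed for illustration; the flag stands in for whatever package metadata an administrator uses to confirm that a distribution backported the fix without changing the upstream version number, which is the main reason a version string alone can mislabel a host.

```python
import re

# Affected ranges exactly as the US-CERT alert lists them:
#   OpenSSL 1.0.1 through 1.0.1f, and OpenSSL 1.0.2-beta. OpenSSL 1.0.1g is the fix.
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]*)(-beta\d*)?")

ACTION_UPGRADE = "upgrade to OpenSSL 1.0.1g or later, then regenerate keys and certificates"
ACTION_VERIFY_VENDOR = "confirm the vendor backport of CVE-2014-0160, then regenerate keys"
ACTION_ROTATE_IF_EXPOSED = "fixed build; regenerate keys if this host ever ran an affected build"
ACTION_NONE = "not affected by CVE-2014-0160"


def classify_openssl_version(version_output):
    """Classify the upstream OpenSSL version number found in `version_output`
    (for example one line of `openssl version` output) against CVE-2014-0160.

    Returns "vulnerable", "fixed" or "not_affected". Only the upstream number
    is considered; distribution packages that backport the fix keep an old
    number, which audit_inventory() handles separately.
    """
    match = VERSION_RE.search(version_output)
    if match is None:
        raise ValueError("no OpenSSL version number found in %r" % version_output)
    major, minor, fix = (int(match.group(i)) for i in (1, 2, 3))
    letter, beta = match.group(4), match.group(5)
    if (major, minor, fix) == (1, 0, 1):
        # 1.0.1 with no letter suffix up to 1.0.1f is affected; 1.0.1g and later are fixed.
        return "vulnerable" if letter <= "f" else "fixed"
    if (major, minor, fix) == (1, 0, 2) and beta:
        return "vulnerable"
    # 0.9.8, 1.0.0 and anything else fall outside the ranges the alert names.
    return "not_affected"


def audit_inventory(hosts):
    """Map each host to the remediation action the alert implies.

    Each host is a dict with keys "name", "version_output" and "vendor_backport"
    (True when the distribution's package changelog states that the
    CVE-2014-0160 fix was backported without bumping the upstream number).
    """
    report = {}
    for host in hosts:
        status = classify_openssl_version(host["version_output"])
        if status == "vulnerable":
            report[host["name"]] = (ACTION_VERIFY_VENDOR if host.get("vendor_backport")
                                    else ACTION_UPGRADE)
        elif status == "fixed":
            # The alert treats keys handled by a vulnerable build as compromised,
            # so a patched host still needs rotation if it was exposed earlier.
            report[host["name"]] = ACTION_ROTATE_IF_EXPOSED
        else:
            report[host["name"]] = ACTION_NONE
    return report


# Constructed sample inventory; the host names and the vendor_backport flag are
# illustrative, not data from the list thread or the alert.
SAMPLE_INVENTORY = [
    {"name": "web-01", "version_output": "OpenSSL 1.0.1e 11 Feb 2013", "vendor_backport": False},
    {"name": "web-02", "version_output": "OpenSSL 1.0.1e 11 Feb 2013", "vendor_backport": True},
    {"name": "vpn-01", "version_output": "OpenSSL 1.0.1g 7 Apr 2014", "vendor_backport": False},
    {"name": "lb-01", "version_output": "OpenSSL 1.0.2-beta1 24 Feb 2014", "vendor_backport": False},
    {"name": "legacy-01", "version_output": "OpenSSL 0.9.8y 5 Feb 2013", "vendor_backport": False},
]

if __name__ == "__main__":
    for name, action in sorted(audit_inventory(SAMPLE_INVENTORY).items()):
        print("%-10s %s" % (name, action))
```

Two points the code makes explicit: the same upstream string (`1.0.1e`) yields different actions depending on whether the vendor backported the fix, so package changelogs or a live check such as the one Héctor linked are needed alongside version strings; and a host reported as "fixed" is not finished, because the alert's key-compromise rule depends on the host's history, not on its current build.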