
<html><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:10pt">Hola, <br><br>¿Puede ser que esté muy inflada la noticia? Me ha costado horrores hallar un sitio vulnerable, cerca de uno en cincuenta. <br><br> <div>Carlos Pantelides</div><div><br><br></div><div>@dev4sec</div><br><div><br></div><div>http://seguridad-agile.blogspot.com/</div><div style="display: block;" class="yahoo_quoted"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 10pt;"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 12pt;"> <div dir="ltr"> <font face="Arial" size="2"> On Tuesday, April 8, 2014 7:01 PM, Hector Aguirre <hectoraguirre2006@gmail.com> wrote:<br> </font> </div>  <div class="y_msg_container"><div id="yiv2761999001"><div><div

 dir="ltr"><div><div>Gracias Fernando.<br clear="none"><br clear="none">Aquí tienen una url donde pueden realizar la verificación : <a rel="nofollow" shape="rect" target="_blank" href="http://possible.lv/tools/hb/?domain=www.owasp.org">http://possible.lv/tools/hb/?domain=</a><br clear="none">

<br clear="none"></div>Cordiales saludos.<br clear="none"><br clear="none"></div>Héctor A.<br clear="none"></div><div class="yiv2761999001gmail_extra"><br clear="none"><br clear="none"><div class="yiv2761999001gmail_quote">2014-04-08 17:42 GMT-03:00 Fernando Gont <span dir="ltr"><<a rel="nofollow" shape="rect" ymailto="mailto:fernando@gont.com.ar" target="_blank" href="mailto:fernando@gont.com.ar">fernando@gont.com.ar</a>></span>:<br clear="none">

<div class="yiv2761999001yqt8318846996" id="yiv2761999001yqt81267"><blockquote class="yiv2761999001gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">FYI<br clear="none">

<br clear="none">

<br clear="none">

-------- Original Message --------<br clear="none">

Subject:        TA14-098A: OpenSSL 'Heartbleed' vulnerability (CVE-2014-0160)<br clear="none">

Date:   Tue, 08 Apr 2014 15:12:40 -0500<br clear="none">

From:   US-CERT <<a rel="nofollow" shape="rect" ymailto="mailto:US-CERT@ncas.us-cert.gov" target="_blank" href="mailto:US-CERT@ncas.us-cert.gov">US-CERT@ncas.us-cert.gov</a>><br clear="none">

Reply-To:       <a rel="nofollow" shape="rect" ymailto="mailto:US-CERT@ncas.us-cert.gov" target="_blank" href="mailto:US-CERT@ncas.us-cert.gov">US-CERT@ncas.us-cert.gov</a><br clear="none">

<br clear="none">

<br clear="none">

<br clear="none">

TA14-098A: OpenSSL 'Heartbleed' vulnerability (CVE-2014-0160)<br clear="none">

<br clear="none">

NCCIC / US-CERT<br clear="none">

<br clear="none">

National Cyber Awareness System:<br clear="none">

<br clear="none">

TA14-098A: OpenSSL 'Heartbleed' vulnerability (CVE-2014-0160)<br clear="none">

<<a rel="nofollow" shape="rect" target="_blank" href="https://www.us-cert.gov/ncas/alerts/TA14-098A">https://www.us-cert.gov/ncas/alerts/TA14-098A</a>><br clear="none">

04/08/2014 08:46 AM EDT<br clear="none">

<br clear="none">

Original release date: April 08, 2014<br clear="none">

<br clear="none">

<br clear="none">

      Systems Affected<br clear="none">

<br clear="none">

  * OpenSSL 1.0.1 through 1.0.1f<br clear="none">

  * OpenSSL 1.0.2-beta<br clear="none">

<br clear="none">

<br clear="none">

      Overview<br clear="none">

<br clear="none">

A vulnerability in OpenSSL could allow a remote attacker to expose<br clear="none">

sensitive data, possibly including user authentication credentials and<br clear="none">

secret keys, through incorrect memory handling in the TLS heartbeat<br clear="none">

extension.<br clear="none">

<br clear="none">

<br clear="none">

      Description<br clear="none">

<br clear="none">

OpenSSL versions 1.0.1 through 1.0.1f contain a flaw in its<br clear="none">

implementation of the TLS/DTLS heartbeat functionality. This flaw allows<br clear="none">

an attacker to retrieve private memory of an application that uses the<br clear="none">

vulnerable OpenSSL library in chunks of 64k at a time. Note that an<br clear="none">

attacker can repeatedly leverage the vulnerability to retrieve as many<br clear="none">

64k chunks of memory as are necessary to retrieve the intended secrets.<br clear="none">

The sensitive information that may be retrieved using this vulnerability<br clear="none">

include:<br clear="none">

<br clear="none">

  * Primary key material (secret keys)<br clear="none">

  * Secondary key material (user names and passwords used by vulnerable<br clear="none">

    services)<br clear="none">

  * Protected content (sensitive data used by vulnerable services)<br clear="none">

  * Collateral (memory addresses and content that can be leveraged to<br clear="none">

    bypass exploit mitigations)<br clear="none">

<br clear="none">

Exploit code is publicly available for this vulnerability.  Additional<br clear="none">

details may be found in CERT/CC Vulnerability Note VU#720951<br clear="none">

<<a rel="nofollow" shape="rect" target="_blank" href="http://www.kb.cert.org/vuls/id/720951">http://www.kb.cert.org/vuls/id/720951</a>>.<br clear="none">

<br clear="none">

<br clear="none">

      Impact<br clear="none">

<br clear="none">

This flaw allows a remote attacker to retrieve private memory of an<br clear="none">

application that uses the vulnerable OpenSSL library in chunks of 64k at<br clear="none">

a time.<br clear="none">

<br clear="none">

<br clear="none">

      Solution<br clear="none">

<br clear="none">

OpenSSL 1.0.1g <<a rel="nofollow" shape="rect" target="_blank" href="http://www.openssl.org/news/secadv_20140407.txt">http://www.openssl.org/news/secadv_20140407.txt</a>> has<br clear="none">

been released to address this vulnerability.  Any keys generated with a<br clear="none">

vulnerable version of OpenSSL should be considered compromised and<br clear="none">

regenerated and deployed after the patch has been applied.<br clear="none">

<br clear="none">

US-CERT recommends system administrators consider implementing Perfect<br clear="none">

Forward Secrecy <<a rel="nofollow" shape="rect" target="_blank" href="http://en.wikipedia.org/wiki/Perfect_forward_secrecy">http://en.wikipedia.org/wiki/Perfect_forward_secrecy</a>><br clear="none">

to mitigate the damage that may be caused by future private key disclosures.<br clear="none">

<br clear="none">

<br clear="none">

      References<br clear="none">

<br clear="none">

  * OpenSSL Security Advisory<br clear="none">

    <<a rel="nofollow" shape="rect" target="_blank" href="http://www.openssl.org/news/secadv_20140407.txt">http://www.openssl.org/news/secadv_20140407.txt</a>><br clear="none">

  * The Heartbleed Bug <<a rel="nofollow" shape="rect" target="_blank" href="http://heartbleed.com/">http://heartbleed.com/</a>><br clear="none">

  * CERT/CC Vulnerability Note VU#720951<br clear="none">

    <<a rel="nofollow" shape="rect" target="_blank" href="http://www.kb.cert.org/vuls/id/720951">http://www.kb.cert.org/vuls/id/720951</a>><br clear="none">

  * Perfect Forward Secrecy<br clear="none">

    <<a rel="nofollow" shape="rect" target="_blank" href="http://en.wikipedia.org/wiki/Perfect_forward_secrecy">http://en.wikipedia.org/wiki/Perfect_forward_secrecy</a>><br clear="none">

  * RFC2409 Section 8 Perfect Forward Secrecy<br clear="none">

    <<a rel="nofollow" shape="rect" target="_blank" href="http://tools.ietf.org/html/rfc2409#section-8">http://tools.ietf.org/html/rfc2409#section-8</a>><br clear="none">

<br clear="none">

<br clear="none">

      Revision History<br clear="none">

<br clear="none">

  * Initial Publication<br clear="none">

<br clear="none">

------------------------------------------------------------------------<br clear="none">

<br clear="none">

This product is provided subject to this Notification<br clear="none">

<<a rel="nofollow" shape="rect" target="_blank" href="http://www.us-cert.gov/privacy/notification">http://www.us-cert.gov/privacy/notification</a>> and this Privacy & Use<br clear="none">

<<a rel="nofollow" shape="rect" target="_blank" href="http://www.us-cert.gov/privacy/">http://www.us-cert.gov/privacy/</a>> policy.<br clear="none">

<br clear="none">

------------------------------------------------------------------------<br clear="none">

OTHER RESOURCES:<br clear="none">

Contact Us <<a rel="nofollow" shape="rect" target="_blank" href="http://www.us-cert.gov/contact-us/">http://www.us-cert.gov/contact-us/</a>> | Security Publications<br clear="none">

<<a rel="nofollow" shape="rect" target="_blank" href="http://www.us-cert.gov/security-publications">http://www.us-cert.gov/security-publications</a>> | Alerts and Tips<br clear="none">

<<a rel="nofollow" shape="rect" target="_blank" href="http://www.us-cert.gov/ncas">http://www.us-cert.gov/ncas</a>> | Related Resources<br clear="none">

<<a rel="nofollow" shape="rect" target="_blank" href="http://www.us-cert.gov/related-resources">http://www.us-cert.gov/related-resources</a>><br clear="none">

<br clear="none">

STAY CONNECTED:<br clear="none">

Sign up for email updates<br clear="none">

<<a rel="nofollow" shape="rect" target="_blank" href="http://public.govdelivery.com/accounts/USDHSUSCERT/subscriber/new">http://public.govdelivery.com/accounts/USDHSUSCERT/subscriber/new</a>><br clear="none">

<br clear="none">

<br clear="none">

--<br clear="none">

Fernando Gont<br clear="none">

e-mail: <a rel="nofollow" shape="rect" ymailto="mailto:fernando@gont.com.ar" target="_blank" href="mailto:fernando@gont.com.ar">fernando@gont.com.ar</a> || <a rel="nofollow" shape="rect" ymailto="mailto:fgont@si6networks.com" target="_blank" href="mailto:fgont@si6networks.com">fgont@si6networks.com</a><br clear="none">

PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1<br clear="none">

<br clear="none">

<br clear="none">

<br clear="none">

<br clear="none">

<br clear="none">

_______________________________________________<br clear="none">

Seguridad mailing list<br clear="none">

<a rel="nofollow" shape="rect" ymailto="mailto:Seguridad@lacnic.net" target="_blank" href="mailto:Seguridad@lacnic.net">Seguridad@lacnic.net</a><br clear="none">

<a rel="nofollow" shape="rect" target="_blank" href="https://mail.lacnic.net/mailman/listinfo/seguridad">https://mail.lacnic.net/mailman/listinfo/seguridad</a><br clear="none">

</blockquote></div></div><br clear="none"></div></div></div><br><div class="yqt8318846996" id="yqt49320">_______________________________________________<br clear="none">Seguridad mailing list<br clear="none"><a shape="rect" ymailto="mailto:Seguridad@lacnic.net" href="mailto:Seguridad@lacnic.net">Seguridad@lacnic.net</a><br clear="none"><a shape="rect" href="https://mail.lacnic.net/mailman/listinfo/seguridad" target="_blank">https://mail.lacnic.net/mailman/listinfo/seguridad</a></div><br><br></div>  </div> </div>  </div> </div></body></html>