<html><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:10pt">Hello, <br><br>Could it be that the news is very overblown? It has been extremely hard for me to find a vulnerable site, roughly one in fifty. <br><br> <div>Carlos Pantelides</div><div><br><br></div><div>@dev4sec</div><br><div><br></div><div>http://seguridad-agile.blogspot.com/</div><div style="display: block;" class="yahoo_quoted"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 10pt;"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 12pt;"> <div dir="ltr"> <font face="Arial" size="2"> On Tuesday, April 8, 2014 7:01 PM, Hector Aguirre <hectoraguirre2006@gmail.com> wrote:<br> </font> </div> <div class="y_msg_container"><div id="yiv2761999001"><div><div
dir="ltr"><div><div>Thanks Fernando.<br clear="none"><br clear="none">Here is a URL where you can run the check: <a rel="nofollow" shape="rect" target="_blank" href="http://possible.lv/tools/hb/?domain=www.owasp.org">http://possible.lv/tools/hb/?domain=</a><br clear="none">
<br clear="none"></div>Kind regards.<br clear="none"><br clear="none"></div>Héctor A.<br clear="none"></div><div class="yiv2761999001gmail_extra"><br clear="none"><br clear="none"><div class="yiv2761999001gmail_quote">2014-04-08 17:42 GMT-03:00 Fernando Gont <span dir="ltr"><<a rel="nofollow" shape="rect" ymailto="mailto:fernando@gont.com.ar" target="_blank" href="mailto:fernando@gont.com.ar">fernando@gont.com.ar</a>></span>:<br clear="none">
<div class="yiv2761999001yqt8318846996" id="yiv2761999001yqt81267"><blockquote class="yiv2761999001gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">FYI<br clear="none">
<br clear="none">
<br clear="none">
-------- Original Message --------<br clear="none">
Subject: TA14-098A: OpenSSL 'Heartbleed' vulnerability (CVE-2014-0160)<br clear="none">
Date: Tue, 08 Apr 2014 15:12:40 -0500<br clear="none">
From: US-CERT <<a rel="nofollow" shape="rect" ymailto="mailto:US-CERT@ncas.us-cert.gov" target="_blank" href="mailto:US-CERT@ncas.us-cert.gov">US-CERT@ncas.us-cert.gov</a>><br clear="none">
Reply-To: <a rel="nofollow" shape="rect" ymailto="mailto:US-CERT@ncas.us-cert.gov" target="_blank" href="mailto:US-CERT@ncas.us-cert.gov">US-CERT@ncas.us-cert.gov</a><br clear="none">
<br clear="none">
<br clear="none">
<br clear="none">
TA14-098A: OpenSSL 'Heartbleed' vulnerability (CVE-2014-0160)<br clear="none">
<br clear="none">
NCCIC / US-CERT<br clear="none">
<br clear="none">
National Cyber Awareness System:<br clear="none">
<br clear="none">
TA14-098A: OpenSSL 'Heartbleed' vulnerability (CVE-2014-0160)<br clear="none">
<<a rel="nofollow" shape="rect" target="_blank" href="https://www.us-cert.gov/ncas/alerts/TA14-098A">https://www.us-cert.gov/ncas/alerts/TA14-098A</a>><br clear="none">
04/08/2014 08:46 AM EDT<br clear="none">
<br clear="none">
Original release date: April 08, 2014<br clear="none">
<br clear="none">
<br clear="none">
Systems Affected<br clear="none">
<br clear="none">
* OpenSSL 1.0.1 through 1.0.1f<br clear="none">
* OpenSSL 1.0.2-beta<br clear="none">
<br clear="none">
<br clear="none">
Overview<br clear="none">
<br clear="none">
A vulnerability in OpenSSL could allow a remote attacker to expose<br clear="none">
sensitive data, possibly including user authentication credentials and<br clear="none">
secret keys, through incorrect memory handling in the TLS heartbeat<br clear="none">
extension.<br clear="none">
<br clear="none">
<br clear="none">
Description<br clear="none">
<br clear="none">
OpenSSL versions 1.0.1 through 1.0.1f contain a flaw in their<br clear="none">
implementation of the TLS/DTLS heartbeat functionality. This flaw allows<br clear="none">
an attacker to retrieve private memory of an application that uses the<br clear="none">
vulnerable OpenSSL library in chunks of 64k at a time. Note that an<br clear="none">
attacker can repeatedly leverage the vulnerability to retrieve as many<br clear="none">
64k chunks of memory as are necessary to retrieve the intended secrets.<br clear="none">
The sensitive information that may be retrieved using this vulnerability<br clear="none">
includes:<br clear="none">
<br clear="none">
* Primary key material (secret keys)<br clear="none">
* Secondary key material (user names and passwords used by vulnerable<br clear="none">
services)<br clear="none">
* Protected content (sensitive data used by vulnerable services)<br clear="none">
* Collateral (memory addresses and content that can be leveraged to<br clear="none">
bypass exploit mitigations)<br clear="none">
<br clear="none">
Exploit code is publicly available for this vulnerability. Additional<br clear="none">
details may be found in CERT/CC Vulnerability Note VU#720951<br clear="none">
<<a rel="nofollow" shape="rect" target="_blank" href="http://www.kb.cert.org/vuls/id/720951">http://www.kb.cert.org/vuls/id/720951</a>>.<br clear="none">
<br clear="none">
<br clear="none">
Impact<br clear="none">
<br clear="none">
This flaw allows a remote attacker to retrieve private memory of an<br clear="none">
application that uses the vulnerable OpenSSL library in chunks of 64k at<br clear="none">
a time.<br clear="none">
<br clear="none">
<br clear="none">
Solution<br clear="none">
<br clear="none">
OpenSSL 1.0.1g <<a rel="nofollow" shape="rect" target="_blank" href="http://www.openssl.org/news/secadv_20140407.txt">http://www.openssl.org/news/secadv_20140407.txt</a>> has<br clear="none">
been released to address this vulnerability. Any keys generated with a<br clear="none">
vulnerable version of OpenSSL should be considered compromised and<br clear="none">
regenerated and deployed after the patch has been applied.<br clear="none">
<br clear="none">
US-CERT recommends system administrators consider implementing Perfect<br clear="none">
Forward Secrecy <<a rel="nofollow" shape="rect" target="_blank" href="http://en.wikipedia.org/wiki/Perfect_forward_secrecy">http://en.wikipedia.org/wiki/Perfect_forward_secrecy</a>><br clear="none">
to mitigate the damage that may be caused by future private key disclosures.<br clear="none">
<br clear="none">
<br clear="none">
References<br clear="none">
<br clear="none">
* OpenSSL Security Advisory<br clear="none">
<<a rel="nofollow" shape="rect" target="_blank" href="http://www.openssl.org/news/secadv_20140407.txt">http://www.openssl.org/news/secadv_20140407.txt</a>><br clear="none">
* The Heartbleed Bug <<a rel="nofollow" shape="rect" target="_blank" href="http://heartbleed.com/">http://heartbleed.com/</a>><br clear="none">
* CERT/CC Vulnerability Note VU#720951<br clear="none">
<<a rel="nofollow" shape="rect" target="_blank" href="http://www.kb.cert.org/vuls/id/720951">http://www.kb.cert.org/vuls/id/720951</a>><br clear="none">
* Perfect Forward Secrecy<br clear="none">
<<a rel="nofollow" shape="rect" target="_blank" href="http://en.wikipedia.org/wiki/Perfect_forward_secrecy">http://en.wikipedia.org/wiki/Perfect_forward_secrecy</a>><br clear="none">
* RFC2409 Section 8 Perfect Forward Secrecy<br clear="none">
<<a rel="nofollow" shape="rect" target="_blank" href="http://tools.ietf.org/html/rfc2409#section-8">http://tools.ietf.org/html/rfc2409#section-8</a>><br clear="none">
<br clear="none">
<br clear="none">
Revision History<br clear="none">
<br clear="none">
* Initial Publication<br clear="none">
<br clear="none">
------------------------------------------------------------------------<br clear="none">
<br clear="none">
This product is provided subject to this Notification<br clear="none">
<<a rel="nofollow" shape="rect" target="_blank" href="http://www.us-cert.gov/privacy/notification">http://www.us-cert.gov/privacy/notification</a>> and this Privacy & Use<br clear="none">
<<a rel="nofollow" shape="rect" target="_blank" href="http://www.us-cert.gov/privacy/">http://www.us-cert.gov/privacy/</a>> policy.<br clear="none">
<br clear="none">
<br clear="none">
--<br clear="none">
Fernando Gont<br clear="none">
e-mail: <a rel="nofollow" shape="rect" ymailto="mailto:fernando@gont.com.ar" target="_blank" href="mailto:fernando@gont.com.ar">fernando@gont.com.ar</a> || <a rel="nofollow" shape="rect" ymailto="mailto:fgont@si6networks.com" target="_blank" href="mailto:fgont@si6networks.com">fgont@si6networks.com</a><br clear="none">
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1<br clear="none">
<br clear="none">
<br clear="none">
<br clear="none">
<br clear="none">
<br clear="none">
_______________________________________________<br clear="none">
Seguridad mailing list<br clear="none">
<a rel="nofollow" shape="rect" ymailto="mailto:Seguridad@lacnic.net" target="_blank" href="mailto:Seguridad@lacnic.net">Seguridad@lacnic.net</a><br clear="none">
<a rel="nofollow" shape="rect" target="_blank" href="https://mail.lacnic.net/mailman/listinfo/seguridad">https://mail.lacnic.net/mailman/listinfo/seguridad</a><br clear="none">
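The missing bounds check the advisory's fix restores, shown as an added example that is not part of the forwarded advisory, of OpenSSL's code, or of any list member's post. It models the heartbeat record layout from RFC 6520 (one type byte, a two-byte payload length, the payload, at least 16 bytes of padding) inside a constructed 64-byte buffer with a sample secret placed directly behind the record; the buffer layout, the secret string and all function names are the example's own assumptions. The vulnerable handler trusts the peer-supplied length field, the hardened one compares it with the number of bytes actually received before copying.<br clear="none">

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST    1
#define HB_RESPONSE   2
#define HB_PADDING    16   /* RFC 6520 requires at least 16 bytes of padding */
#define MEM_SIZE      64
#define REC_OFFSET    0    /* where the received record sits in the buffer */
#define SECRET_OFFSET 32   /* constructed: sensitive data right behind it */

static const char SECRET[] = "PRIVATE-KEY-MATERIAL";   /* constructed sample secret */

/* Build a constructed "process memory" image: a heartbeat request whose
 * length field says claimed_len but which really carries 4 payload bytes,
 * followed by a secret the peer must never see. */
static void build_memory(uint8_t *mem, uint16_t claimed_len) {
    memset(mem, 0, MEM_SIZE);
    mem[REC_OFFSET + 0] = HB_REQUEST;
    mem[REC_OFFSET + 1] = (uint8_t)(claimed_len >> 8);
    mem[REC_OFFSET + 2] = (uint8_t)(claimed_len & 0xff);
    memcpy(mem + REC_OFFSET + 3, "ping", 4);
    memcpy(mem + SECRET_OFFSET, SECRET, sizeof SECRET);
}

/* Vulnerable shape: the copy length comes straight from the peer's length
 * field and is never compared with the bytes actually received. Only the
 * output buffer is bounded, so memcpy reads past the record. Returns the
 * number of bytes written to out. */
static size_t heartbeat_reply_vulnerable(const uint8_t *rec, uint8_t *out, size_t out_cap) {
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)3 + payload + HB_PADDING > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);          /* over-read when payload > bytes received */
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Hardened shape: rec_len is the record length the TLS layer really received.
 * Header, claimed payload and padding must all fit inside it; otherwise the
 * request is silently dropped. Returns bytes written, 0 when dropped. */
static size_t heartbeat_reply_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    if (rec_len < 1 + 2 + HB_PADDING) return 0;                      /* too short to be valid */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len) return 0;    /* the check that was missing */
    if ((size_t)3 + payload + HB_PADDING > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Feed the vulnerable handler a request that claims claimed_len bytes but
 * carries 4, and count how many bytes of the neighbouring secret came back
 * in the reply (0 when nothing beyond the record was echoed). */
size_t secret_bytes_leaked(uint16_t claimed_len) {
    uint8_t mem[MEM_SIZE], out[256];
    build_memory(mem, claimed_len);
    if (heartbeat_reply_vulnerable(mem + REC_OFFSET, out, sizeof out) == 0) return 0;
    size_t record_room = SECRET_OFFSET - (REC_OFFSET + 3);   /* record bytes after the header: 29 */
    size_t leaked = 0;
    for (size_t i = record_room; i < claimed_len && i - record_room < strlen(SECRET); i++) {
        if (out[3 + i] != (uint8_t)SECRET[i - record_room]) break;
        leaked++;
    }
    return leaked;
}

/* Same request against the hardened handler, telling it the true wire length
 * (3 header + 4 payload + 16 padding = 23 bytes). Returns the reply length,
 * or 0 when the claimed length does not fit what was received. */
size_t fixed_reply_length(uint16_t claimed_len) {
    uint8_t mem[MEM_SIZE], out[256];
    build_memory(mem, claimed_len);
    return heartbeat_reply_fixed(mem + REC_OFFSET, 3 + 4 + HB_PADDING, out, sizeof out);
}

int main(void) {
    printf("vulnerable handler, claimed length 40: %zu secret bytes echoed back\n", secret_bytes_leaked(40));
    printf("fixed handler, claimed length 40: reply length %zu (0 = dropped)\n", fixed_reply_length(40));
    printf("fixed handler, honest length 4: reply length %zu\n", fixed_reply_length(4));
    return 0;
}
```

The 16-bit length field is why the advisory speaks of 64k per request: a single heartbeat can claim at most 65535 payload bytes, and each request is independent, which is why repeated requests can walk through further memory. The hardened handler drops a malformed request rather than answering with an error, so a protocol-level check against a patched server sees no reply at all for an oversized claim.<br clear="none">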
</blockquote></div></div><br clear="none"></div></div></div><br><br><br></div> </div> </div> </div> </div></body></html>