<div dir="ltr"><div><div>Thanks Fernando.<br><br>Here is a URL where you can run the check: <a href="http://possible.lv/tools/hb/?domain=www.owasp.org" target="_blank">http://possible.lv/tools/hb/?domain=</a><br>
<br></div>Kind regards.<br><br></div>Héctor A.<br></div><div class="gmail_extra"><br><br><div class="gmail_quote">2014-04-08 17:42 GMT-03:00 Fernando Gont <span dir="ltr"><<a href="mailto:fernando@gont.com.ar" target="_blank">fernando@gont.com.ar</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">FYI<br>
<br>
<br>
-------- Original Message --------<br>
Subject: TA14-098A: OpenSSL 'Heartbleed' vulnerability (CVE-2014-0160)<br>
Date: Tue, 08 Apr 2014 15:12:40 -0500<br>
From: US-CERT <<a href="mailto:US-CERT@ncas.us-cert.gov">US-CERT@ncas.us-cert.gov</a>><br>
Reply-To: <a href="mailto:US-CERT@ncas.us-cert.gov">US-CERT@ncas.us-cert.gov</a><br>
<br>
<br>
<br>
TA14-098A: OpenSSL 'Heartbleed' vulnerability (CVE-2014-0160)<br>
<br>
NCCIC / US-CERT<br>
<br>
National Cyber Awareness System:<br>
<br>
TA14-098A: OpenSSL 'Heartbleed' vulnerability (CVE-2014-0160)<br>
<<a href="https://www.us-cert.gov/ncas/alerts/TA14-098A" target="_blank">https://www.us-cert.gov/ncas/alerts/TA14-098A</a>><br>
04/08/2014 08:46 AM EDT<br>
<br>
Original release date: April 08, 2014<br>
<br>
<br>
Systems Affected<br>
<br>
* OpenSSL 1.0.1 through 1.0.1f<br>
* OpenSSL 1.0.2-beta<br>
<br>
<br>
Overview<br>
<br>
A vulnerability in OpenSSL could allow a remote attacker to expose<br>
sensitive data, possibly including user authentication credentials and<br>
secret keys, through incorrect memory handling in the TLS heartbeat<br>
extension.<br>
<br>
<br>
Description<br>
<br>
OpenSSL versions 1.0.1 through 1.0.1f contain a flaw in their<br>
implementation of the TLS/DTLS heartbeat functionality. This flaw allows<br>
an attacker to retrieve private memory of an application that uses the<br>
vulnerable OpenSSL library in chunks of 64k at a time. Note that an<br>
attacker can repeatedly leverage the vulnerability to retrieve as many<br>
64k chunks of memory as are necessary to retrieve the intended secrets.<br>
The sensitive information that may be retrieved using this vulnerability<br>
includes:<br>
<br>
* Primary key material (secret keys)<br>
* Secondary key material (user names and passwords used by vulnerable<br>
services)<br>
* Protected content (sensitive data used by vulnerable services)<br>
* Collateral (memory addresses and content that can be leveraged to<br>
bypass exploit mitigations)<br>
<br>
Exploit code is publicly available for this vulnerability. Additional<br>
details may be found in CERT/CC Vulnerability Note VU#720951<br>
<<a href="http://www.kb.cert.org/vuls/id/720951" target="_blank">http://www.kb.cert.org/vuls/id/720951</a>>.<br>
<br>
<br>
Impact<br>
<br>
This flaw allows a remote attacker to retrieve private memory of an<br>
application that uses the vulnerable OpenSSL library in chunks of 64k at<br>
a time.<br>
<br>
<br>
Solution<br>
<br>
OpenSSL 1.0.1g <<a href="http://www.openssl.org/news/secadv_20140407.txt" target="_blank">http://www.openssl.org/news/secadv_20140407.txt</a>> has<br>
been released to address this vulnerability. Any keys generated with a<br>
vulnerable version of OpenSSL should be considered compromised and<br>
regenerated and deployed after the patch has been applied.<br>
<br>
US-CERT recommends system administrators consider implementing Perfect<br>
Forward Secrecy <<a href="http://en.wikipedia.org/wiki/Perfect_forward_secrecy" target="_blank">http://en.wikipedia.org/wiki/Perfect_forward_secrecy</a>><br>
to mitigate the damage that may be caused by future private key disclosures.<br>
<br>
<br>
References<br>
<br>
* OpenSSL Security Advisory<br>
<<a href="http://www.openssl.org/news/secadv_20140407.txt" target="_blank">http://www.openssl.org/news/secadv_20140407.txt</a>><br>
* The Heartbleed Bug <<a href="http://heartbleed.com/" target="_blank">http://heartbleed.com/</a>><br>
* CERT/CC Vulnerability Note VU#720951<br>
<<a href="http://www.kb.cert.org/vuls/id/720951" target="_blank">http://www.kb.cert.org/vuls/id/720951</a>><br>
* Perfect Forward Secrecy<br>
<<a href="http://en.wikipedia.org/wiki/Perfect_forward_secrecy" target="_blank">http://en.wikipedia.org/wiki/Perfect_forward_secrecy</a>><br>
* RFC2409 Section 8 Perfect Forward Secrecy<br>
<<a href="http://tools.ietf.org/html/rfc2409#section-8" target="_blank">http://tools.ietf.org/html/rfc2409#section-8</a>><br>
<br>
<br>
Revision History<br>
<br>
* Initial Publication<br>
<br>
------------------------------------------------------------------------<br>
<br>
This product is provided subject to this Notification<br>
<<a href="http://www.us-cert.gov/privacy/notification" target="_blank">http://www.us-cert.gov/privacy/notification</a>> and this Privacy & Use<br>
<<a href="http://www.us-cert.gov/privacy/" target="_blank">http://www.us-cert.gov/privacy/</a>> policy.<br>
<br>
------------------------------------------------------------------------<br>
OTHER RESOURCES:<br>
Contact Us <<a href="http://www.us-cert.gov/contact-us/" target="_blank">http://www.us-cert.gov/contact-us/</a>> | Security Publications<br>
<<a href="http://www.us-cert.gov/security-publications" target="_blank">http://www.us-cert.gov/security-publications</a>> | Alerts and Tips<br>
<<a href="http://www.us-cert.gov/ncas" target="_blank">http://www.us-cert.gov/ncas</a>> | Related Resources<br>
<<a href="http://www.us-cert.gov/related-resources" target="_blank">http://www.us-cert.gov/related-resources</a>><br>
<br>
STAY CONNECTED:<br>
Sign up for email updates<br>
<<a href="http://public.govdelivery.com/accounts/USDHSUSCERT/subscriber/new" target="_blank">http://public.govdelivery.com/accounts/USDHSUSCERT/subscriber/new</a>><br>
<br>
<br>
--<br>
Fernando Gont<br>
e-mail: <a href="mailto:fernando@gont.com.ar">fernando@gont.com.ar</a> || <a href="mailto:fgont@si6networks.com">fgont@si6networks.com</a><br>
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1<br>
<br>
<br>
<br>
<br>
<br>
_______________________________________________<br>
Seguridad mailing list<br>
<a href="mailto:Seguridad@lacnic.net">Seguridad@lacnic.net</a><br>
<a href="https://mail.lacnic.net/mailman/listinfo/seguridad" target="_blank">https://mail.lacnic.net/mailman/listinfo/seguridad</a><br>
</blockquote></div><br></div>
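The forwarded advisory lists the affected builds as OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta, with 1.0.1g as the fix. The following is an added example, not code from the thread, US-CERT or the OpenSSL project: a small Python screening helper that parses the banner printed by `openssl version` and classifies it against exactly those ranges. The banner strings and host names in it are constructed for illustration. Treat the result as a first pass only: distribution packages that backport the fix may keep an affected-looking upstream version string, so a 1.0.1e banner on a patched system is a false positive and the vendor's security tracker (or a live heartbeat check such as the one linked above) should confirm it.

```python
import re

# Matches the leading part of `openssl version` output, e.g.
#   "OpenSSL 1.0.1e 11 Feb 2013"   -> 1.0.1, letter "e", no tag
#   "OpenSSL 1.0.2-beta1 24 Feb 2014" -> 1.0.2, no letter, tag "beta1"
_VERSION_RE = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d*|dev))?",
    re.IGNORECASE,
)


def parse_openssl_version(banner):
    """Return (major, minor, fix, letter, tag) parsed from a version banner."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, fix = (int(m.group(i)) for i in (1, 2, 3))
    letter = (m.group(4) or "").lower()
    tag = (m.group(5) or "").lower()
    return major, minor, fix, letter, tag


def is_affected_by_heartbleed(banner):
    """True if the banner falls in the ranges the advisory lists as affected.

    Affected: 1.0.1 (no letter) through 1.0.1f, and any 1.0.2 beta.
    Fixed:    1.0.1g and later.  Other branches (0.9.8, 1.0.0) are not in
    the advisory's affected list and are reported as not affected.
    """
    major, minor, fix, letter, tag = parse_openssl_version(banner)
    if (major, minor, fix) == (1, 0, 1):
        # "" <= "f" covers the bare 1.0.1 release; single release letters
        # compare alphabetically, so "g" and later are not flagged.
        # Pre-release tags of 1.0.1 are treated like 1.0.1 itself (flagged).
        return letter <= "f"
    if (major, minor, fix) == (1, 0, 2):
        return tag.startswith("beta")
    return False


def screen_hosts(banners_by_host):
    """Map host -> 'AFFECTED' / 'ok' / 'unknown' from collected banners."""
    report = {}
    for host, banner in banners_by_host.items():
        try:
            affected = is_affected_by_heartbleed(banner)
        except ValueError:
            report[host] = "unknown"
            continue
        report[host] = "AFFECTED" if affected else "ok"
    return report


if __name__ == "__main__":
    # Constructed sample inventory, e.g. gathered with `openssl version` over SSH.
    sample = {
        "web-1.example.test": "OpenSSL 1.0.1e 11 Feb 2013",
        "web-2.example.test": "OpenSSL 1.0.1g 7 Apr 2014",
        "lab.example.test": "OpenSSL 1.0.2-beta1 24 Feb 2014",
        "legacy.example.test": "OpenSSL 0.9.8y 5 Feb 2013",
        "appliance.example.test": "(banner not available)",
    }
    for host, status in sorted(screen_hosts(sample).items()):
        print("%-24s %s" % (host, status))
```

Hosts reported as AFFECTED need the 1.0.1g update (or the vendor's backported fix) and, per the advisory, regeneration and redeployment of any keys that lived in the vulnerable process, since a version upgrade alone does not undo an earlier leak.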