Serious OpenSSL bug renders websites wide open

fu-sen

Re: Serious OpenSSL bug renders websites wide open

Post by fu-sen »

As other people have already reported it,
In Mint 13 LTS and Mint 16, OpenSSL was already updated under the influence of an Ubuntu revolving dibird.

However, LMDE puts a revolving dibird originally (debian.linuxmint.com),
but the update of OpenSSL has not yet been carried out.
In many distributions, the update has already been completed. The person concerned should hurry to update.
shengchieh

Re: Serious OpenSSL bug renders websites wide open

Post by shengchieh »

One question:

I am using LM XFCE 16 as a desktop, not a server. Do I need to update my system?

Sheng-Chieh
bjornmu

Re: Serious OpenSSL bug renders websites wide open

Post by bjornmu »

For the average user who's not running any server accessible from outside which is also using SSL, there is no urgent need to upgrade openssl. Nor do you solve any issues by upgrading.
fu-sen

Re: Serious OpenSSL bug renders websites wide open

Post by fu-sen »

I agree that it is necessary to hurry update when a PC performs the server use.
However, the connected case exists by the client use for a long time recently in SSL.
Oneself judges that even this state is high-risk.
fu-sen

Re: Serious OpenSSL bug renders websites wide open

Post by fu-sen »

I confirmed that OpenSSL was updated in debian.linuxmint.com about LMDE.
I classified these details into the other article:

http://forums.linuxmint.com/viewtopic.p ... 14#p845814
mike acker

Re: Serious OpenSSL bug renders websites wide open

Post by mike acker »

Details of coding error

Summary: ( this is my understanding of the nature of the error )

The attacker (client,-- read "you") -- sends a WRONG LENGTH record to the server. the error record contains a "payload" of 1 byte but states that the payload is 65535 bytes in length. As I understand it OpenSSL is supposed to return the payload to the client -- as the "heartbeat" -- essentially to verify that the communication link has not been mis-directed in any way

As I understand it now, the OpenSSL fails to check for a wrong length record, accepts the 65535 length as correct and sends a 65,538 payload back to the client. the "payload" obviously is not any data the client sent to the server, so what is it?

we used to call this "main storage roulette" -- you don't know what will be found in the data sent -- it's just a memory over-run. a beginner's mistake: an experienced programmer never trusts anything that is sent to him to effect program control -- which in this case the bad value for the length of the payload does exactly that.

you do have to trust values posted to you by your own IOS -- but not anything in the input data.

Response:

the response needs to be made by the folks running servers. after they have fixed their OpenSSL package then you should change your password. this would be important for any site dealing with money.

Notes:

I got my OpenSSL fix this morning :D
¡Viva la Resistencia!
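
The length check described in the post above, as an added example that is not part of the original thread and is not OpenSSL's own code. The names `hb_build_response`, `demo_honest` and `demo_wrong_length` are hypothetical, the message layout and 16-byte minimum padding follow RFC 6520, and the sample records are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1   /* message types from RFC 6520 */
#define HB_RESPONSE 2
#define HB_HDR_LEN  3   /* 1-byte type + 2-byte payload_length */
#define HB_MIN_PAD  16  /* minimum padding required by RFC 6520 */

/* Returns bytes written to out, or 0 when the heartbeat request is dropped. */
size_t hb_build_response(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HDR_LEN + HB_MIN_PAD || rec[0] != HB_REQUEST)
        return 0;
    /* Peer-supplied length: untrusted until checked. */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    size_t needed = HB_HDR_LEN + claimed + HB_MIN_PAD;
    /* The check the post describes as missing: the claimed payload
     * must fit inside the bytes that actually arrived. */
    if (needed > rec_len || needed > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR_LEN, rec + HB_HDR_LEN, claimed);
    memset(out + HB_HDR_LEN + claimed, 0, HB_MIN_PAD); /* real stacks pad with random bytes */
    return needed;
}

/* Constructed sample: 4-byte payload "ping", length field says 4. */
size_t demo_honest(void)
{
    uint8_t rec[HB_HDR_LEN + 4 + HB_MIN_PAD] = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
    uint8_t out[64];
    return hb_build_response(rec, sizeof rec, out, sizeof out);
}

/* Constructed sample from the post: 1-byte payload, length field says 65535. */
size_t demo_wrong_length(void)
{
    uint8_t rec[HB_HDR_LEN + 1 + HB_MIN_PAD] = { HB_REQUEST, 0xFF, 0xFF, 'A' };
    static uint8_t out[HB_HDR_LEN + 65535 + HB_MIN_PAD];
    return hb_build_response(rec, sizeof rec, out, sizeof out);
}
int main(void)
{
    printf("honest: %zu, wrong length: %zu\n", demo_honest(), demo_wrong_length());
}
```

The output buffer in `demo_wrong_length` is deliberately large enough for a full-size reply, so the request is rejected by the comparison against `rec_len` and not by lack of space.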
karlchen

Re: Serious OpenSSL bug renders websites wide open

Post by karlchen »

Hi, Mike.

Yes, the problem is/was that vulnerable servers can be made to return up to 64k of potentially confidential data. Such data may contain anything including logon credentials in clear text. :shock:
It is also true what some user stated in a previous post:
Updating our client machines to a bugfixed version of openSSL is fine. But it will not make us much safer because we might communicate with servers on the net which are still using a vulnerable openSSL version.
Life on the remains risky.

Cheer,
Karl
The people of Alderaan have been bravely fighting back the clone warriors sent out by the unscrupulous Sith Lord Palpatine for 762 days now.
Lifeline
killer de bug

Re: Serious OpenSSL bug renders websites wide open

Post by killer de bug »

More important Karl, even if all systems are updated, you don't know what was stolen (if anything was stolen)... :wink:
Amazon was reported not to be concerned. But if it was for example, thousands of card numbers can be out there... :?
bjornmu

Re: Serious OpenSSL bug renders websites wide open

Post by bjornmu »

Correction: AIUI now, even clients can have some memory stolen if connected to a malicious server. I was worried when I saw I had openssl 1.0.1c on my Mint 14 and not 1.0.1g but then I see it's 1.0.1c-3ubuntu2.7 which has the required patch. :)
moongirl

Re: Serious OpenSSL bug renders websites wide open

Post by moongirl »

Hi there,

I'm a newbie so I'm big time concerned about the heartbleed bug. I noticed I have a pending request to update the openSSL to 1.0.1e-3ubuntu1.2 but it's marked as Level 3.
Is it safe to run this update?!

Thanks!!!
killer de bug

Re: Serious OpenSSL bug renders websites wide open

Post by killer de bug »

Yes it's safe. You can go. :wink:
moongirl

Re: Serious OpenSSL bug renders websites wide open

Post by moongirl »

Thanks so much killer de bug,

Would I need to be worried about any security issue on my Linux Mint 16 or this update should fix the vulnerability to the bug?

And just to be clear, Level 3 updates are then safe?!

Thanks again!!!
killer de bug

Re: Serious OpenSSL bug renders websites wide open

Post by killer de bug »

Level 1 2 3 are safe.

And this fix is enough for you to stop worrying ;)
mike acker

Re: Serious OpenSSL bug renders websites wide open

Post by mike acker »

The (predictable) response begins
(excerpt)
The sad truth is that open source software — which underpins vast swathes of the net — has a serious sustainability problem.
i don't buy any of their crap. I stand absolutely with the whole OpenSource/Linux concept and project.

so don't take anything I post the wrong way. Heartbleed is a serious slip. but it could have been prevented. If Torvalds was here I'm sure he'd agree with my note regarding allowing user input data to control execution of a program. it's a no-no and it's been a no-no since computers came into general use in the 1960s or roughly thereabouts. how many bugs have been attributed to buffer over-run ?

Early Discovery of Heartbleed
excerpt
Before hanging up, Chartier instructed one of the Finnish engineers to write an exploit code to take advantage of Codenomicon’s own site. Basically, Chartier wanted to see what, exactly, a hacker could get if they knew about the bug.

“We attacked ourselves,” Chartier says. The results freaked him out. The team realized they were able to access a user’s memory, encryption keys, usernames and passwords—“plus a lot of other stuff that we don’t want to mention,” Chartier says. “We saw how serious it was.”
Last edited by mike acker on Fri Apr 11, 2014 7:52 am, edited 1 time in total.
¡Viva la Resistencia!
eanfrid

Re: Serious OpenSSL bug renders websites wide open

Post by eanfrid »

FUD as usual... What would they say about heavily funded crappy obscure bloated unsecure-by-design proprietary software like... Flash :mrgreen:
mike acker

Re: Serious OpenSSL bug renders websites wide open

Post by mike acker »

eanfrid wrote: FUD as usual... What would they say about heavily funded crappy obscure bloated unsecure-by-design proprietary software like... Flash :mrgreen:
absolutely

i see this as a rare problem in the OpenSource/Linux venue. unfortunate, but rare. I think OpenSource/Linux does much better than its commercial alternatives.

Adobe/Flash is the worst; it gets patched so often it makes Whac-a-Mole look like a gimmie.
¡Viva la Resistencia!
xenopeek

Re: Serious OpenSSL bug renders websites wide open

Post by xenopeek »

Through the Linux Foundation's Core Infrastructure Initiative, OpenSSL has just received funding for two full-time developers and the Open Crypto Audit Project will receive funding to conduct a security audit of OpenSSL: http://www.linuxfoundation.org/news-med ... ounces-new
killer de bug

Re: Serious OpenSSL bug renders websites wide open

Post by killer de bug »

This is really good news. I bet a few security fixes will come in the next month for security breaches we are not aware of at the moment :lol:
Adobe

"Adobe believes that open development and open source software are fundamental building blocks for software development," said Dave McAllister, director of open source at Adobe. “The Core Infrastructure Initiative allows us to extend our support through a neutral forum that can prioritize underfunded yet critical projects. We’re excited to be a part of this work.”
This looks so strange when I read it... :shock:
xenopeek

Re: Serious OpenSSL bug renders websites wide open

Post by xenopeek »

Adobe actively develops open source software (http://html.adobe.com/opensource/). They do a lot more than Flash.