Heartbleed - Critical CVE for anyone running SSL enabled services

I just came across heartbleed. It's a painful CVE. Upgrade time if you have software that offers SSL/TLS using OpenSSL.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
https://www.mattslifebytes.com/?p=533
https://www.michael-p-davis.com/using-heartbleed-for-hijacking-user-sessions...
Scanning a subset of popular KE sites shows that most are not vulnerable thanks to IIS/OWA. However, a few .go.ke and .co.ke SSL sites are leaking website code, cookies and, god forbid, private keys.
Cheers, Laban

This bug is super bad. It's a trivial exercise to modify the given PoC to dump memory of a vulnerable server continuously. You might be able to view:
- x509 certs,
- RSA key material,
- Server side code & server side configs,
- Browser UA for other visitors,
- Session IDs for other visitors.
On Tue, Apr 8, 2014 at 10:24 PM, Laban Mwangi <lmwangi@gmail.com> wrote:

Using the Chromebleed extension...
[image: Inline image 1]
On Wed, Apr 9, 2014 at 12:51 AM, Laban Mwangi <lmwangi@gmail.com> wrote:
_______________________________________________ skunkworks mailing list skunkworks@lists.my.co.ke ------------ List info, subscribe/unsubscribe http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks ------------
Skunkworks Rules http://my.co.ke/phpbb/viewtopic.php?f=24&t=94 ------------ Other services @ http://my.co.ke

It's worrying most financial institutions too are vulnerable. Very worrying.
On Wed, Apr 9, 2014 at 10:32 AM, Haggai Nyang <haggai.nyang@gmail.com> wrote:

Higher education institutes are too. http://filippo.io/Heartbleed
On Wed, Apr 9, 2014 at 9:47 AM, ty <tyruskam@gmail.com> wrote:

Confirm if the extension is running on your server; if it is, run the fix.
http://rehmann.co/projects/heartbeat/?domain=
Sys Admin hats on.

Anyone know the following sysadmins? Please give them a ping.
Consolidated bank: http://filippo.io/Heartbleed/#www.consolidated-bank.com
president.go.ke
uonbi.ac.ke
On Wed, Apr 9, 2014 at 11:46 AM, Patrick Kariuki <patrick.kariuki@gmail.com> wrote:

Laban, done, that and Rupu as well.
On Wed, Apr 9, 2014 at 3:21 PM, Laban Mwangi <lmwangi@gmail.com> wrote:

So Microsoft being insecure is all really a myth. When's the last time you heard of a security flaw of this magnitude in IIS or Windows Server?
On Wed, Apr 9, 2014 at 3:28 PM, ty <tyruskam@gmail.com> wrote:

The problem is bigger than websites: consider telecom providers who run RADIUS with TLS, or those running WiFi with RADIUS+TLS (EAP-TLS, PEAP, EAP-TTLS, etc.)... call records, caller identities and user credentials may be more interesting.
On Wed, Apr 9, 2014 at 5:11 PM, Tech List Kenya <techlistkenya@gmail.com> wrote:

And the reverse is true. A malicious server operator might decide to grab your memory by abusing the heartbeat extension.... Worse, they might DNS-poison an ISP's resolver, proxy traffic and grab a lot of Internet banking secrets :/
On Wed, Apr 9, 2014 at 5:23 PM, Kennedy Aseda <samskid5@gmail.com> wrote:
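Why the attack works in both directions, as an added example rather than code from the thread or from OpenSSL: a Python model of tls1_process_heartbeat() from OpenSSL 1.0.1's t1_lib.c, the one function both client and server run on any heartbeat record they receive. The heap bytearray, the neighbouring "session=..." and key bytes and the 8-byte offset are constructed for the demo and are not real data. The vulnerable path reads the 16-bit payload length out of the record and memcpy()s that many bytes starting at the payload, so the copy runs off the end of the record actually received; the patched path adds the two length checks 1.0.1g introduced, which discard any request whose claimed payload plus 16 bytes of padding exceeds the record length.

```python
"""Model of OpenSSL 1.0.1's tls1_process_heartbeat(), vulnerable and patched.
Added example, not code from the thread or from OpenSSL itself. The heap is
a bytearray with the received heartbeat record sitting between constructed
neighbour data; the handler copies `payload` bytes from the record's payload
exactly as the C memcpy() did, without asking how long the record really is."""
import os
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16                                    # minimum padding, RFC 6520


def process_heartbeat(heap, rec_start, rec_len, patched):
    """heap: process memory; rec_start / rec_len: where the received record
    body really is and how long it really is (s->s3->rrec.data / .length).
    Returns the response body, or None when the request is discarded."""
    if patched and 1 + 2 + PADDING > rec_len:
        return None                                 # 1.0.1g: silently discard
    hbtype = heap[rec_start]
    payload = struct.unpack("!H", heap[rec_start + 1:rec_start + 3])[0]  # n2s(p, payload)
    if patched and 1 + 2 + payload + PADDING > rec_len:
        return None                                 # 1.0.1g: silently discard
    if hbtype != HB_REQUEST:
        return None
    pl = rec_start + 3
    # memcpy(bp, pl, payload): trusts the peer's length field, so the copy runs
    # off the end of the real record into whatever follows it on the heap.
    echoed = bytes(heap[pl:pl + payload])
    return bytes([HB_RESPONSE]) + struct.pack("!H", payload) + echoed + os.urandom(PADDING)


def constructed_heap(claimed_len, real_payload=b"hi", pad=False):
    """Toy heap: 8 bytes of nothing, the heartbeat record (plus the 16 bytes of
    padding a well-formed request carries when pad=True), then bytes that merely
    happen to sit next to it. The neighbour content is made up for the demo."""
    record = bytes([HB_REQUEST]) + struct.pack("!H", claimed_len) + real_payload
    record += b"\x00" * PADDING if pad else b""
    neighbour = b"session=4f2a9c1e; -----BEGIN RSA PRIVATE KEY-----"
    return bytearray(b"\x00" * 8 + record + neighbour), 8, len(record)


def simulate(claimed_len, patched, real_payload=b"hi", pad=False):
    """Push one request through the handler. Returns (response, leaked), where
    leaked is every echoed byte that was never part of the real payload."""
    heap, start, length = constructed_heap(claimed_len, real_payload, pad)
    resp = process_heartbeat(heap, start, length, patched)
    if resp is None:
        return None, b""
    return resp, resp[3 + len(real_payload):len(resp) - PADDING]


if __name__ == "__main__":
    for patched in (False, True):
        resp, leaked = simulate(48, patched)
        label = "patched" if patched else "vulnerable"
        print(label, "->", "discarded" if resp is None else f"{len(leaked)} bytes leaked: {leaked!r}")
```

Running it shows the unpatched handler echoing 46 bytes of the neighbouring "session" and key material for a request that carried two real bytes, and the patched handler discarding the same request. Nothing in the function depends on which side of the connection it runs on, which is the point of the reverse case: a rogue or proxied server sends the same malformed record to a 1.0.1 client.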

Labo, agreed. However, websites, ecommerce and banking portals have probably been patched already due to the publicity being given to the vulnerability's effect on those platforms. People are however not looking at the bigger picture of other applications depending on OpenSSL, and malicious users are going to have a couple of field days.
On Thu, Apr 10, 2014 at 12:22 AM, Laban Mwangi <lmwangi@gmail.com> wrote:
participants (6)
- Haggai Nyang
- Kennedy Aseda
- Laban Mwangi
- Patrick Kariuki
- Tech List Kenya
- ty