HeartBleed Vulnerability

It's been quite a while since a vulnerability like this has been uncovered.  There is no doubt that this is a serious one and it affects many products.  What makes this a problem is not only that it has serious consequences, but also that it isn't that hard to exploit.  Affected versions of OpenSSL have also been around for a long time since around April 2012 meaning the impact up to now is unknown.
Recommendations are to patch the affected products, renew certificates and ensure users change their passwords.

OpenSSL versions 1.0.1 - 1.0.2.  OpenSSL advise Affected users should upgrade to
OpenSSL 1.0.1g and users unable to immediately upgrade can opt to recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.  1.0.2 will be fixed in 1.0.2-beta2.

The list below are links to some of the affected products.  There are many more.

VMWare
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2076225

Fortinet
http://www.fortiguard.com/advisory/FG-IR-14-011

Juniper
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10623

Cisco
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed

Watchguard
http://watchguardsecuritycenter.com/2014/04/08/the-heartbleed-openssl-vulnerability-patch-openssl-asap

Aruba
http://www.arubanetworks.com/support/alerts/aid-040814.asc

CheckPoint
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk100173

RedHat
https://access.redhat.com/security/cve/CVE-2014-0160

F5
http://support.f5.com/kb/en-us/solutions/public/15000/100/sol15159.html

McAfee

https://kc.mcafee.com/corporate/index?page=content&id=SB10071

Symantec
http://www.symantec.com/business/support/index?page=content&id=TECH216558

Ubuntu
http://www.ubuntu.com/usn/usn-2165-1/

FreeBSD
http://www.freebsd.org/security/advisories/FreeBSD-SA-14:06.openssl.asc

RedHat
https://access.redhat.com/site/announcements/781953

Comments

  1. Anonymous12 April 2014 at 00:13

    Excellent information. At last, someone that makes sense of the "noise" generated around exploits such as this. Well done. Kawalski

    ReplyDelete

Post a Comment

Popular posts from this blog

configuring the zmodo ZP-IBi-13W camera to work with Blue Iris Software.

Image
Off topic.......configuring the zmodo ZP-IBi-13W camera to work with Blue Iris Software. Many people have had issues getting these cameras to display video in any other sotware except the supplied z-viewer.  Here is how I got it working with the Blue Iris Software.  The settings may work with other software but have not been tested. Pre-Requisites First set the camera up using the instructions with the camera using zviewer and zsight software. You will need to find the cameras wireless ip address.   If possible set this statically by connecting to the cameras IP address using internet explorer.   .. http://ip-of-camera.. .   Note it does not work with Firefox of chrome. Once working you need to install Blue Iris Software on a machine which can contact the cameras.   Usually this will be sitting on the same network but it will work over a router network providing   the required ports are allowed Blue Iris Installation Load up the Blue Iris Software and Add a new camer
Read more

Apple MAC Fake Virus Alert

Similar to the windows fake AV alerts, MAC users have now been targeted with a fake AV scam. After visiting an infected site, the software scans the users hard disk and reports on viruses found. Users are then given the opportunity to purchase remedial AV software, thus parting with credit card information. The trick here is that is can masqurade as the legitimate MAC Defender application making the users less suspicious about the warnings. Apple Mac users have been adviced to disable a setting in the Safari browser that allows "safe" files to be automatically installed. Full details on removing and preventing this malware can be found here. Apple MAC Malware Removal
Read more

Movie Magic

If only hacking was as much fun as it looks in the movies ! I want one of those gizmo`s which can crack any cipher by connecting it to my mobile phone. I also need to practice typing madly into a computer which displays nothing but a load of random heiroglyphics while I consume large quantities of coffee, cookies and coke.....It must be possible cause I saw it in a film...Oh and I need to make sure I can easily be bribed by an attractive busty female who would likely never be interested in me....now that bit could contain an element of fact... Hackers Movie.........Fun Movie, factually a joke...
Read more