[BlueOnyx:15118] OpenSSL (CenOS-6.5/SL-6.5) CVE-2014-0160

Michael Stauber mstauber at blueonyx.it
Mon Apr 7 20:21:00 -05 2014 

Hi all,

A critical OpenSSL vulnerability was found in the OpenSSL version that
ships with CentOS-6.5 and SL-6.5. The older OpenSSL-0.9.8 on CentOS-5.10
is not affected:

OpenSSL Security Advisory [07 Apr 2014]
========================================

TLS heartbeat read overrun (CVE-2014-0160)
==========================================

A missing bounds check in the handling of the TLS heartbeat extension
can be used to reveal up to 64k of memory to a connected client or server.

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including
1.0.1f and 1.0.2-beta1.

See: https://www.openssl.org/news/secadv_20140407.txt

-------------------

More info on it is available here:

http://heartbleed.com/

The gist of it (and it's pretty bad) is:

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL
cryptographic software library. [...]

The Heartbleed bug allows anyone on the Internet to read the memory of
the systems protected by the vulnerable versions of the OpenSSL
software. This compromises the secret keys used to identify the service
providers and to encrypt the traffic, the names and passwords of the
users and the actual content. This allows attackers to eavesdrop
communications, steal data directly from the services and users and to
impersonate services and users.

Without any privileged information it's possible to steal the login
credential and secret keys for X.509 certificates and more.

It's pretty much the wet dream of the NSA and anyone else who's up for
mischief.

In my personal opinion it equals the nuclear meltdown as far as SSL is
concerned.

Once fixed OpenSSL RPMs are available, one actually would be well
advised to get new SSL certificates as your private SSL keys have been
leaked during each and any prior SSL connection. Someone might have
caught them and can then use them to decrypt all future SSL sessions.
Unless perfect forwarding secrecy has been used during the captured
session. But it goes beyond that. As long as the vulnerable OpenSSL is
used, the box can be tricked into revealing the contends of its memory
in one 64k memory chunk after another, which might reveal a lot of
sensitive information that goes beyond login data, emails or certificate
information.

Yet it goes further. Pretty much every service that provides encryption
relies on OpenSSL. Think OpenSSH, Apache, Dovecot, Sendmail. The list
goes on.

Let's see how fast this gets patched by upstream.

-- 
With best regards

Michael Stauber

More information about the Blueonyx mailing list