Re: Serious bug in ubiquitous OpenSSL library: "Heartbleed"

["Patrick W. Gilmore" <patrick () ianai net>]

Lots of tools available. I'm with ferg, surprised more haven't been mentioned here.

Tools to check for the bug:
        • on your own box: https://github.com/musalbas/heartbleed-masstest/blob/master/ssltest.py
        • online: http://filippo.io/Heartbleed/ (use carefully as they might log what you check)
        • online: http://possible.lv/tools/hb/
        • offline: https://github.com/tdussa/heartbleed-masstest <--- Tobias Dussa, also Takes a CSV file with host 
names for input and ports as parameter
        • offline: http://s3.jspenguin.org/ssltest.py
        • offline: https://github.com/titanous/heartbleeder

List of vulnerable Linux distributions: <http://www.circl.lu/pub/tr-21/>.

Anyone have any more?

-- 
TTFN,
patrick


On Apr 08, 2014, at 12:11 , Jonathan Lassoff <jof () thejof com> wrote:

> For testing, I've had good luck with
> https://github.com/titanous/heartbleeder and
> https://gist.github.com/takeshixx/10107280
>
> Both are mostly platform-independent, so they should be able to work even
> if you don't have a modern OpenSSL to test with.
>
> Cheers and good luck (you're going to need it),
> jof
>
> On Tue, Apr 8, 2014 at 5:03 PM, Michael Thomas <mike () mtcc com> wrote:
>
> > Just as a data point, I checked the servers I run and it's a good thing I
> > didn't reflexively update them first.
> > On Centos 6.0, the default openssl is 1.0.0 which supposedly doesn't have
> > the vulnerability, but the
> > ones queued up for update do. I assume that redhat will get the patched
> > version soon but be careful!
> >
> > Mike
> >
> >
> > On 04/07/2014 10:06 PM, Paul Ferguson wrote:
> >
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA256
> > >
> > > I'm really surprised no one has mentioned this here yet...
> > >
> > > FYI,
> > >
> > > - - ferg
> > >
> > >
> > >
> > > Begin forwarded message:
> > >
> > > From: Rich Kulawiec <rsk () gsp org> Subject: Serious bug in
> > > > ubiquitous OpenSSL library: "Heartbleed" Date: April 7, 2014 at
> > > > 9:27:40 PM EDT
> > > >
> > > > This reaches across many versions of Linux and BSD and, I'd
> > > > presume, into some versions of operating systems based on them.
> > > > OpenSSL is used in web servers, mail servers, VPNs, and many other
> > > > places.
> > > >
> > > > Writeup: Heartbleed: Serious OpenSSL zero day vulnerability
> > > > revealed
> > > > http://www.zdnet.com/heartbleed-serious-openssl-zero-day-vulnerability-
> > > > revealed-7000028166/
> > > >
> > > >  Technical details: Heartbleed Bug http://heartbleed.com/
> > > >
> > > > OpenSSL versions affected (from link just above):  OpenSSL 1.0.1
> > > > through 1.0.1f (inclusive) are vulnerable OpenSSL 1.0.1g is NOT
> > > > vulnerable (released today, April 7, 2014) OpenSSL 1.0.0 branch is
> > > > NOT vulnerable OpenSSL 0.9.8 branch is NOT vulnerable
> > > - -- Paul Ferguson
> > > VP Threat Intelligence, IID
> > > PGP Public Key ID: 0x54DC85B2
> > > -----BEGIN PGP SIGNATURE-----
> > > Version: GnuPG v2.0.22 (MingW32)
> > > Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
> > >
> > > iF4EAREIAAYFAlNDg9gACgkQKJasdVTchbIrAAD9HzKaElH1Tk0oIomAOoSOvfJf
> > > 3Dvt4QB54os4/yewQQ8A/0dhFZ/YuEdA81dkNfR9KIf1ZF72CyslSPxPvkDcTz5e
> > > =aAzE
> > > -----END PGP SIGNATURE-----

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail