oss-sec mailing list archives
Re: OpenSSL 1.0.1 TLS/DTLS hearbeat information disclosure CVE-2014-0160
From: "Vincent Danen" <vdanen () redhat com>
Date: Tue, 08 Apr 2014 14:33:10 -0600
On 04/08/2014, at 13:37 PM, Yves-Alexis Perez wrote:
On Tue, Apr 08, 2014 at 06:17:57PM +0300, Jussi Eronen wrote:Hello, On 04/08/2014 01:05 AM, Yves-Alexis Perez wrote:On Mon, Apr 07, 2014 at 01:56:27PM -0700, Reed Loden wrote:Was this not coordinated with the distros at all? If not, that seems like major fail on the reporters and NCSC-FI's part. :/There was a mail from Red Hat on monday morning (CEST) with no detail and a CRD to april 9th. It seems OpenSSL advisory came a bit uncoordinated, actually, which (it seems) triggered the release of the heartbeat and cloudfare posts, as well as the Red Hat one here.We reported the issue to OpenSSL a couple of hours before the advisory was published. Our plan was to start notifications to distros and other vendors after discussing with OpenSSL. Codenomicon did mention us as the coordinator in the original text of heartbleed.com, but the current text reflects the situation quite well: """ Who coordinates response to this vulnerability? NCSC-FI took up the task of reaching out to the authors of OpenSSL, software, operating system and appliance vendors, which were potentially affected. However, this vulnerability was found and details released independently by others before this work was completed. Vendors should be notifying their users and service providers. Internet service providers should be notifying their end users where and when potential action is required. """Thanks for the clarification. I suppose nobody knows who are those “others” who released independently? I think it might help to provide a full timeline of this. Here are the bits I know about, feel free to complete the missing bits: Sometimes (when?) : Neel Mehta of Google Security discovers the vulnerability Later (when?) : Google Security notifies OpenSSL Sometimes last week : someones (who? OpenSSL?) notifes CloudFlare (and maybe other vendors)
OpenSSL did not tell CloudFare. It is unclear who did.
Mon, 07 Apr 2014 guess : Mark Cox of OpenSSL (but also working at Red Hat SRT) notifies Red Hat and authorizes them to share details of the vulns Mon, 07 Apr 2014 05:56 : Huzaifa Sidhpurwala (RH) add a bug to Red Hat bugzilla Mon, 07 Apr 2014 06:10 : Huzaifa Sidhpurwala sends a mail to distros list with no details but an offer to request them privately Mon, 07 Apr 2014 ~15:30: NCSC-FI reports issue to OpenSSL Mon, 07 Apr 2014 16:53 : Fix is committed to OpenSSL git (not sure if it was public or private at that point)
At this point it was private.
Mon, 07 Apr 2014 : someone (who?) releases something (what, where?) Mon, 07 Apr 2014 17:27 : OpenSSL releases advisory Mon, 07 Apr 2014 18:00 : CloudFlare posts blog entry Mon, 07 Apr 2014 19:00 : Heartbleed.com is published Wed, 09 Apr 2014 : initial CRD At that point, we (Debian) started some kind of “public situation room” on #debian-security and we tried to build updates ASAP, along with trying to find more info on this (for example, I'm still unsure how easy it really is to find some valuable data in those 64kB of process heap memory). I have to admit the handling of that vulnerability was really not the best disclosure I could find, whatever Cloudfare is thinking about this. It seems that some people where actually knowing about this quite early because of their proximitity with involved projects (Google Security, OpenSSL project, Red Hat Security), which I consider pretty normal. But no effort was apparently made to coordinate something at that point, until crash mode was activated sometimes on april 7th (which might have been the best thing to do if someone noticed it was exploited in the wide, but since we didn't get that kind of information we can only speculate) I don't want to point finger, but I sincerely hope the next time something like that happens, coordination will be done early in the processus, and relevant vendors will have a chance to prepare themselves with a bit more than a two-days warning (or no warning at all). And I do know it's not always easy to identify a relevant group of vendors, but even when it's too late, coordinated disclosure and unique/authoritative information point is really helpful for everyone. Regards, -- Yves-Alexis Perez
-- Vincent Danen / Red Hat Security Response Team
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- Re: OpenSSL 1.0.1 TLS/DTLS hearbeat information disclosure CVE-2014-0160, (continued)
- Re: OpenSSL 1.0.1 TLS/DTLS hearbeat information disclosure CVE-2014-0160 Yves-Alexis Perez (Apr 07)
- Re: OpenSSL 1.0.1 TLS/DTLS hearbeat information disclosure CVE-2014-0160 Marcus Meissner (Apr 07)
- Re: OpenSSL 1.0.1 TLS/DTLS hearbeat information disclosure CVE-2014-0160 Jussi Eronen (Apr 08)
- Re: OpenSSL 1.0.1 TLS/DTLS hearbeat information disclosure CVE-2014-0160 Yves-Alexis Perez (Apr 08)
- Re: OpenSSL 1.0.1 TLS/DTLS hearbeat information disclosure CVE-2014-0160 Kurt Seifried (Apr 08)
- Re: OpenSSL 1.0.1 TLS/DTLS hearbeat information disclosure CVE-2014-0160 Yves-Alexis Perez (Apr 08)
- Re: OpenSSL 1.0.1 TLS/DTLS hearbeat information disclosure CVE-2014-0160 Solar Designer (Apr 08)
- Re: OpenSSL 1.0.1 TLS/DTLS hearbeat information disclosure CVE-2014-0160 Michal Zalewski (Apr 09)
- Re: OpenSSL 1.0.1 TLS/DTLS hearbeat information disclosure CVE-2014-0160 Jussi Eronen (Apr 25)
- Re: OpenSSL 1.0.1 TLS/DTLS hearbeat information disclosure CVE-2014-0160 Yves-Alexis Perez (Apr 07)
- Re: OpenSSL 1.0.1 TLS/DTLS hearbeat information disclosure CVE-2014-0160 Donald Stufft (Apr 08)
- Re: OpenSSL 1.0.1 TLS/DTLS hearbeat information disclosure CVE-2014-0160 Vincent Danen (Apr 08)
- Re: OpenSSL 1.0.1 TLS/DTLS hearbeat information disclosure CVE-2014-0160 Florian Weimer (Apr 08)
- Re: OpenSSL 1.0.1 TLS/DTLS hearbeat information disclosure CVE-2014-0160 Huzaifa Sidhpurwala (Apr 08)
- Re: OpenSSL 1.0.1 TLS/DTLS hearbeat information disclosure CVE-2014-0160 Yves-Alexis Perez (Apr 09)
- Re: OpenSSL 1.0.1 TLS/DTLS hearbeat information disclosure CVE-2014-0160 Huzaifa Sidhpurwala (Apr 09)
- Re: OpenSSL 1.0.1 TLS/DTLS hearbeat information disclosure CVE-2014-0160 Marcus Meissner (Apr 09)
- Re: OpenSSL 1.0.1 TLS/DTLS hearbeat information disclosure CVE-2014-0160 Marc Deslauriers (Apr 09)