oss-sec mailing list archives
Re: OpenSSL 1.0.1 TLS/DTLS hearbeat information disclosure CVE-2014-0160
From: Yves-Alexis Perez <corsac () debian org>
Date: Tue, 8 Apr 2014 22:28:24 +0200
On Tue, Apr 08, 2014 at 02:03:46PM -0600, Kurt Seifried wrote:
So to respond/clear up some points: It appears Codenomicon and Google found the vulnerability independently. Google reported it to OpenSSL. Codenomicon reported it to NCSC-FI, I'm not sure who (Codenomicon or NCSC-FI) drove the notification of CloudFlare/etc. and they also reported it to OpenSSL (I don't know if that was before or after notifying OpenSSL).
Well, as I put in my tentative timeline, and according to Jussi Eronen (from NCSC-FI, afaict) mail in that thread, NCSC-FI only reported to OpenSSL “a couple of hours before the advisory”, so my understand is that NCSC-FI was not aware of the vulnerability last week. Maybe Codenomicon was, though. Jussi, could you confirm that?
1) Mark J. Cox did not give Red Hat any advanced warning, he strongly separates what he does with OpenSSL with what he does with Red Hat (this is quite common at Red Hat, for example we have a guy on the Debian security team, the Samba group, etc.). I for example sometimes issue private CVE's in advance, but they don't get bugs filed/etc until they hit a "public" source like distros@ or oss-security@. 2) Mark informed Red Hat and as you can see from the public time line Huzaifa entered a bug into BZ and then notified distros@ about 14 minutes later, basically at the same time. Red Hat SRT is globally situated so anyone from distros@ emailing us for details would have gotten a very prompt response.
Ok the “Mark notifies^Winforms Red Hat” line and the “Huzaifa Sidhpurwala opens a bug” could actually be merged, they were more or less at the same time.
3) At this point the plan was to embargo this until April 9th (I forget what time), giving everyone 2+ days to deal with it. So OpenSSL in conjunction with Red Hat attempted to do a coordinated response with the community.
I'm also unsure why that could not have been done earlier, when OpenSSL was first notified (by Google, supposedly).
4) Things blew up. My understanding is that OpenSSL made this public due to additional reports, I suspect it boiled down to "Group A found this flaw, reported it, and has a reproducer, and now Group B found the same thing independently and also has a reproducer. chances are the bad guys do as well so better to let everyone know the barn door is open now rather than wait 2 more days" but there may be other factors I'm not aware.
Yeah, maybe the report by NCSC-FI to OpenSSL scared them. I don't know who to contact at OpenSSL and I'm not sure if they read the list.
5) Monday morning: everyone is scrambling to get patches out and update systems.
Actually, all times are UTC. I don't know about others, but Debian security team is mostly in western Europe, so it was monday evening/night.
6) At least one vendor (CloudFlare) posts a blog entry stating they were notified a week ago by Codenomicon/NCSC-FI , and claiming that it was via "responsible disclosure". Other major vendors were not informed (e.g. Amazon: http://aws.amazon.com/security/security-bulletins/heartbleed-bug-concern/).
I don't think they said they were notified by Codenomicon/NCSC-FI (and that doesn't fit the timeline).
7) At least one vendor (Google) found this independently and, as I understand it, patched their own systems (which is completely understandable).
Indeed.
I don't want to point finger, but I sincerely hope the next time something like that happens, coordination will be done early in the processus, and relevant vendors will have a chance to prepare themselvesAs you can see above, it was attempted, but Murphy's law took over.
Sure, thank you for starting that coordination as soon as you were made aware of the vulnerability (and sorry we weren't there monday morning UTC to help you on that). I was more ranting about what happened and did not happened “last week”. Regards, -- Yves-Alexis Perez
Attachment:
signature.asc
Description: Digital signature
Current thread:
- OpenSSL 1.0.1 TLS/DTLS hearbeat information disclosure CVE-2014-0160 Tomas Hoger (Apr 07)
- Re: OpenSSL 1.0.1 TLS/DTLS hearbeat information disclosure CVE-2014-0160 Reed Loden (Apr 07)
- Re: OpenSSL 1.0.1 TLS/DTLS hearbeat information disclosure CVE-2014-0160 Alex Gaynor (Apr 07)
- Re: OpenSSL 1.0.1 TLS/DTLS hearbeat information disclosure CVE-2014-0160 Yves-Alexis Perez (Apr 07)
- Re: OpenSSL 1.0.1 TLS/DTLS hearbeat information disclosure CVE-2014-0160 Marcus Meissner (Apr 07)
- Re: OpenSSL 1.0.1 TLS/DTLS hearbeat information disclosure CVE-2014-0160 Jussi Eronen (Apr 08)
- Re: OpenSSL 1.0.1 TLS/DTLS hearbeat information disclosure CVE-2014-0160 Yves-Alexis Perez (Apr 08)
- Re: OpenSSL 1.0.1 TLS/DTLS hearbeat information disclosure CVE-2014-0160 Kurt Seifried (Apr 08)
- Re: OpenSSL 1.0.1 TLS/DTLS hearbeat information disclosure CVE-2014-0160 Yves-Alexis Perez (Apr 08)
- Re: OpenSSL 1.0.1 TLS/DTLS hearbeat information disclosure CVE-2014-0160 Solar Designer (Apr 08)
- Re: OpenSSL 1.0.1 TLS/DTLS hearbeat information disclosure CVE-2014-0160 Michal Zalewski (Apr 09)
- Re: OpenSSL 1.0.1 TLS/DTLS hearbeat information disclosure CVE-2014-0160 Jussi Eronen (Apr 25)
- Re: OpenSSL 1.0.1 TLS/DTLS hearbeat information disclosure CVE-2014-0160 Reed Loden (Apr 07)
- Re: OpenSSL 1.0.1 TLS/DTLS hearbeat information disclosure CVE-2014-0160 Donald Stufft (Apr 08)
- Re: OpenSSL 1.0.1 TLS/DTLS hearbeat information disclosure CVE-2014-0160 Vincent Danen (Apr 08)
- Re: OpenSSL 1.0.1 TLS/DTLS hearbeat information disclosure CVE-2014-0160 Florian Weimer (Apr 08)
- Re: OpenSSL 1.0.1 TLS/DTLS hearbeat information disclosure CVE-2014-0160 Huzaifa Sidhpurwala (Apr 08)
- Re: OpenSSL 1.0.1 TLS/DTLS hearbeat information disclosure CVE-2014-0160 Yves-Alexis Perez (Apr 09)
- Re: OpenSSL 1.0.1 TLS/DTLS hearbeat information disclosure CVE-2014-0160 Huzaifa Sidhpurwala (Apr 09)
- Re: OpenSSL 1.0.1 TLS/DTLS hearbeat information disclosure CVE-2014-0160 Marcus Meissner (Apr 09)