
PSA: Heartbleed SSL Bug (Severe)

Discussion in 'General Discussion' started by Adward, Apr 9, 2014.

  1. Adward

    Adward Game Server Moderator Staff Member

    Most of you guys have probably heard about this one - a bug in OpenSSL, the cipher system that powers about 60% of the web's secure traffic, has been released and is being openly exploited against vulnerable targets.

    The worst bit is, no one knows whether or not a service has been compromised, and the attacks can often leave no trace in server logs. You can check a site's security level here:

    https://www.ssllabs.com/ssltest/

    I'm just going to leave a PSA here to change your most valued passwords (email/banking/paypal/etc) for sites, and to keep an eye on unusual activity.
     
  2. Stefeman

    Stefeman Head Administrator Staff Member

    We're aware of it, and we're running FreeBSD anyway :P

    It does not concern us.

    Thanks for reporting though.
     
  3. Adward

    Adward Game Server Moderator Staff Member

    Not gonna lie, looked up MG in the tool myself. :P

    Just decided to aim this thread at users who have logins on other sites. :)
     
  4. fnord

    fnord Game Server Moderator Staff Member

    In case anyone is worried, the bug has to be fixed on the server side, meaning you do not have to do anything personally (unless you run a site with OpenSSL ;) ). Also, while this is a huge bug, there would have to be a MITM attack in order for your PC/data to be compromised. The only thing the average Joe can do is change their password for any site that uses OpenSSL, if you want to be on the safe side.
     
  5. Kitties

    Kitties Head Administrator

    Not true, clients can be vulnerable too. Focus has mainly been on how this affects servers because essentially anyone with an internet connection can connect to a public server running http+ssl/tls. However, the affected functions, tls1_process_heartbeat() and dtls1_process_heartbeat(), are used by both clients and servers, so clients are potentially just as vulnerable as servers. A Proof of Concept for an attack by a server on a client can be found here: https://github.com/Lekensteyn/pacemaker

    I quote from the above link:
    So what does this mean for the average user?

    If you run the following operating systems:

    OSX/OSX Server + iOS: No need to worry, OSX/OSX Server ships with OpenSSL 0.9.8y, before heartbeat was implemented. Additionally, OpenSSL has never been a part of iOS. You're immune. However, if you manually installed a newer library of OpenSSL as a dependency for other programs (like I did lol), then you're gonna want to patch ASAP.

    Windows: You probably won't have to worry (Windows uses SChannel/SSPI) unless individual applications of yours involve TLS through OpenSSL (cygwin, etc...), in which case you will want to patch that ASAP.

    Unix-based: You're probably vulnerable. These distros have shipped with a potentially vulnerable OpenSSL version, and will probably need patching:

    • Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
    • Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
    • CentOS 6.5, OpenSSL 1.0.1e-15
    • Fedora 18, OpenSSL 1.0.1e-4
    • OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)
    • FreeBSD 10.0 - OpenSSL 1.0.1e 11 Feb 2013
    • NetBSD 5.0.2 (OpenSSL 1.0.1e)
    • OpenSUSE 12.2 (OpenSSL 1.0.1c)
    If you're running these, you're probably fine unless you've installed the vulnerable package independently, in which case you'll need to patch:

    • Debian Squeeze (oldstable), OpenSSL 0.9.8o-4squeeze14
    • SUSE Linux Enterprise Server
    • FreeBSD 8.4 - OpenSSL 0.9.8y 5 Feb 2013
    • FreeBSD 9.2 - OpenSSL 0.9.8y 5 Feb 2013
    • FreeBSD Ports - OpenSSL 1.0.1g (At 7 Apr 21:46:40 2014 UTC)

    If you run the following software:

    Mozilla products/Chrome: All use NSS, so probably unaffected.

    Anything else that uses TLS, I would check to see what libraries it's using. Better safe than sorry.

    Besides all of this, you may want to change your passwords on websites such as Facebook, Gmail, etc... and you will DEFINITELY want to change your password if you use Yahoo, as that site was still vulnerable for at least 8 hours after the disclosure of the attack, and was leaking email/password combinations in plaintext.

    The scariest thing about this is we have no idea how long this bug has been exploited for. It's been present for approximately 2 years now, and it was only discovered by two teams who independently found it and decided to responsibly disclose it two weeks ago. Someone could have easily found it, said "Oh that's cool", and never told a soul. Combine that with the fact that it's impossible to retroactively discover if anyone exploited your server in that way (it leaves no abnormal log entries), and this whole thing turns into a sysadmin's nightmare.

    However, I digress. The point is that while this bug doesn't affect the end user to the extent that it affects servers, you can easily still be vulnerable as an end user, so it's worth investigating to see if you're running anything at all that would possibly use OpenSSL.

    Stay Safe,

    -Kitties
     
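    An added triage script (not from the thread or from any of the posters) that applies the rule behind Kitties' list above: the heartbeat code first shipped in upstream OpenSSL 1.0.1 and was fixed in 1.0.1g, the 0.9.8 and 1.0.0 branches never had it, and distro packages with a backported fix keep the old upstream letter, so those can only be judged against the distro's own advisory. The sample entries are copied from the post; the function names are my own.

```python
import re

# Heartbleed lives in the TLS heartbeat code that first shipped in upstream
# OpenSSL 1.0.1 and was fixed in 1.0.1g. The 0.9.8 and 1.0.0 branches never
# contained the heartbeat extension. (Added example, not the thread's code.)
FIXED_LETTER = "g"

# Matches "OpenSSL 1.0.1e-2+deb7u4", "OpenSSL 0.9.8y 5 Feb 2013", etc.
# Anchoring on "OpenSSL" avoids picking up distro versions like "12.04.4".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-(\S+))?")


def classify(entry):
    """Return 'not_affected', 'vulnerable', 'fixed', 'check_distro' or 'unknown'."""
    m = _VERSION_RE.search(entry)
    if not m:
        return "unknown"
    release = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter, suffix = m.group(4), m.group(5)
    if release < (1, 0, 1):
        return "not_affected"   # 0.9.8x / 1.0.0x: no heartbeat code at all
    if release == (1, 0, 2) and suffix == "beta1":
        return "vulnerable"     # the one 1.0.2 pre-release that had the bug
    if release > (1, 0, 1) or letter >= FIXED_LETTER:
        return "fixed"          # 1.0.1g and later, 1.0.2 final and later
    # Upstream 1.0.1 through 1.0.1f is vulnerable, but distros backport the
    # fix without bumping the upstream letter (e.g. Debian's "-2+deb7uN"),
    # so a packaged build can only be judged against the distro's advisory.
    return "check_distro" if suffix else "vulnerable"


def triage(entries):
    """Map each version line to its classification."""
    return {entry: classify(entry) for entry in entries}


# Constructed input: lines taken from the post above.
SAMPLE_ENTRIES = [
    "Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4",
    "Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11",
    "OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012)",
    "FreeBSD 10.0 - OpenSSL 1.0.1e 11 Feb 2013",
    "FreeBSD 8.4 - OpenSSL 0.9.8y 5 Feb 2013",
    "FreeBSD Ports - OpenSSL 1.0.1g (At 7 Apr 21:46:40 2014 UTC)",
]

if __name__ == "__main__":
    for entry, verdict in triage(SAMPLE_ENTRIES).items():
        print(f"{verdict:13} {entry}")
```

    A "check_distro" verdict is not a clean bill of health: the package may or may not carry the backported fix, so confirm it with the vendor's Heartbleed advisory or an `openssl version -a` build date.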
  6. erik

    erik MG Donor

    fuck this shit
     
  7. lukemurawski

    lukemurawski Senior Member

    Awesome description, Kitties! Also, long time no see.
     
  8. marvel

    marvel Head Administrator Staff Member

    Nice post indeed Kitties.

    To follow up on that, make sure you always use 2-factor authentication if you're using web mail. Google supports it, and I'm sure other mail providers like Yahoo and Hotmail do so as well. 2-factor means you need a password + another authentication method to get into your email box, like a security token or SMS code.

    I've already seen too many examples of hijacked steam accounts, hacked mail accounts etc. so don't be lazy.
     
  9. Stefeman

    Stefeman Head Administrator Staff Member

    I second the 2-factor authentication..

    It's really a pain in the ass sometimes to wait 3-7 seconds for the SMS, but it's totally worth it in the end..

    Even if someone gets your password, they can't get into any of your Google services (Gmail, YouTube, Wallet, etc) without your phone too.

    Same with Steam accounts.. enable Steam Guard ASAP.
     
  10. Adward

    Adward Game Server Moderator Staff Member

    My steam account has a CS:GO inventory worth around