[svlug] OpenSSL bug strikes back
maestro
maestro415 at gmail.com
Fri Jun 6 09:28:17 PDT 2014
Thanks Rick...
Message ends.
________________
On Friday, June 6, 2014, Rick Moen <rick at linuxmafia.com> wrote:
> Remember back in April, when a large portion of the Internet was
> suddenly exposed to a grave bug ('Heartbleed') in the OpenSSL crypto
> libraries? Back then, it turned out upon examination that most systems
> using OpenSSL ducked the bullet because only the very most recent
> OpenSSL releases (1.0.1 through 1.0.1f) included the buggy and mostly
> pointless feature.
>
> Well, it's a new day, and an... old bug has been discovered. That is,
> a very grave coding error (CVE-2014-0224) has been discovered that's
> been present in -every- release of OpenSSL since the very beginning -
> all 16 years of releases.
>
> Thursday, a coder named Masashi Kikuchi was working on a project to
> write his own SSL/TLS code, and one of the uncertain parts was a
> protocol spec called ChangeCipherSpec (CCS), whereby an SSL or TLS
> client and server can, at specified times and carefully controlled ways,
> negotiate change from one cipher suite to another.
>
> So, Masashi studied the way OpenSSL implemented CCS - and quickly
> noticed that OpenSSL does it wrong. OpenSSL doesn't merely accept CCS
> requests at the specified times and carefully controlled ways, but also
> at pretty much any time and any manner - with the consequence that
> attackers can exploit this nonstandard behaviour so that they can
> decrypt and/or modify data in the communication channel.
>
> Which OpenSSL versions, you ask? As I mentioned above, all of them.
> Every single release of OpenSSL over the past 16 years has had
> exploitably buggy CCS.
>
>
> Remember how many sites were quietly relieved that the Heartbleed bug
> didn't affect SSH, only SSL-wrapped HTTP? No such luck, this time. I
> see offhand no reason why this bug cannot also be used to attack
> OpenSSH. (I could be wrong.)
>
> Both server-side and client-side uses of OpenSSL are threatened by this
> bug.
>
>
> The major distros have rushed out new packages already. You know what
> to do!
>
>
>
--
*~the quieter you become, the more you are able to hear...*
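Added example, not the post's or OpenSSL's own code: a hypothetical, much-simplified handshake state machine showing the check the quoted post describes, a ChangeCipherSpec accepted only once the key exchange has completed, beside a lenient variant that takes it at any time and so switches the record layer before any shared secret exists. The message names, states and the weak_keys flag are simplifications assumed for illustration, not TLS's real message set.

```c
#include <stdbool.h>
#include <stdio.h>
/* Hypothetical, simplified handshake model (not OpenSSL's code, not the full TLS
 * message set) that exists only to show where the ChangeCipherSpec check belongs. */
enum hs_state { HS_INIT, HS_HELLO_DONE, HS_KEYS_READY, HS_FINISHED };
enum msg { MSG_HELLO, MSG_KEY_EXCHANGE, MSG_CCS, MSG_FINISHED };
/* strict: reject an out-of-order CCS; cipher_active: a CCS has switched the record
 * layer; weak_keys: the switch happened before any shared secret existed. */
struct endpoint { bool strict; enum hs_state state; bool cipher_active; bool weak_keys; };

/* Returns 0 if the message is accepted, -1 if the endpoint must abort. */
int handle_message(struct endpoint *ep, enum msg m)
{
    switch (m) {
    case MSG_HELLO:
        if (ep->state != HS_INIT) return -1;
        ep->state = HS_HELLO_DONE; return 0;
    case MSG_KEY_EXCHANGE:
        if (ep->state != HS_HELLO_DONE) return -1;
        ep->state = HS_KEYS_READY; return 0;
    case MSG_CCS:
        /* The only legitimate moment for a CCS: key exchange done, not yet switched. */
        if (ep->state != HS_KEYS_READY || ep->cipher_active) {
            if (ep->strict) return -1;   /* hardened: abort the handshake */
            ep->weak_keys = true;        /* lenient: the behaviour the post describes */
        }
        ep->cipher_active = true; return 0;
    case MSG_FINISHED:
        if (ep->state != HS_KEYS_READY || !ep->cipher_active) return -1;
        ep->state = HS_FINISHED; return 0;
    }
    return -1;
}

/* Runs a sequence on a fresh endpoint: 1 if the handshake completed, 0 if any
 * message was rejected; *weak_keys reports whether the key switch came too early. */
int run_handshake(bool strict, const enum msg *seq, int n, bool *weak_keys)
{
    struct endpoint ep = { strict, HS_INIT, false, false };
    for (int i = 0; i < n; i++)
        if (handle_message(&ep, seq[i]) != 0) { *weak_keys = ep.weak_keys; return 0; }
    *weak_keys = ep.weak_keys;
    return ep.state == HS_FINISHED;
}

int main(void)
{   /* Constructed sequence with a CCS injected before the key exchange. */
    const enum msg early[] = { MSG_HELLO, MSG_CCS, MSG_KEY_EXCHANGE, MSG_FINISHED };
    bool weak; int ok = run_handshake(false, early, 4, &weak);
    printf("lenient: completed=%d weak_keys=%d\n", ok, weak);
    printf("strict: completed=%d\n", run_handshake(true, early, 4, &weak));
    return 0;
}
```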