[nSLUG] Nasty zero day vulnerability in openssl CVE-2014-0160

Mike Doherty mike at mikedoherty.ca
Tue Apr 8 20:59:35 ADT 2014


If you're vulnerable, recovery requires more than patching. It requires:
 - upgrading OpenSSL
 - restarting all services linked against OpenSSL
 - replacing private keys for any TLS services (You remembered your HTTP
server, but did you remember to update your email server's key? IRC? etc...)
 - changing any secondary secrets that might've been compromised, such
as your users' web application passwords (must be done /after/ closing
the heartbleed hole)

Note that CCIRC's bulletin (which is bizarrely listed at the "advisory"
level, rather than the more serious "alert") is utterly deficient at
actually fixing the problem:
http://www.publicsafety.gc.ca/cnt/rsrcs/cybr-ctr/2014/av14-017-eng.aspx

You should consider using perfect forward secrecy if you don't already
do so. Without PFS, any traffic over the past 2 years (since the bug was
introduced into OpenSSL) can be decrypted if the private key is
compromised today. With PFS, that's not the case.

-Mike Doherty


On 14-04-08 08:29 PM, D G Teed wrote:
> In case anyone has not heard of it yet, there is a nasty
> vulnerability in openssl requiring immediate patching.
> 
> http://heartbleed.com/
> 
> Read the site for more information.
> 
> As the bug has been out for two years, it is also
> suggested to regenerate SSL keys including the private key.
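The "restart all services linked against OpenSSL" step above is the one most often missed: upgrading the package replaces the file on disk, but every daemon that was already running keeps the old, vulnerable copy mapped until it is restarted. The following is an added example, not code from this thread, that lists processes still mapping a deleted libssl or libcrypto on Linux. It assumes /proc is mounted; the PROC_ROOT variable is an assumption that exists only so the check can be pointed at a constructed tree.

```shell
#!/bin/sh
# Find processes that still map an OLD (deleted) libssl/libcrypto after an
# OpenSSL package upgrade. The kernel tags such mappings "(deleted)" in
# /proc/<pid>/maps, so a patched library on disk is not proof the daemon is
# patched. Assumes Linux with /proc; PROC_ROOT is overridable for testing.

PROC_ROOT="${PROC_ROOT:-/proc}"

# Print "<pid> <library path>" for each process whose mappings reference a
# deleted libssl or libcrypto. Returns 1 if any were found, 0 if none.
stale_openssl_pids() {
    found=0
    for maps in "$PROC_ROOT"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps%/maps}
        pid=${pid##*/}
        # maps columns: address perms offset dev inode pathname [(deleted)]
        # Keep unique deleted libssl/libcrypto paths (field 6) for this pid.
        libs=$(grep -E 'lib(ssl|crypto)[^ ]*\.so[^ ]* \(deleted\)' "$maps" 2>/dev/null \
               | awk '{print $6}' | sort -u)
        [ -n "$libs" ] || continue
        for lib in $libs; do
            printf '%s %s\n' "$pid" "$lib"
        done
        found=1
    done
    return "$found"
}

# Stand-alone run: report what still needs a restart (or a reboot).
if stale_openssl_pids; then
    echo "No running process maps a deleted libssl/libcrypto."
else
    echo "Restart the processes listed above to drop the old OpenSSL copy."
fi
```

Run it after the upgrade and again after restarting services; an empty result is the condition to reach before moving on to key replacement and password resets.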