[nSLUG] Nasty zero day vulnerability in openssl CVE-2014-0160
mike at mikedoherty.ca
Tue Apr 8 20:59:35 ADT 2014
If you're vulnerable, recovery requires more than patching. It requires:
- upgrading OpenSSL
- restarting all services linked against OpenSSL
- replacing private keys for any TLS services (You remembered your HTTP
server, but did you remember to update your email server's key? IRC? etc...)
- changing any secondary secrets that might've been compromised, such
as your users' web application passwords (must be done /after/ closing
the heartbleed hole)
Note that CCIRC's bulletin (which is bizarrely listed at the "advisory"
level, rather than the more serious "alert") is utterly deficient at
actually fixing the problem:
You should consider using perfect forward secrecy if you don't already
do so. Without PFS, any traffic over the past 2 years (since the bug was
introduced into OpenSSL) can be decrypted if the private key is
compromised today. With PFS, that's not the case.
On 14-04-08 08:29 PM, D G Teed wrote:
> In case anyone has not heard of it yet, there is a nasty
> vulnerability in openssl requiring immediate patching.
> Read the site for more information.
> As the bug has been out for two years, it is also
> suggested to regenerate SSL keys including the private key.
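Added example for the recovery checklist and the forward-secrecy point in Mike's
message above; this is not code from the original post or from the nSLUG list.
The version table is the upstream one (1.0.1 through 1.0.1f and 1.0.2-beta1), the
/proc/maps scan and cipher parsing rely on the "(deleted)" marker and on the
"Kx=" column of `openssl ciphers -v`, and every sample input below is constructed
so the checks run offline. The function names and the sample PIDs are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Helpers for the post-Heartbleed
# checklist: version check, "who still has the old libssl mapped", forward
# secrecy audit, and a fresh key. All sample inputs are constructed.

# 1. Version check. Affected upstream versions are 1.0.1 through 1.0.1f and
#    1.0.2-beta1. Caveat: distributions backport the fix without changing the
#    version string, so "affected" means "check the package changelog for
#    CVE-2014-0160 before trusting the number".
heartbleed_version_affected() {
    # $1 is the full output of `openssl version`, e.g. "OpenSSL 1.0.1e 11 Feb 2013"
    set -- $1
    case "$2" in
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta1) return 0 ;;
        *) return 1 ;;
    esac
}

# 2. Which processes still run the pre-upgrade library? After the package
#    upgrade the old libssl/libcrypto file is unlinked but stays mapped by
#    running services, and /proc/<pid>/maps marks it "(deleted)".
#    Input lines are "<pid> <line from /proc/<pid>/maps>"; prints each pid once.
stale_libssl_pids() {
    awk '/lib(ssl|crypto)[^ ]*\.so.*\(deleted\)$/ { print $1 }' | sort -un
}

# Live input for stale_libssl_pids (Linux; run as root to see every process).
scan_proc_maps() {
    for p in /proc/[0-9]*; do
        pid=${p#/proc/}
        if [ -r "$p/maps" ]; then
            sed "s|^|$pid |" "$p/maps" 2>/dev/null
        fi
    done
}

# 3. Forward secrecy audit. Input is the output of `openssl ciphers -v '<string>'`;
#    prints every suite whose key exchange is not ephemeral (EC)DH ("any" is how
#    newer OpenSSL labels TLS 1.3 suites, which are always ephemeral). Sessions
#    negotiated with the printed suites are decryptable by anyone who later
#    obtains the server's RSA key, which is exactly the Heartbleed scenario.
non_pfs_ciphers() {
    awk '{ kx = ""; for (i = 1; i <= NF; i++) if ($i ~ /^Kx=/) kx = substr($i, 4) }
         kx != "ECDH" && kx != "DH" && kx != "any" { print $1 }'
}

# 4. Fresh key plus CSR for re-issuing a certificate; the old key is treated as
#    compromised and its certificate revoked. $1 is the hostname (assumed CN).
new_key_and_csr() {
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "/CN=$1" )
}

# Constructed sample inputs; shape follows real /proc maps and `openssl ciphers -v`.
sample_maps='1234 7f1c2a000000-7f1c2a1f0000 r-xp 00000000 08:01 393221 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
1234 7f1c2a400000-7f1c2a5f0000 r-xp 00000000 08:01 393210 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
2345 7f8e10000000-7f8e101f0000 r-xp 00000000 08:01 400001 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
3456 7f0000000000-7f00001f0000 r-xp 00000000 08:01 400002 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)'

sample_ciphers='ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
ECDH-RSA-AES128-SHA     SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(128)  Mac=SHA1'

# Walk-through on the samples. On a real box feed `openssl version`,
# `scan_proc_maps` and `openssl ciphers -v "$your_cipher_string"` instead.
heartbleed_recovery_report() {
    if heartbleed_version_affected "OpenSSL 1.0.1e 11 Feb 2013"; then
        echo "openssl: affected version string, verify the package changelog"
    fi
    echo "restart these PIDs (old libssl still mapped):"
    printf '%s\n' "$sample_maps" | stale_libssl_pids
    echo "cipher suites without forward secrecy:"
    printf '%s\n' "$sample_ciphers" | non_pfs_ciphers
}
```

The PID list is the part people skip: it is what turns "restart all services
linked against OpenSSL" into a concrete list (mail, IRC, database, anything that
dlopen'd libssl), and a reboot is the blunt equivalent. Rotating user passwords
only after the upgrade, restart and key replacement are done is the ordering the
message insists on, and this script does nothing to enforce it; that is still on
the operator.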