Threat Level: green Handler on Duty: Daniel Wesemann

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

OpenSSL Rampage

Published: 2014-04-21
Last Updated: 2014-04-21 13:19:47 UTC
by Daniel Wesemann (Version: 1)
1 comment(s)

OpenSSL, in spite of its name, isn't really a part of the OpenBSD project. But as one of the more positive results of the recent Heartbleed fiasco, the OpenBSD developers, who are known for their focus on readable and secure code, have now started a full-scale review and cleanup of the OpenSSL codebase.

If you are interested in writing secure code in C (not necessarily a contradiction in terms), I recommend you take a look at http://opensslrampage.org/archive/2014/4, where the OpenBSD-OpenSSL diffs and code changes are coming in fast, and are often accompanied by cynical but instructive comments. As one poster put it, "I don't know if I should laugh or cry". The good news though definitely is that the OpenSSL code is being looked at, carefully and expertly, and everyone will be better off for it.

1 comment(s)
ISC StormCast for Monday, April 21st 2014 http://isc.sans.edu/podcastdetail.html?id=3943

Heartbleed hunting

Published: 2014-04-21
Last Updated: 2014-04-21 01:19:25 UTC
by Pedro Bueno (Version: 1)
1 comment(s)

Yes, I know that by now you are really tired of hear and read about Heartbleed. You probably already got all testing scripts and tools and are looking on your network for vulnerable servers. 

I was just playing with the Shodan transformer for Maltego and looking for some specific versions of OpenSSL. The results are not good...

Somethings to keep in mind when checking your network is that the tools may not detect all vulnerable hosts since they may be buggy themselves :)

According some research, one of the first scripts released to test the vulnerability, and that most of people still use to identify vulnerable servers contains some bugs that may not detect correctly the vulnerable servers.

The heartbeat request generated on the proof of concept script is:

18 03 02 00 03 01 40 00 <-- the bold bytes basically tell the server to use TLS 1.1, so if the server only supports TLS 1.0 or TLS 1.2 it won't work. Of course that 1.0 and 1.2 are not widely used, so the chance of you having it on your network is small, but still, there is a chance. 

Early last week, while testing different online and offline tools, I also came across different results, so you may want to use different tools on your check.

Network signatures may also provide additional check to help you identify vulnerable hosts. Again there is a chance of False Positives, but it is worth to provide you with more info on your checks.

Snort signatures and network parses for products like Netwitness can also be very effective to detect not only when an exploit was used against your hosts, but most importantly, when your vulnerable host provided information back (the leaked info). 

Happy hunting to you because the bad guys are already hunting!

--------------------

Pedro Bueno (pbueno /%%/ isc. sans. org)
Twitter: http://twitter.com/besecure

Keywords: heartbleed
1 comment(s)
Diary Archives