vBWarez - Rest In Peace

Heartbleed and vBWarez



  • Admin
I would recommend anyone update their account password, as well as their emails.

OpenSSL was installed on this server, so just in case something bad happened here as well, be careful and update stuff!



[quote name='THN']



[LEFT] [CENTER] [URL="http://1.bp.blogspot.com/-3SCoP4FOfiE/U0RKMR7pksI/AAAAAAAAbHo/1YEQztc6eEw/s1600/OpenSSL-Heartbleed-vulnerability-CVE-2014-0160.png"][IMG]http://1.bp.blogspot.com/-3SCoP4FOfiE/U0RKMR7pksI/AAAAAAAAbHo/1YEQztc6eEw/s728/OpenSSL-Heartbleed-vulnerability-CVE-2014-0160.png[/IMG][/URL][/CENTER]
Those who are running their web server with OpenSSL 1.0.1 through 1.0 are advised that it is significantly important to update to OpenSSL 1.0.1g immediately or as soon as possible.


As of this afternoon, an extremely critical programming flaw in OpenSSL has been discovered that apparently exposed the cryptographic keys and private data of some of the most important sites and services on the Internet.


The bug was independently discovered by security firm [I][URL="http://www.codenomicon.com/"]Codenomicon[/URL][/I] along with a Google Security engineer. The flaw is in the popular OpenSSL cryptographic software library and its weakness allows cyber criminals to steal the information protected, under normal conditions, by the SSL (Secure Sockets Layer) or TLS (Transport Security Layer) [URL="http://thehackernews.com/search/label/encryption"]encryption[/URL] used to secure the Internet.


OpenSSL is an open-source implementation of the SSL and TLS protocols. The core library implements the basic cryptographic functions that enable SSL and TLS encryption. Almost every website uses either SSL or TLS; even the Apache web server, which powers almost half of the websites on the Internet, utilizes OpenSSL.

[/LEFT]



[B]HEARTBLEED BUG[/B]
The discoverer of the vulnerability dubbed the bug as ‘[I][URL="http://heartbleed.com/"]Heartbleed bug[/URL][/I]’, as the exploit rests on a bug in the implementation of OpenSSL’s TLS/DTLS (transport layer security protocols) heartbeat extension (RFC6520).


This critical bug, with code ID [I]CVE-2014-0160[/I], could allow an attacker to expose up to 64kB of memory from the server or a connected client computer running a vulnerable version of the OpenSSL software. Specifically, this means that an attacker can steal keys, passwords and other private information remotely.


“[I]We have tested some of our own services from attacker’s perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, usernames and passwords, instant messages, emails and business critical documents and communication[/I].”


The [URL="http://thehackernews.com/search/label/Vulnerability"]vulnerability[/URL] in the OpenSSL’s transport layer security (TLS) protocols’ heartbeat section has been in the wild since March 2012 and is supposed to be even more dangerous than [URL="http://thehackernews.com/2014/02/apples-ssl-vulnerability-may-allowed.html"]Apple’s recent SSL bug[/URL], which outcropped the possibility for man-in-the-middle (MitM) attacks.


The Heartbleed bug reveals encryption keys that could lead to other compromises, affects past traffic and may affect as much as 66 percent of websites on the Internet. 10 out of the top 1000 sites are vulnerable to this flaw, including Yahoo Mail, LastPass and the FBI site. There is also a proof-of-concept exploit for the flaw [URL="https://gist.github.com/takeshixx/10107280"]posted on GitHub[/URL]. On this [URL="http://filippo.io/Heartbleed/"]website[/URL], you can check whether your web server is vulnerable or not.


"[I]Bugs in single software or library come and go and are fixed by new versions,[/I]" the researchers who discovered the vulnerability wrote in a blog post published Monday. "[I]However this bug has left a large amount of private keys and other secrets exposed to the Internet. Considering the long exposure, ease of exploitation and attacks leaving no trace this exposure should be taken seriously.[/I]"


Fixes for the bug have been released by the researchers. So, those who are running the OpenSSL 1.0.1f version may update to [URL="http://www.openssl.org/"]OpenSSL 1.0.1g[/URL]. Users running older versions of OpenSSL are safe.
[/quote]
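To make the article's "up to 64kB of memory" concrete, here is an added example that is not part of the original post and not OpenSSL's own code. It models an RFC 6520 heartbeat request in a small in-process "arena": a handler that trusts the peer-supplied payload length echoes bytes that lie beyond the record (here, a constructed secret placed next to it), while the fixed handler first checks that the claimed payload plus header and minimum padding fits inside the record the TLS layer actually received, which is the shape of the bounds check OpenSSL 1.0.1g added. The record layout constants, the arena, the secret string and all function names are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of an RFC 6520 heartbeat request as it sits in a TLS record:
 * 1-byte type, 2-byte big-endian payload_length, payload, >= 16 bytes padding.
 * Everything here is constructed for this example; it is not OpenSSL code. */
#define HB_REQUEST  1
#define HB_MIN_PAD  16
#define ARENA_SIZE  256

/* "Process memory": the received record is placed at the start of the arena,
 * and a constructed secret is placed right after it, like adjacent heap data. */
static unsigned char arena[ARENA_SIZE];
static const char secret[] = "SECRET:session-cookie=deadbeef";   /* constructed */

/* Write a heartbeat record into the arena. claimed_len is what the peer puts in
 * the length field; actual_payload is what it really sends. Returns the true
 * record length, which the TLS layer knows from the record header. */
static size_t build_record(uint16_t claimed_len, const char *actual_payload) {
    size_t plen = strlen(actual_payload);
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + 3, actual_payload, plen);
    size_t record_len = 3 + plen + HB_MIN_PAD;         /* padding stays zero */
    memcpy(arena + record_len, secret, sizeof secret);  /* secret follows the record */
    return record_len;
}

static uint16_t claimed_length(void) {
    return (uint16_t)((arena[1] << 8) | arena[2]);
}

/* Vulnerable handler: trusts the peer-supplied length and echoes that many
 * bytes starting at the payload, reading past the end of the record. The cap
 * only keeps this model inside the arena; real memory has no such guard. */
static size_t hb_echo_vulnerable(unsigned char *out) {
    size_t n = claimed_length();
    if (n > ARENA_SIZE - 3) n = ARENA_SIZE - 3;
    memcpy(out, arena + 3, n);
    return n;
}

/* Fixed handler: the claimed payload plus header and minimum padding must fit
 * inside the record the TLS layer actually received; otherwise discard it.
 * This is the shape of the bounds check that OpenSSL 1.0.1g added. */
static int hb_echo_fixed(size_t record_len, unsigned char *out, size_t *out_len) {
    if (record_len < 1 + 2 + HB_MIN_PAD) return -1;
    size_t n = claimed_length();
    if (1 + 2 + n + HB_MIN_PAD > record_len) return -1;
    memcpy(out, arena + 3, n);
    *out_len = n;
    return 0;
}

/* Does the echoed buffer contain the secret that was never part of the request? */
static int contains_secret(const unsigned char *buf, size_t len) {
    size_t slen = strlen(secret);
    for (size_t i = 0; i + slen <= len; i++)
        if (memcmp(buf + i, secret, slen) == 0) return 1;
    return 0;
}

/* 1 if the vulnerable handler leaks the secret for a request that claims
 * `claimed` bytes but really carries `payload`, else 0. */
int vulnerable_leaks(uint16_t claimed, const char *payload) {
    unsigned char out[ARENA_SIZE];
    build_record(claimed, payload);
    size_t n = hb_echo_vulnerable(out);
    return contains_secret(out, n);
}

/* Number of bytes the fixed handler echoes, or -1 if it discards the record. */
long fixed_echo_len(uint16_t claimed, const char *payload) {
    unsigned char out[ARENA_SIZE];
    size_t record_len = build_record(claimed, payload);
    size_t n = 0;
    if (hb_echo_fixed(record_len, out, &n) != 0) return -1;
    return (long)n;
}

int main(void) {
    printf("honest request (claims 2, sends 2): vulnerable leaks=%d, fixed echoes=%ld\n",
           vulnerable_leaks(2, "hi"), fixed_echo_len(2, "hi"));
    printf("lying request (claims 65535, sends 2): vulnerable leaks=%d, fixed echoes=%ld\n",
           vulnerable_leaks(65535, "hi"), fixed_echo_len(65535, "hi"));
    return 0;
}
```

The honest request is answered identically by both handlers; the request whose length field lies is answered with adjacent memory by the first and silently dropped by the second. Note that the fixed handler rejects a claim that is even one byte larger than what was sent, and that the check is against the record length the transport layer already knows, not against anything the peer supplied. When auditing a host, also keep in mind that some distributions backport the fix without changing the reported 1.0.1x version string, so the package changelog, not the version number alone, tells you whether a given build is patched.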
I'd just add:
If you use Cloudflare and are on shared hosting, don't worry if your host does not make this upgrade.
Cloudflare says:

You're protected from the Heartbleed vulnerability because you have CloudFlare turned on for your website. We fixed the flaw on March 31 for all CloudFlare customers, a week before it was publicly announced.

Heartbleed (CVE-2014-0160, [URL]http://www.openssl.org/[/URL]) is a flaw in OpenSSL, encryption software used by the vast majority of websites to protect sensitive information. This vulnerability in OpenSSL allows an attacker to reveal up to 64KB of memory to a connected client or server. This flaw could expose sensitive data such as passwords or usernames - even when you thought it was encrypted.

NO IMPACT ON CLOUDFLARE SERVICE. Our team has conducted a comprehensive security review to ensure our customers were not impacted. One concern is that an attacker had access to the exploit before March 31 since the flaw was present since December 2011. We've seen no evidence of this, but we're proceeding as if it is a possibility.

PRIVATE KEY DATA. Our security and cryptographic team has been testing the possibility that private SSL key data may have been retrieved. We have been unable to replicate a situation where private SSL key data would leak. We have set up a challenge to see if others can exploit the bug. See more information on our blog:

[URL]http://blog.cloudflare.com/answering-the-critical-question-can-you-get-private-ssl-keys-using-heartbleed[/URL]

But if you have your own server and use Cloudflare, it's better that you upgrade, because we can still access your server directly via its real IP rather than the IP of the domain name (multiple domains).