Okay, figured I better get this one out there. If you have not heard, check out http://heartbleed.com/ for some details on it. Basically OpenSSL, again, is broken. For the CVE (CVE-2014-0160) check out this link. Here are the important notes:
- OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
- OpenSSL 1.0.1g is NOT vulnerable
- OpenSSL 1.0.0 branch is NOT vulnerable
- OpenSSL 0.9.8 branch is NOT vulnerable
I got hacked because of this – Now what???
Get it patched ASAP! Then regenerate your private keys and reissue (and revoke) the certificates, and consider the old ones compromised. Do the rekey after the patch, not before: a new key installed on a still-vulnerable build can be leaked the same way. Session cookies and passwords that passed through the vulnerable server should be rotated too.
Am I going to get hacked because I'm running 1.0.1abc(xxxxx)?
If I was a betting man, and you've got a public-facing device with this on it, I wouldn't bet against it happening, how about that? Bottom line: get this one patched ASAP, don't waste time if you can avoid it. If you can't patch, recompile OpenSSL with heartbeats disabled by passing -DOPENSSL_NO_HEARTBEATS to ./config; that compiles the vulnerable code path out entirely.
If you can't do either of the above, at least make sure your IDS/IPS has signatures for abusive TLS heartbeat requests (a heartbeat record whose declared payload length is larger than what the record actually carries), and watch for bursts of heartbeat records from hosts that never sent any before.
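As an added example (not code from the original post), the following Python applies both the version ranges quoted above and the bounds check that OpenSSL 1.0.1g added, run over constructed TLS records the way an IDS signature would. RFC 6520 lays a heartbeat message out as a 1-byte type, a 2-byte payload_length, the payload, and at least 16 bytes of padding, so a well-formed message always satisfies 1 + 2 + payload_length + 16 <= record length; a request that claims more payload than the record carries is the attack. The sample records (BENIGN, ATTACK, ATTACK_SMALL, APPDATA) are constructed for the example, not captured traffic. Caveat built into the version helper: distributions such as Debian, Ubuntu and Red Hat backported the fix without bumping the version letter, so a "1.0.1e" reported by a package can already be patched and the string alone is not proof.

```python
"""Heartbleed (CVE-2014-0160) triage helpers. Added example, not the post's own code."""
import re
import struct

TLS_HEARTBEAT = 0x18                 # TLS ContentType for heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16                     # RFC 6520: padding_length >= 16

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)")


def vulnerable_openssl_version(version: str) -> bool:
    """True when an upstream OpenSSL version string is in 1.0.1 .. 1.0.1f.

    Distro builds backport fixes without changing the letter, so True means
    "go check the package changelog or build date", not "confirmed vulnerable".
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    major, minor, fix, letter = m.groups()
    if (major, minor, fix) != ("1", "0", "1"):
        return False                 # 1.0.0 and 0.9.8 never shipped heartbeats
    return letter <= "f"             # "" (plain 1.0.1) through "f"; "g" is fixed


def inspect_heartbeat(body: bytes) -> dict:
    """Apply the 1.0.1g bounds check to the body of one heartbeat record."""
    if len(body) < 3:
        return {"verdict": "malformed", "claimed": None, "actual": len(body)}
    hb_type, claimed = struct.unpack("!BH", body[:3])
    needed = 1 + 2 + claimed + MIN_PADDING
    result = {"type": hb_type, "claimed": claimed, "actual": len(body)}
    if needed > len(body):
        result["verdict"] = "attack"     # peer would copy memory past the record
    elif hb_type not in (HB_REQUEST, HB_RESPONSE):
        result["verdict"] = "malformed"
    else:
        result["verdict"] = "ok"
    return result


def scan_tls_stream(data: bytes) -> list:
    """Walk the TLS records in `data`; return one alert string per bad heartbeat."""
    alerts, off = [], 0
    while off + 5 <= len(data):
        ctype, _version, length = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]   # truncated records are inspected as-is
        if ctype == TLS_HEARTBEAT:
            r = inspect_heartbeat(body)
            if r["verdict"] != "ok":
                alerts.append(
                    f"offset {off}: heartbeat {r['verdict']} "
                    f"(claimed payload {r['claimed']}, record body {r['actual']} bytes)"
                )
        off += 5 + length
    return alerts


def _record(ctype: int, body: bytes) -> bytes:
    """Build a TLS record header (type, version 3.2, length) around `body`."""
    return struct.pack("!BHH", ctype, 0x0302, len(body)) + body


# Constructed sample traffic for the example (not captured from a real host).
BENIGN = _record(TLS_HEARTBEAT, struct.pack("!BH", HB_REQUEST, 5) + b"hello" + b"\x00" * 16)
# Claims 0x4000 bytes of payload but carries none: the well-known attack shape.
ATTACK = _record(TLS_HEARTBEAT, struct.pack("!BH", HB_REQUEST, 0x4000))
# Subtler: claims 100 bytes, carries 10 plus correctly sized padding.
ATTACK_SMALL = _record(TLS_HEARTBEAT, struct.pack("!BH", HB_REQUEST, 100) + b"A" * 10 + b"\x00" * 16)
APPDATA = _record(0x17, b"not a heartbeat at all")

if __name__ == "__main__":
    for v in ("1.0.1e", "1.0.1g", "1.0.0m", "0.9.8y"):
        print(v, "in vulnerable range" if vulnerable_openssl_version(v) else "not vulnerable upstream")
    for alert in scan_tls_stream(APPDATA + BENIGN + ATTACK + ATTACK_SMALL):
        print(alert)
```

The check in `inspect_heartbeat` is the same arithmetic the 1.0.1g patch added before the memcpy; encoding it as an IDS rule is the compensating control when you cannot patch or rebuild, though a rule only sees plaintext heartbeats on the wire before the handshake completes, so treat it as a tripwire, not a fix.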
I normally don't jump on this stuff, but this is pretty hot and there is no reason not to at least recompile. While there are no known documented cases of exploits, it doesn't mean it hasn't happened; it just means no one has admitted it yet.
Stay safe out there kids and remember…