Openssl – heartbleed – Z0MG!!!

Okay – figured I better get this one out there.  If you have not heard, check out some details on it.  Basically OpenSSL, again… is broken.  For the CVE check out this link.  Here are the important notes:

  • OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
  • OpenSSL 1.0.1g is NOT vulnerable
  • OpenSSL 1.0.0 branch is NOT vulnerable
  • OpenSSL 0.9.8 branch is NOT vulnerable

I got hacked because of this – Now what???

Get it patched ASAP!  Remember to redo your keys ASAP, consider them compromised!

Am I going to get hacked because I’m running 1.0.1abc(xxxxx)?

If I was a betting man – and you’ve got a public-facing device with this on it… I wouldn’t bet against it happening, how about that?  Bottom line – get this one patched ASAP – don’t waste time if you can avoid it.  If you can’t patch, recompile with the heartbeat extension disabled (-DOPENSSL_NO_HEARTBEATS).

If you can’t do either of the above, make sure that you train your IDS/IPS to monitor for TLS heartbeat messages.
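As an added example (not from the original post), here is the kind of check such an IDS rule performs: it splits a byte stream into TLS records and flags heartbeat records whose declared payload length does not fit inside the record, which is the same bound the patched OpenSSL enforces before replying. The sample records are constructed for this example, not taken from a real capture.

```python
import struct

TLS_HEARTBEAT = 24        # record content type for the heartbeat extension (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
HB_HEADER_LEN = 3         # 1-byte type + 2-byte payload_length
MIN_PADDING = 16          # RFC 6520: at least 16 bytes of padding after the payload

# Constructed sample traffic for this example: an application-data record, a
# well-formed heartbeat request, and a heartbeat request whose declared
# payload length (64) exceeds what the record actually carries (0 bytes).
BENIGN_HB = b"\x18\x03\x02\x00\x17" + b"\x01\x00\x04" + b"ping" + b"\x00" * 16
OVERSIZED_HB = b"\x18\x03\x02\x00\x03" + b"\x01\x00\x40"
APP_DATA = b"\x17\x03\x02\x00\x05" + b"hello"
SAMPLE = APP_DATA + BENIGN_HB + OVERSIZED_HB


def parse_tls_records(data):
    """Split a byte stream into (content_type, version, body) TLS records."""
    records, off = [], 0
    while off + 5 <= len(data):
        ctype, ver, length = struct.unpack("!BHH", data[off:off + 5])
        records.append((ctype, ver, data[off + 5:off + 5 + length]))
        off += 5 + length
    return records


def check_heartbeat(body):
    """Return a finding for a suspicious heartbeat body, or None if it is consistent."""
    if len(body) < HB_HEADER_LEN:
        return "truncated heartbeat header"
    hb_type, payload_len = struct.unpack("!BH", body[:HB_HEADER_LEN])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return "unknown heartbeat type %d" % hb_type
    # Same bound the 1.0.1g fix enforces: type + length + payload + padding
    # must fit inside the record, otherwise the responder reads past it.
    available = len(body) - HB_HEADER_LEN
    if payload_len + MIN_PADDING > available:
        return "declared payload %d exceeds record body %d" % (payload_len, available)
    return None


def scan(data):
    """Return findings for every heartbeat record in the stream that fails the check."""
    findings = []
    for ctype, _ver, body in parse_tls_records(data):
        if ctype == TLS_HEARTBEAT:
            finding = check_heartbeat(body)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE):
        print("ALERT:", f)
```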

I normally don’t jump on this stuff, but this is pretty hot and there is no reason not to at least recompile.  While there are no known documented cases of exploits, that doesn’t mean it hasn’t happened – it just means no one has admitted it yet.

Stay safe out there kids and remember…


About Matthew

I'm the owner of impromptu-it, an IT engineer and enthusiast!