Openssl – heartbleed – Z0MG!!!

Okay – figured I better get this one out there.  If you have not heard, check out http://heartbleed.com/ for some details on it.  Basically OpenSSL, again…is broken.  For the CVE check out this link.  Here are the important notes:

  • OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
  • OpenSSL 1.0.1g is NOT vulnerable
  • OpenSSL 1.0.0 branch is NOT vulnerable
  • OpenSSL 0.9.8 branch is NOT vulnerable

I got hacked because of this – Now what???

Get it patched ASAP!  Remember to redo your keys ASAP, consider them compromised!

Am I going to get hacked cause I’m running 1.0.1abc(xxxxx)?

If I was a betting man – and you’ve got a public-facing device with this on it….I wouldn’t bet against it happening, how about that?  Bottom line – get this one patched ASAP – don’t waste time if you can avoid it.  If you can’t patch – recompile without the heartbeat extension (-DOPENSSL_NO_HEARTBEATS).

If you can’t do either of the above, make sure that your IDS/IPS is tuned to watch for TLS heartbeat messages.
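As an added example (not from the original post), here is the check an inspection tool can apply to a single raw TLS record: it is the same length test that OpenSSL 1.0.1g introduced, run over two constructed records. Record layout follows RFC 6520; the byte strings are constructed for the example, not captured traffic, and nothing is sent anywhere.

```python
import struct
from dataclasses import dataclass

# TLS record content type and heartbeat message types from RFC 6520.
TLS_HEARTBEAT = 24
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16  # RFC 6520: at least 16 bytes of padding must follow the payload


@dataclass
class HeartbeatVerdict:
    is_heartbeat: bool
    declared_payload_len: int = 0  # what the message claims to carry
    available_bytes: int = 0       # what the record actually holds after the 3-byte header
    malformed: bool = False        # True when the claim does not fit in the record


def inspect_tls_record(record: bytes) -> HeartbeatVerdict:
    """Apply the 1.0.1g length check to one raw TLS record (inspection only).

    A heartbeat whose declared payload_length (plus header and minimum padding)
    exceeds the record fragment is exactly what a patched OpenSSL discards; an
    IDS/IPS rule for this bug is looking for the same mismatch on the wire.
    """
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    content_type, _tls_version, frag_len = struct.unpack("!BHH", record[:5])
    if content_type != TLS_HEARTBEAT:
        return HeartbeatVerdict(is_heartbeat=False)
    fragment = record[5:5 + frag_len]
    if len(fragment) != frag_len or frag_len < 3:
        return HeartbeatVerdict(True, malformed=True)
    hb_type, declared = struct.unpack("!BH", fragment[:3])
    available = frag_len - 3
    bad_type = hb_type not in (HB_REQUEST, HB_RESPONSE)
    # The 1.0.1g fix: 1 (type) + 2 (length) + payload + 16 (padding) must fit the fragment.
    overflows = 1 + 2 + declared + MIN_PADDING > frag_len
    return HeartbeatVerdict(True, declared, available, bad_type or overflows)


# Constructed sample records (TLS 1.1 = 0x0302), not captured traffic.
# Well-formed request: 4-byte payload + 16 bytes padding => fragment length 23.
GOOD_RECORD = (bytes.fromhex("18 0302 0017") + bytes([HB_REQUEST])
               + struct.pack("!H", 4) + b"ping" + b"\x00" * 16)
# Malformed request: claims 64 bytes of payload but the fragment holds only the header.
BAD_RECORD = bytes.fromhex("18 0302 0003") + bytes([HB_REQUEST]) + struct.pack("!H", 64)

if __name__ == "__main__":
    for name, rec in (("good", GOOD_RECORD), ("bad", BAD_RECORD)):
        print(name, inspect_tls_record(rec))
```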

I normally don’t jump on this stuff but this is pretty hot and there is no reason not to at least recompile – while there are no known documented cases of exploits, it doesn’t mean it hasn’t happened – it just means no one has admitted it yet.

Stay safe out there kids and remember…

Don’t Panic

About Matthew

I'm the owner of impromptu-it, an IT engineer and enthusiast!