Open SSL Alert - June 11 Update HUGE vulnerability

Started by deanwebb, July 09, 2015, 10:10:45 AM

Previous topic - Next topic
Print
Go Down Pages1
User actions

deanwebb

July 09, 2015, 10:10:45 AM
https://threatpost.com/openssl-patches-critical-certificate-validation-vulnerability/113703

This is a big one: if you did an 11 June OpenSSL update, you need to take care NOW.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

NetworkGroover

#1
July 09, 2015, 02:07:08 PM
Thanks for the heads up - we started getting queries on this and found out we're not vulnerable.
Engineer by day, DJ by night, family first always

wintermute000

#2
July 10, 2015, 06:55:26 AM
WTF is wrong with openssl.

icecream-guy

#3
July 10, 2015, 07:21:36 AM Last Edit: July 10, 2015, 07:24:44 AM by ristau5741
I think they updated the March OpenSSL vulnerability just for you Dean...
Cisco Identity Services Engine (ISE)    CSCut46056    1.3.x (4-July-2015)
Hopefully you are running 2.0



BTW alot of the software fixes for the June OpenSSL are due late summer into fall.
:professorcat:

My Moral Fibers have been cut.

deanwebb

#4
July 10, 2015, 08:25:13 AM
We're running CounterACT for NAC, but there's a lot of NAC stuff that's equal headaches, no matter what the platform is, because of all the crazy crap that plugs into it.

I want to punch the guy that made it so we can't run full packet captures from an iPhone. Isn't it a crime to not allow a device on the network to run packet captures? Don't they have Rights of Things?
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

deanwebb

#6
July 13, 2015, 08:25:22 AM
Can we all just agree that, at this point, OpenSSL is now broker than hell?
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

Reggle

#7
July 14, 2015, 05:22:56 AM
Quote from: deanwebb on July 13, 2015, 08:25:22 AM
Can we all just agree that, at this point, OpenSSL is now broker than hell?
Agreed. But on the other hand, with the attention the software is getting now, I think it's likely to become the most secure encryption software of 2016.

deanwebb

#8
July 14, 2015, 11:22:44 AM
Quote from: Reggle on July 14, 2015, 05:22:56 AM
Quote from: deanwebb on July 13, 2015, 08:25:22 AM
Can we all just agree that, at this point, OpenSSL is now broker than hell?
Agreed. But on the other hand, with the attention the software is getting now, I think it's likely to become the most secure encryption software of 2016.
Well, that's what we hoped for 2015 with all the OpenSSL bugs from 2014...
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

Otanx

#9
July 14, 2015, 02:09:24 PM
Quote from: deanwebb on July 14, 2015, 11:22:44 AM
Quote from: Reggle on July 14, 2015, 05:22:56 AM
Quote from: deanwebb on July 13, 2015, 08:25:22 AM
Can we all just agree that, at this point, OpenSSL is now broker than hell?
Agreed. But on the other hand, with the attention the software is getting now, I think it's likely to become the most secure encryption software of 2016.
Well, that's what we hoped for 2015 with all the OpenSSL bugs from 2014...

The problem is what are you going to replace it with? Another fork of OpenSSL that will then never be audited, or updated? There are some serious concerns on the opensource model for a critical function like this, but I don't have a solution that is better. It will take people smarter than me to solve that problem.

-Otanx

AnthonyC

#10
July 15, 2015, 11:21:36 AM
Quote from: Otanx on July 14, 2015, 02:09:24 PM
Quote from: deanwebb on July 14, 2015, 11:22:44 AM
Quote from: Reggle on July 14, 2015, 05:22:56 AM
Quote from: deanwebb on July 13, 2015, 08:25:22 AM
Can we all just agree that, at this point, OpenSSL is now broker than hell?
Agreed. But on the other hand, with the attention the software is getting now, I think it's likely to become the most secure encryption software of 2016.
Well, that's what we hoped for 2015 with all the OpenSSL bugs from 2014...

The problem is what are you going to replace it with? Another fork of OpenSSL that will then never be audited, or updated? There are some serious concerns on the opensource model for a critical function like this, but I don't have a solution that is better. It will take people smarter than me to solve that problem.

-Otanx

LibreSSL should be a viable alternative; the developers are from the FreeBSD project and their vulnerability track records look better than OpenSSL.  It is actually the default SSL implementation for FreeBSD since last year.
"It can also be argued that DNA is nothing more than a program designed to preserve itself. Life has become more complex in the overwhelming sea of information. And life, when organized into species, relies upon genes to be its memory system."

wintermute000

#11
July 15, 2015, 05:13:11 PM Last Edit: July 16, 2015, 05:14:59 AM by wintermute000
Apparently the development community on this project is stuffed. I read a long thread  on it


http://arstechnica.com/civis/viewtopic.php?f=2&t=1240611&start=40




Sent from my SM-G920I using Tapatalk

Print
Go Up Pages1
User actions