Jump to content


realmic

Member Since 14 Feb 2014
Offline Last Active 07 Mar 2024 13:09
-----

Topics I've Started

OpenPLi 4 and OpenSSL (CVE-2014-0160) Heartbleed [SECURITY-ALERT!]

9 April 2014 - 19:23

Hello OpenPLi-Developers,


the current OpenPLi 4 image used OpenSSL 1.0.1e per default and now OpenWebIf (https), OpenSSH ,Dropbear(?), OpenVPN, every software uses these ssl libraries are in great danger!

 

I know, that a Linux receiver isn't a high secure server, but I think most users have remote access enabled and we should update OpenSSL to version 1.0.1g asap!

tux@vuduo2:~# openssl version
OpenSSL 1.0.1e 11 Feb 2013


tux@vuduo2:~# opkg list-installed
libssl0.9.8 - 0.9.8x-r15.0
libssl1.0.0 - 1.0.1e-r15.0
openssl - 1.0.1e-r15.0
openssl-conf - 1.0.1e-r15.0

python-pyopenssl - 0.13-r1

 

 

I have collected all important infos plus test tools here:

 

The Heartbleed Bug
http://heartbleed.com

 


OpenSSL Security Advisory [07 Apr 2014]
========================================

TLS heartbeat read overrun (CVE-2014-0160)
==========================================

A missing bounds check in the handling of the TLS heartbeat extension can be
used to reveal up to 64k of memory to a connected client or server.

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including
1.0.1f and 1.0.2-beta1.

Thanks for Neel Mehta of Google Security for discovering this bug and to
Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
preparing the fix.

Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately
upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

1.0.2 will be fixed in 1.0.2-beta2.

SOURCE: https://www.openssl....dv_20140407.txt
https://cve.mitre.or...e=CVE-2014-0160



[Test-Tools]

 

Web: heartbleed test
http://possible.lv/tools/hb/

 

Python-Script: OpenSSL heartbeat PoC with STARTTLS support
https://gist.github....eshixx/10107280

hb-test.py

 


------------------------------------------------------------------------------------

[OpenPLi 4 - OpenWebIf]
tux@vuduo2:~# opkg list-installed
enigma2-plugin-extensions-openwebif - 0.1+git613+19efb31-r7.72

 

 

OpenWebIf and HTTPS is active:

https://vuduo2.local

hb-test.py vuduo2.local

Connecting...
Sending Client Hello...
Waiting for Server Hello...
 ... received message: type = 22, ver = 0302, length = 58
 ... received message: type = 22, ver = 0302, length = 483
 ... received message: type = 22, ver = 0302, length = 4
Sending heartbeat request...
 ... received message: type = 24, ver = 0302, length = 16384
Received heartbeat response:
  0000: 02 40 00 D8 03 02 53 43 5B 90 9D 9B 72 0B BC 0C  .@....SC[...r...
..
  3ff0: 0F 03 00 00 10 60 86 02 2E 00 00 00 00 00 00 00  .....`..........

WARNING: server returned more data than it should - server is vulnerable!


[OpenPLi 4 - OpenSSH]
tux@vuduo2:~# ssh -V
OpenSSH_6.4p1, OpenSSL 1.0.1e 11 Feb 2013


[OpenPLi 4 - OpenVPN]
tux@vuduo2:~# opkg list-installed
openvpn - 2.3.2-r0

Info: OpenVPN 2.3.3 Update is available!
https://community.op...ngesInOpenvpn23




Best regards
Michael