Slashdot Mirror
OpenSSL Security Vulnerability
SiliconEntity writes "On the heels of multiple OpenSSH vulnerabilities,
the OpenSSL project is now reporting a number of security vulnerabilities of its own. OpenSSL is a standard cryptographic library used in a wide variety of security applications. The new vulnerabilities range from denial-of-service attacks to stack corruption, which imply the possibility of running malicious code. New versions of the software are released today which address the vulnerabilities."
thanks up2date :-)
thank goodness i use windows
we should patch in about a week from now when
the second round of patches come out.
fortunately I'm running something secure like telnet, those OpenSSH bugs never scare me...
The IT section color scheme sucks.
At least we find out when where vulnerable BEFORE the exploits start rolling out. I'm also yet to hear of Linux bringing the net to it's knees when some kid writes an e-mail virus.
Also, it took me less than a minute to patch my webserver. That's good design.
Waited for what, perfection?
In a Real World environment, "pretty safe" is a whole hell of a lot better than nothing. So long as flaws are fixed quickly after being identified, I don't see what the problem is.
If you want *real* security, you need an air gap. Otherwise, quit yer bitchin'.
Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
I got annoyed at the slashdot comments last time there was security hole in OpenSSH and wrote this page (copy pasted below). I count OpenSSL as insecure software - we need a secure replacement. GNUTLS looks somewhat better, but I don't trust it too much either.
Why is some software more secure than others?
How do you measure software security?
Here's my definition on what is secure software.
Intro
I get really tired of seeing these kinds of comments every time some widely used software has security holes:
While they may be partially true, I think they're also very misleading and disparages the hard work that some secure software authors have done.
Simplicity Is Security
The difference between secure and insecure software is really the coding techniques being used by it's authors. Authors of secure software do everything they can to prevent accidental mistakes from ever happening. Authors of insecure software just fixes the accidental mistakes. There are very few secure software authors.
Auditing insecure software doesn't make it secure. Sendmail is a good example of this. It's been audited countless times by competent people. The simplest mistakes were catched easily long time ago, but a few very difficult to find vulnerabilities were found only recently.
How do secure software authors then avoid the kind of security holes that are difficult to find? By keeping the code simple. The code doesn't get secure by polluting it with tons of security checks. It gets secure by keeping the security checks in as few places as possible.
Auditing secure software is easy. You can just quickly browse through most of the sources without having to stop and look at it carefully. Everything just looks clean, simple and correct. vsftpd is a good example of this.
Sure, it's still possible that secure software has some security holes occationally. It just happens a lot less often (if ever) and usually the problems are less critical. For example none of the security holes in Postfix have lead to arbitrary code execution or being able to read other peoples mails. Denial of Service attacks are nothing compared to them.
(some examples in the web page not included)
4. Due to an error in the SSL/TLS protocol handling, a server will parse a client certificate when one is not specifically requested. This by itself is not strictly speaking a vulnerability but it does mean that *all* SSL/TLS servers that use OpenSSL can be attacked using vulnerabilities 1, 2 and 3 even if they don't enable client authentication.
so i do think that it affects most users.
posted via lynx over openssh! w00t! w00t!
Oh, so that was your box...sorry about that.
Speaking at Defcon 12 - Credit Card Networks Revisted: Pen
I'm getting really sick of hearing...
"Just run Windows Update. It's easy!"
"Just run apt-get It's easy!"
I'd like to quit running updates every 15 seconds or so.
I'd prefer it was right the first time. I'm getting really tired of patching machines all over the place. I'm turning into a patch money. Test, patch, test, patch, test, patch - with an occasional sleep and eat thrown in occasionally.
No matter how easy Windows update is, it still has to get done. If MS does it for you, you'll worry about them breaking stuff. If you have to do it yourself, you worry you'll miss something, or break it yourself. Frankly, that sucks.
Cheers,
Greg
Most distributions do. With redhat you can subscribe to the redhat network, and with debian, its package manager, apt-get has this built in. Both of these however are dependant on the distro maintainers actually putting the new version in, and resolving dependancy issues that might arise.
On the other hand, unlike windows update you don't need to reboot every time you update something like this (the only time you ever need to boot is if you update the kernel).
Anyone got any suggestions where I can find updated rpms for a RH6.2 machine?
Other than compiling from source, that is. Or upgrading to a supported distro! I'm hoping to put off that day!
The real "Libtards" are the Libertarians!
New RPMs and RedHat's security advisory for for 7.1, 7.2, 7.3 and 8.0 can be found here.
> will we see another lazy-admin problem with this (and any) vulnerability in Open Source applications?
Lazy applies to admins, open-source applications, closed-source applications, make-up applications, partners in relationships, oil changes, bill-paying, laundry, dishes, dogs, eyeballs, and any other situation where not taking action is available as an option, which happens to be most situations. No fix for anything is any good if it goes unused.
> what good is an immediate bugfix if the admin isn't applying the patch?
That's rhetorical, I'm guessing.
> does Linux have a similar auto-update feature like in Windows
There are several, but most are not really like Windows. They are usually better. For example, if you run Debian or can use apt for rpm, run apt-get update && apt-get upgrade as a nightly cron job. But the admin still has to initially submit the job, and pick up the pieces when something breaks. Automagic patching can have side effects and certainly perpetuates the "someone else" problem. Besides, I like to watch the progress meter. Makes me feel useful.
Anyway, hire a new admin if the one you have can't be a verb as well as a noun.
If you call your product "open" SSL (or openssh for that matter), and occasionally people will discover it's Exactly What It Says On The Tin.
:)
Well it amused me anyway
pardon my ignorance, does Linux have a similar auto-update feature like in Windows (but with fewer bugs :) ?
No problem, after all no one's born knowing this stuff. :)
It seems most Linux distros have such a feature under various names, but they generally call home (or the nearest mirror site, or wherever you told it to look), and compare the list of updates there against the software installed on your machine. Then it gives you the opportunity to review the relevant updates individually, with explanations about what they fix, on a per-application basis before installing any or all of them as you like. Many distros have a nice GUI app for this.
There are generally no monolothic do-all updates like in Windows-land; you only D/L what you need and if you ever install another package later off CD, you only have to grab the latest update for that one package, the system stays up, no reboots required. Or just install from the web and have the latest to begin with.
I can only speak for Mandrake about bugs, but I've never seen a fatal one on my home box. It doesn't try to think for you much to begin with, it just tells you what your options are and awaits your input, so there's less room for error, more ability to back-out, etc. There have been a couple of instances where it's gotten dependencies wrong, some boolean flag reversed so patch A required that I install patch B, then B required that I NOT install A. This only happened once and it was corrected a few hours later. Aside from that it's been fine.
Hope that helps. Oh, yeah I forgot this is slashdot: RTFM. ;)
Also important is ease of updates for those of us that are semi-diligent.
For example, the two latest RPC patches (blaster and successor) have been mildly annoying to install. Sure, you just run MS's update tool, but I've found that about 20% of machines still read unpatched according to MS's security auditing tool. This makes it kindof a pain to ensure compliance.
After reapplying the patch six or seven times to some machines, our network is safe. That's kindof lame.
Similarly, the patch that would have prevented SQL Slammer was a collossal pain in the ass to install. Fortunately, we don't have any laptop users with SQL Server, so there was no potential infection vector on our network, and we had plenty of time to patch.
Deploying all the different Office VB patches is looking prohibitively difficult to me. It hasn't been exploited yet by a worm, but when it does... shit. I hope our AV is up to the task.
I guess MS Software Update Server is an absolute necessity. No two ways about it. Weird how it doesn't get more discussion.
Almost always, apt-get upgrade is cake. I'm just concerned about those times it breaks. Hopefully it can always be repaired manually. I've definitely run into snags with apt-get that were beyong my ability to repair. It was on a toy machine, so it might have had an unusual configuration, and it wasn't consequential.
Whether we're diligent or not, if patches are difficult enough it barely matters that the patch was released at all, in terms of worldwide impact.
There are no trails. There are no trees out here.
Let's get the Microsoft flamefest started!
Flamebait? More like the truth. Take a look at the rest of the posts in this story, especially the ones modded to 4 and 5. Microsoft flames, all.
Linux allocates physical memory pages on the fly, as you use them. Try this code. It allocates 256 megs on each run until you exit. How many times do you have to run it before it says malloc returns 0? How much more memory than you have (including swap) did it allocate?
This kind of thing happens with stacks as well. Memory on your stack is allocated on the fly as you use it. What happens when the kernel can't allocate a memory page when it is first accessed? It kills the process. hard. This means that user processes can steal resources and cause any number of root processes to die, just because they made a function call that required a larger stack.
This does have many security and dependability implications, as the original poster said. Most people do not know this and do not handle this case!
--jeff++
ipv6 is my vpn
Here is the dirt:
/etc/cron.daily that simply says:
RedHat RHN service:
$60 a year gets you two "entitlements" and they are $60 each afterward. You can change your entitlements to any computer as often as you want. I use one entitlement for just updating fresh installs, for instance. You can easily run a cron job by placing a script in
up2date -p
up2date -u
The -p updates their servers with all the supported packages you have installed(not necessary if you don't install anything or haven't since the last -p) and -u will update automatically. It is super easy and super cheap. There is one other big advantage.
You can NOT run a cron job and do updates from any computer using just a web browser. You log onto rhn.redhat.com then look at your computers. You can install new software, uninstall software, update systems, schedule reboots and more. I have remotely installed more than a few dozen kernel upgrades AND rebooted, with never one failure. I don't recommend remote booting ANY production box unless you like to live dangerously, however. I do tend to live dangerously.
It is highly cool, I have never seen it fail in almost 2 years, and very easy to do. You can opt for email notification if any box *needs* an update for security reasons, or not.
You can also ssh or telnet in and just run "up2date -u" and watch all the pretty # marks go by and update your computer. The download speeds are very good. In addition, you get premium access to download ISOs.
There are ways to keep a linux box updated for free, but the features that come with rhn make it a bargain for many of us. If you are not an uber-geek, or you are but have better things to do, it is a killer service. If you are a total noob, you can still understand and gain alot from it. If you are an OS snob, you will trash it because it is not as L33+ as rolling your own.
If you have to ask, then its a great service for you since it is easy to learn and unreal stable.
Tequila: It's not just for breakfast anymore!
I have cron.daily (the *nix 'task scheduler') do an 'emerge -u world' on one machine, I also have a script in cron.hourly that searches the config directories for changed or new files and reminds me by echoing them from .login file.
/etc/._cfg0000_fstab /etc/conf.d/._cfg0000_hdparm
Basically every time I log in in the morning I get a message like:
# Current files on iceage.doughtyhouse.net that need a looksie:
#
#
#
It's not windowsupdate, but it gets the job done even when I'm on vacation, and I've never had trouble with config files that get TOO out-of-date to still work.
"Sometimes, I think Trent just needs a cup of hot chocolate and a blankie." -Tori Amos on Nine Inch Nails
OpenSSH isn't remotely vulnerable to these attacks. Recent versions don't use the OpenSSL ASN.1 parsing code for signature validation (e.g. signatures coming from the network). The OpenSSL ASN.1 code is only used for parsing private keys.
This was done a little while ago, as Markus (wisely) decided that we didn't need a whole ASN.1 parser just to verify signatures.
Don't let that slow you down patching the issue - Apache and other SSL/TLS apps (OpenLDAP, the various imapd's, etc.) may be vulnerable.
Be advised that complex data dependent protocols are not trivial to code. Not only that, they are even harder to get to interoperate with other implementations of the same protocol. All the nasty little bug-a-boos show up that the protocol designers hadn't thought or even dreamed of.So what's the plan? Toss out all the OpenSSL/GNUtls code and start over...but this time let's try something new... let's make it simple and secure?
What you don't seem to understand, is that people far smarter than you and I have already had these philosophical debates and do you know what they came up with?
No software is completely secure.
Prompt disclosure is important.
More eyes, code review, what have you is a good thing.
Plan for failure/breaches/etc.
Your measure of secure software is juvenile. It doesn't even provide an interesting definition of software security. Pointing at less than complete implementations of smtp and ftp makes your entire argument suspect. Also the "auditing secure software is easy" comment is another dead give away.
No.
Vulnerable to denial of service attack
Potentially vulnerable to remote exploits (unknown currently)
For a client (e.g. mail client) using OpenSSL
that the software we take for granted every day is being given such stiff auditing. I mean, sure it sucks to patch so often, but honestly, wouldnt you rather read this and patch before some jackass releases a public exploit, and every 15 year old that cant find something better to do decides to take down a production box?