| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 8 Apr 2014 11:10:31 -0400
From: David H <ispcolohost@...il.com>
To: fulldisclosure@...lists.org
Subject: Re: [FD] heartbleed OpenSSL bug CVE-2014-0160
I'm curious if anyone has noticed issues connecting to remote hosts after
installing the RHEL/CentOS patch?
For example, the CyberSource payment gateway is no longer accessible from a
patched server. The gateway has the URL
https://ics2ws.ic3.com/commerce/1.x/transactionProcessor. Before the patch:
# rpm -qa|grep openssl
openssl-1.0.0-27.el6_4.2.x86_64
openssl-devel-1.0.0-27.el6_4.2.x86_64
root@...db:~# openssl s_client -connect ics2ws.ic3.com:443
CONNECTED(00000003)
depth=3 C = US, O = Entrust.net, OU = www.entrust.net/CPS incorp. by ref.
(limits liab.), OU = (c) 1999 Entrust.net Limited, CN = Entrust.net Secure
Server Certification Authority
verify return:1
depth=2 C = US, O = "Entrust, Inc.", OU = www.entrust.net/CPS is
incorporated by reference, OU = "(c) 2006 Entrust, Inc.", CN = Entrust Root
Certification Authority
verify return:1
depth=1 C = US, O = "Entrust, Inc.", OU = www.entrust.net/rpa is
incorporated by reference, OU = "(c) 2009 Entrust, Inc.", CN = Entrust
Certification Authority - L1E
verify return:1
depth=0 C = US, ST = California, L = Mountain View,
1.3.6.1.4.1.311.60.2.1.3 = US, 1.3.6.1.4.1.311.60.2.1.2 = Delaware, O =
Cybersource Corporation, businessCategory = Private Organization,
serialNumber = 2838921, CN = ics2ws.ic3.com
verify return:1
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain
View/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/O=Cybersource
Corporation/businessCategory=Private Organization/serialNumber=2838921/CN=
ics2ws.ic3.com
i:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by
reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1E
1 s:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by
reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1E
i:/C=US/O=Entrust, Inc./OU=www.entrust.net/CPS is incorporated by
reference/OU=(c) 2006 Entrust, Inc./CN=Entrust Root Certification Authority
2 s:/C=US/O=Entrust, Inc./OU=www.entrust.net/CPS is incorporated by
reference/OU=(c) 2006 Entrust, Inc./CN=Entrust Root Certification Authority
i:/C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits
liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server
Certification Authority
3 s:/C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits
liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server
Certification Authority
i:/C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits
liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server
Certification Authority
---
Server certificate
<<<cert cut for email brevity>>>
subject=/C=US/ST=California/L=Mountain
View/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/O=Cybersource
Corporation/businessCategory=Private Organization/serialNumber=2838921/CN=
ics2ws.ic3.com
issuer=/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by
reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1E
---
No client certificate CA names sent
---
SSL handshake has read 5289 bytes and written 422 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : RC4-MD5
Session-ID:
F7BAF7C639F01658797E1ECA788A21DB81A9577BA7489FC1D50A6AA00A697959
Session-ID-ctx:
Master-Key:
8244297B5ACF81A8996F49862B7AA8A164B63A2B002C9B9F309C825E44ABFE610463F1E24752390A883ABA3EE8AF7A9D
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1396968550
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
DONE
and after:
# openssl s_client -connect ics2ws.ic3.com:443
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 263 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
This is of course a bad thing if you're hosting ecommerce sites on the
servers in question lol.
On Tue, Apr 8, 2014 at 7:59 AM, Jann Horn <jann@...jh.net> wrote:
> On Tue, Apr 08, 2014 at 10:23:26AM +0200, Joerg Mertin wrote:
> > Ubuntu already has released:
> > http://www.ubuntu.com/usn/usn-2165-1/
> >
> > My server updated during the night :}
>
> Make sure that it actually worked! I did this after updating my debian
> server:
>
> root@...jh:/home/jann# for pid in $(grep -F
> '/usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)' /proc/*/maps | cut
> -d/ -f3 | sort -u); do cat /proc/$pid/cmdline | tr '\0' ' '; echo; done
> /usr/lib/erlang/erts-5.9.1/bin/beam -Bd -K true -A 4 -- -root
> /usr/lib/erlang -progname erl -- -home /var/lib/couchdb -- -noshell
> -noinput -os_mon start_memsup false start_cpu_sup false
> disk_space_check_interval 1 disk_almost_full_threshold 1 -sasl errlog_type
> error -couch_ini /etc/couchdb/default.ini /etc/couchdb/local.ini
> /etc/couchdb/default.ini /etc/couchdb/local.ini -s couch -pidfile
> /var/run/couchdb/couchdb.pid -heart
> /usr/bin/couchjs /usr/share/couchdb/server/main.js
> /usr/bin/couchjs /usr/share/couchdb/server/main.js
> /usr/bin/stunnel4 /etc/stunnel/stunnel.conf
> /usr/bin/stunnel4 /etc/stunnel/stunnel.conf
> /usr/bin/stunnel4 /etc/stunnel/stunnel.conf
> /usr/bin/stunnel4 /etc/stunnel/stunnel.conf
> /usr/bin/stunnel4 /etc/stunnel/stunnel.conf
> /usr/bin/stunnel4 /etc/stunnel/stunnel.conf
> /usr/bin/python /usr/lib/mailman/bin/mailmanctl -s -q start
> /usr/bin/python /var/lib/mailman/bin/qrunner --runner=ArchRunner:0:1 -s
> /usr/bin/python /var/lib/mailman/bin/qrunner --runner=BounceRunner:0:1 -s
> /usr/bin/python /var/lib/mailman/bin/qrunner --runner=CommandRunner:0:1 -s
> /usr/bin/python /var/lib/mailman/bin/qrunner --runner=IncomingRunner:0:1 -s
> /usr/bin/python /var/lib/mailman/bin/qrunner --runner=NewsRunner:0:1 -s
> /usr/bin/python /var/lib/mailman/bin/qrunner --runner=OutgoingRunner:0:1 -s
> /usr/bin/python /var/lib/mailman/bin/qrunner --runner=VirginRunner:0:1 -s
> /usr/bin/python /var/lib/mailman/bin/qrunner --runner=RetryRunner:0:1 -s
> /usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf
> /usr/lib/postfix/master
> /usr/sbin/vsftpd
> /usr/bin/znc -d /etc/znc
> pickup -l -t fifo -u -c
> anvil -l -t unix -u -c
> smtpd -n smtp -t inet -u -c -o stress= -s 2
> irssi
> /usr/sbin/openvpn --writepid /var/run/openvpn.tun0.pid --daemon ovpn-tun0
> --cd /etc/openvpn --config /etc/openvpn/tun0.conf
> qmgr -l -t fifo -u
> tlsmgr -l -t unix -u -c
>
> So, yeah, it did replace the library file, but stunnel, couchdb, lighttpd,
> postfix, vsftpd and so on are still using the old version. You have to
> manually restart those services... :D
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> http://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
>
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists