lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAJ4XoYcYxw3O+3QPzqUGfpg0VXc+GpKWG0tS8oj162E6TB0hBg@mail.gmail.com>
Date: Tue, 15 Apr 2014 14:33:57 -0400
From: Dotzero <dotzero@...il.com>
To: Gabriel Brezi <gb@...rau.lc>
Cc: fulldisclosure@...lists.org
Subject: Re: [FD] Auditing systems for vulnerable 3rd-party OpenSSL

On Tue, Apr 15, 2014 at 1:53 PM, Gabriel Brezi <gb@...rau.lc> wrote:
> I'm advising a client on auditing his systems for vulnerable OpenSSL
> libs which may be included by 3rd-parties. Does anyone know of some
> relatively simple tools that I can leverage to figure out what
> applications were bundled with out of date libs? Most of the focus will
> be Linux and OSX systems.
>

If they were bundled with out of date libs then they were most likely
on 0.9.8(probably e) and not vulnerable. I'm just saying. It's folks
who were more current that were more likely to be vulnerable to this
particular issue. I can't say much about OSX but what I've seen in
checking is that many apps are simply using whatever OpenSSL is on the
OS.

In thinking about auditiing for this, don't forget infrastructure
(firewalls, VPNs - specifically SSL based ones, things such as IP
based security cameras that are managed over SSL (hooray, embedded
devices devices firmware upgrades - wonder how long it will take for
vendor upgrades to be available). Also don't forget 3rd party managed
services (think both the implementation AND the customer portal).
Seeing as this sort of auditing requires thinking about...well...
everything, it's a good time to be collecting/validating/updating info
on what all you have in your environment.
>
>
> I'll cover as much as I can by automating ldd, nm, JAR unpackers and
> UPX. I'll have to contact developers directly if I find evidence of
> obfuscation tools. Can someone add to this list of concerns or weigh in
> on any existing tools that can automate part of this process?
>
>
>
> I don't know OSX so well so extra advice for this platform is helpful.
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> http://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ