Pages:
Author

Topic: Security flaw found in almost all crypto related software (Read 3412 times)

member
Activity: 81
Merit: 1002
It was only the wind.
you went off on me pretty hard buddy i was not trying to spread fud or panic etc.
i said here is what i know..
i never claimed to understand fully what the security risk was.. what i stated is it COULD have a wide range of implications.

so you flamed me for that and it seemed tad much.

But don't worry i will get over it lol ...i haz butthurt !!! frownfacesss !!!!!!

Sorry.
legendary
Activity: 1344
Merit: 1001
Okay, non-FUD time.  Here is a list of things you may have done with Bitcoin that would make you vulnerable.

1.  Used RPC to communicate with a bitcoind daemon over the network. 
(localhost doesn't open this hole)

2.  Used the new 'payment protocol' that came out with V9 two days before
heartbleed was announced.

3.  Run an OpenSSL-enabled webserver (which is most of them) on the same
machine as your bitcoind while you had your wallet open.  Web servers are too
complex for anyone to ever assume that they are secure, so this would have been
a bad idea anyway.

4.  Used a password to encrypt your wallet that you also use at some website
which was run on a vulnerable server (which is most of them).  It may have
been compromised by someone attacking that site.  Reusing passwords is always
stupid, but then again, people who know better still often do it, so it's worth
mentioning.

If you did one of those things, while someone who knew about heartbleed was paying attention, then they may have your password and/or keys. 

Whether or not you did one of those things, you should change all your passwords every so often anyway and now is a better time than most.


Very informative, thank you for this summary.
legendary
Activity: 924
Merit: 1132
Okay, non-FUD time.  Here is a list of things you may have done with Bitcoin that would make you vulnerable.

1.  Used RPC to communicate with a bitcoind daemon over the network. 
(localhost doesn't open this hole)

2.  Used the new 'payment protocol' that came out with V9 two days before
heartbleed was announced.

3.  Run an OpenSSL-enabled webserver (which is most of them) on the same
machine as your bitcoind while you had your wallet open.  Web servers are too
complex for anyone to ever assume that they are secure, so this would have been
a bad idea anyway.

4.  Used a password to encrypt your wallet that you also use at some website
which was run on a vulnerable server (which is most of them).  It may have
been compromised by someone attacking that site.  Reusing passwords is always
stupid, but then again, people who know better still often do it, so it's worth
mentioning.

If you did one of those things, while someone who knew about heartbleed was paying attention, then they may have your password and/or keys. 

Whether or not you did one of those things, you should change all your passwords every so often anyway and now is a better time than most.



legendary
Activity: 1540
Merit: 1011
FUD Philanthropist™
you went off on me pretty hard buddy i was not trying to spread fud or panic etc.
i said here is what i know..
i never claimed to understand fully what the security risk was.. what i stated is it COULD have a wide range of implications.

so you flamed me for that and it seemed tad much.

But don't worry i will get over it lol ...i haz butthurt !!! frownfacesss !!!!!!
legendary
Activity: 1344
Merit: 1001
Could someone explain me how someone could take advantage on my wallet opened on my PC using this vulnerability?

They can't. Unless you use bitcoin: links.

Thought so. Thanks.
full member
Activity: 126
Merit: 100
Đogecoin 1.6.1 fixed this issue yesterday.  Wink
https://github.com/dogecoin/dogecoin/issues/434
legendary
Activity: 1540
Merit: 1011
FUD Philanthropist™
http://www.neowin.net/news/openssl-affected-by-heartbleed-zero-day-vulnerability

Quote
A new security flaw affecting OpenSSL, the popular cryptographic protocol used by many websites, has been discovered and is reported to be very serious.

According to the Heartbleed website, the zero-day vulnerability found in OpenSSL affects the stable version 1.0.1 and the 1.0.2 beta version. Older versions of OpenSSL such as 0.9.8 used in Mac OS and iOS and 1.0.0 are not vulnerable to "Heartbleed". Although the vulnerability has been addressed in OpenSSL's version 1.0.1g, it is present in prior versions up to 1.0.1f. Exploiting this flaw, hackers can obtain primary and secondary SSL keys in addition to directly hijacking data being transferred over HTTPS.

Some web companies such as CloudFlare which provides security services for other websites, have used methods recommended by OpenSSL and patched the "Heartbleed" flaw but the methods are not ready for broad deployment according to a report from ZDNet.

Open source firms Red Hat, Debian, SuSE, Canonical, and Oracle are reportedly working hard to patch the OpenSSL vulnerability in their operating systems and are expected to release the patches in 12 hours. Administrators are advised to deploy these patches for operating systems and network equipment as soon as they are made available by manufacturers and software developers.

So.. i opened up my Vertcoin wallet and i see it is vulnerable using 1.0.1'c'
Miners are also often vulnerable many use OpenSSL.
I know i have had to download and install it many times working on miner mods.

So lets see what coins are real and which are fake currency pyramid scheme clones that will not get fixed.
Only real devs will address a security concern ..if they know how lol

First, yawn, knew about this for like two days already.

Second, I hope you're not using linux, because if you are, OpenSSL is not compiled in, it's linked to the lib on your system.

Also, miners are not vulnerable, quit spreading FUD. You don't know what you're talking about.

Oh, and even if the wallet IS vulnerable, the only way it can be exploited is through bitcoin: links or RPC SSL, and if you don't know what RPC SSL is, you're not using it.

Seems limited to the process but very dangerous nonetheless.

http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html

Quote
When I heard about it, I figured that 64KB wasn't enough to look for things like secret keys. The heap, on x86 at least, grows up, so I figured that pl would simply read into newly allocated memory, such as bp. Keys and the like would be allocated earlier, so you wouldn't be able to read them. Of course, with modern malloc implementations, this isn't always true.

And further, you won't be able to read the memory of any other process, so those "business critical documents" would need to be in memory of the process, less than 64KB, and be nearby pl.

Why does everyone think you can only read 64KB? You can only read that much using one heartbeat. By sending more, you can read an arbitrary amount of memory.

can you talk with out being an asshole ?

and what i use is of no use to this conversion but if you must know i use backtrack or khali when i use linux.

and no i don't spread FUD ever.. i spread FACTS

you do look like an idiot right now by the way because anyone that had to download the OpenSSL project binaries to work on coding a miner
is going to know exactly what i am talking about.. You know it doesn't take much to check your facts rather than running your mouth eh
so off the top of my head i will give you two examples to put your big mouth in its place and maybe next time you feel compelled to tell me off
..you can check your facts first.

example no. 1 - Cudaminer needed to use OpenSSL SHA.h in the main c file and used an alternate hashing function to support Max coin.
example no. 2 - ALL miners pretty much use LibCurl and they may depending on the dev's preferences use OpenSSL with that Library.

care to spout off some more jack ass ?

edit:
and your mouthing off and bragging you knew about the vulnerability but didn't say anything to us all ? yaaawn Huh
sorry to bore you lol
i guess we should delete the Topic Wolf is bored right ? hahaa

you can find "the FUD" (the include) on line 38 in the file cpu-miner.c in Cudaminer version 2014-02-09
where it says..

Code:
#include
legendary
Activity: 1696
Merit: 1008


Cryptogenic Bullion clients updated with fix here!

 Grin
legendary
Activity: 1344
Merit: 1001
Could someone explain me how someone could take advantage on my wallet opened on my PC using this vulnerability?
legendary
Activity: 1484
Merit: 1005
It apparently lets attackers get dumps of 64k of memory at a time.

It wasn't clear whether that memory is limited to memory assigned that process or memory accessible by the user running the process.

If sshd runs as root maybe all RAM on the entire machine can be dumped?

If so all code running on a machine that has an effected ssh daemon is presumably wide open to having its RAM dumped thus any secrets it contains discovered.

So it might not matter whether a specific program uses OpenSSL but rather whether something remotely connectable to such as an ssh daemon uses it.

-MarkM-


ssh isn't vulnerable
http://security.stackexchange.com/questions/55076/what-should-a-website-operator-do-about-the-heartbleed-openssl-exploit

but you should maybe regenerate your key pairs in case a server using openssl somehow leaked them
legendary
Activity: 924
Merit: 1132
FWIW, the capabilities of bitcoind which definitely are exposed to this bug are as follows: 


If you have used RPC over the network to talk to bitcoind, your SSL keys have been exposed to a possible attacker who was exploiting this bug at the time.

If you have used the new "Payment protocol" capabilities of the most recent client over the network, your SSL keys have been exposed to a potential attacker exploiting this bug.

As far as I know, those are the only vulnerabilities in the bitcoind versions published prior to today. 

Anyway - it is worthwhile to change all your keys and passwords every so often anyway; this is a kick in the shorts to do it, but we should be doing it occasionally anyway.

sr. member
Activity: 369
Merit: 250
Cryptsy.com • Got Shitcoins?
shit.

In what way would a bitcoind be vulnerable? Does it use ssl vor transport security?


As far as Bitcoin goes, this vulnerability has already been patched: https://bitcoin.org/en/release/v0.9.1

Spoet, I am curious too as to which alt coins affected will be fixed and how fast that fix happens. Wink
legendary
Activity: 924
Merit: 1000
interesting replies.. i didn't look into it figured people smarter than me on that stuff would ..i hoped anyway lol

nice to see the header news message on the top of the forum though and a fast response from the community already.
we need to do what we can to keep confidence in crypto's we've already had enough bad news last couple months Sad

Yep, it's the dark days.

But it could be worse. You could be down 80+% on your BTC stake...in other words, it could be December 2011.   Wink Grin 
legendary
Activity: 1540
Merit: 1011
FUD Philanthropist™
interesting replies.. i didn't look into it figured people smarter than me on that stuff would ..i hoped anyway lol

nice to see the header news message on the top of the forum though and a fast response from the community already.
we need to do what we can to keep confidence in crypto's we've already had enough bad news last couple months Sad
legendary
Activity: 924
Merit: 1132
But it looks like the vulnerability was actually below the level of CAs.


It appears I wasn't cynical enough.

Correction:  it looks like A vulnerability was below the level of the CAs.
legendary
Activity: 980
Merit: 1004
As predicted CGA dev has released a new wallet that fixes the heartbleed flaw. As you can see the CGA team is actively working to secure the coin. Please whitelist CGA in regards to your future shitcoin cleaning initiatives.
legendary
Activity: 924
Merit: 1132
http://www.bbc.com/news/technology-26935905

News story. 

I knew shit was getting out that openSSL ought to have protected - it's one of the reasons I ranted about the CA certs in the new bitcoind.

But it looks like the vulnerability was actually below the level of CAs.

legendary
Activity: 924
Merit: 1000
http://www.neowin.net/news/openssl-affected-by-heartbleed-zero-day-vulnerability

Quote
A new security flaw affecting OpenSSL, the popular cryptographic protocol used by many websites, has been discovered and is reported to be very serious.

According to the Heartbleed website, the zero-day vulnerability found in OpenSSL affects the stable version 1.0.1 and the 1.0.2 beta version. Older versions of OpenSSL such as 0.9.8 used in Mac OS and iOS and 1.0.0 are not vulnerable to "Heartbleed". Although the vulnerability has been addressed in OpenSSL's version 1.0.1g, it is present in prior versions up to 1.0.1f. Exploiting this flaw, hackers can obtain primary and secondary SSL keys in addition to directly hijacking data being transferred over HTTPS.

Some web companies such as CloudFlare which provides security services for other websites, have used methods recommended by OpenSSL and patched the "Heartbleed" flaw but the methods are not ready for broad deployment according to a report from ZDNet.

Open source firms Red Hat, Debian, SuSE, Canonical, and Oracle are reportedly working hard to patch the OpenSSL vulnerability in their operating systems and are expected to release the patches in 12 hours. Administrators are advised to deploy these patches for operating systems and network equipment as soon as they are made available by manufacturers and software developers.

So.. i opened up my Vertcoin wallet and i see it is vulnerable using 1.0.1'c'
Miners are also often vulnerable many use OpenSSL.
I know i have had to download and install it many times working on miner mods.

So lets see what coins are real and which are fake currency pyramid scheme clones that will not get fixed.
Only real devs will address a security concern ..if they know how lol

Thanks for passing on the info in a straight-to-the-point manner. Much appreciated.
Pages:
Jump to: