Topic: Security flaw found in almost all crypto related software - page 2. (Read 3394 times)
So another exchanges could go down?
Seems limited to the process but very dangerous nonetheless.
http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html
http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html
Quote
When I heard about it, I figured that 64KB wasn't enough to look for things like secret keys. The heap, on x86 at least, grows up, so I figured that pl would simply read into newly allocated memory, such as bp. Keys and the like would be allocated earlier, so you wouldn't be able to read them. Of course, with modern malloc implementations, this isn't always true.
And further, you won't be able to read the memory of any other process, so those "business critical documents" would need to be in memory of the process, less than 64KB, and be nearby pl.
And further, you won't be able to read the memory of any other process, so those "business critical documents" would need to be in memory of the process, less than 64KB, and be nearby pl.
you can say that again! bloody everything runs on openssl ffs.
CGA and YACC will be updated soon, keep an eye out and make sure you update your wallets when the time comes. Most of the pools are now updated.
Very real issue if your website is using https with openssl 1.0
The proof of concept leaks keys, cookie data, username/password etc. I would hold off on logging into many of the homegrown exchanges for a few until they address it.
The proof of concept leaks keys, cookie data, username/password etc. I would hold off on logging into many of the homegrown exchanges for a few until they address it.
Seems limited to the process but very dangerous nonetheless.
http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html
http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html
Quote
When I heard about it, I figured that 64KB wasn't enough to look for things like secret keys. The heap, on x86 at least, grows up, so I figured that pl would simply read into newly allocated memory, such as bp. Keys and the like would be allocated earlier, so you wouldn't be able to read them. Of course, with modern malloc implementations, this isn't always true.
And further, you won't be able to read the memory of any other process, so those "business critical documents" would need to be in memory of the process, less than 64KB, and be nearby pl.
And further, you won't be able to read the memory of any other process, so those "business critical documents" would need to be in memory of the process, less than 64KB, and be nearby pl.
It apparently lets attackers get dumps of 64k of memory at a time.
It wasn't clear whether that memory is limited to memory assigned that process or memory accessible by the user running the process.
If sshd runs as root maybe all RAM on the entire machine can be dumped?
If so all code running on a machine that has an effected ssh daemon is presumably wide open to having its RAM dumped thus any secrets it contains discovered.
So it might not matter whether a specific program uses OpenSSL but rather whether something remotely connectable to such as an ssh daemon uses it.
-MarkM-
It wasn't clear whether that memory is limited to memory assigned that process or memory accessible by the user running the process.
If sshd runs as root maybe all RAM on the entire machine can be dumped?
If so all code running on a machine that has an effected ssh daemon is presumably wide open to having its RAM dumped thus any secrets it contains discovered.
So it might not matter whether a specific program uses OpenSSL but rather whether something remotely connectable to such as an ssh daemon uses it.
-MarkM-
I really don't know a lot about coding vulnerabilities but i bet anything code samples are making their rounds already..
all people have to do is google search a vulnerability and then download a proof of concept source code example and compile it.
and the nature of the vulnerability does sound like something to me Coin devs should pay attention to as well as Pool operators and miner coders etc
across the board this could have some major implications i think..
all people have to do is google search a vulnerability and then download a proof of concept source code example and compile it.
and the nature of the vulnerability does sound like something to me Coin devs should pay attention to as well as Pool operators and miner coders etc
across the board this could have some major implications i think..
It's not so much of a coin being vulnerable, as it is a node or pool website running with an unpatched version of OpenSSL (if ssl is enabled). The only way for a coin dev to insure that their coin is not "vulnerable" is to require the patched version for it to compile correctly.
How many miners have SSL enabled on their wallets?
How many miners have SSL enabled on their wallets?
shit.
In what way would a bitcoind be vulnerable? Does it use ssl vor transport security?
In what way would a bitcoind be vulnerable? Does it use ssl vor transport security?
http://www.neowin.net/news/openssl-affected-by-heartbleed-zero-day-vulnerability
So.. i opened up my Vertcoin wallet and i see it is vulnerable using 1.0.1'c'
Miners are also often vulnerable many use OpenSSL.
I know i have had to download and install it many times working on miner mods.
So lets see what coins are real and which are fake currency pyramid scheme clones that will not get fixed.
Only real devs will address a security concern ..if they know how lol
Quote
A new security flaw affecting OpenSSL, the popular cryptographic protocol used by many websites, has been discovered and is reported to be very serious.
According to the Heartbleed website, the zero-day vulnerability found in OpenSSL affects the stable version 1.0.1 and the 1.0.2 beta version. Older versions of OpenSSL such as 0.9.8 used in Mac OS and iOS and 1.0.0 are not vulnerable to "Heartbleed". Although the vulnerability has been addressed in OpenSSL's version 1.0.1g, it is present in prior versions up to 1.0.1f. Exploiting this flaw, hackers can obtain primary and secondary SSL keys in addition to directly hijacking data being transferred over HTTPS.
Some web companies such as CloudFlare which provides security services for other websites, have used methods recommended by OpenSSL and patched the "Heartbleed" flaw but the methods are not ready for broad deployment according to a report from ZDNet.
Open source firms Red Hat, Debian, SuSE, Canonical, and Oracle are reportedly working hard to patch the OpenSSL vulnerability in their operating systems and are expected to release the patches in 12 hours. Administrators are advised to deploy these patches for operating systems and network equipment as soon as they are made available by manufacturers and software developers.
According to the Heartbleed website, the zero-day vulnerability found in OpenSSL affects the stable version 1.0.1 and the 1.0.2 beta version. Older versions of OpenSSL such as 0.9.8 used in Mac OS and iOS and 1.0.0 are not vulnerable to "Heartbleed". Although the vulnerability has been addressed in OpenSSL's version 1.0.1g, it is present in prior versions up to 1.0.1f. Exploiting this flaw, hackers can obtain primary and secondary SSL keys in addition to directly hijacking data being transferred over HTTPS.
Some web companies such as CloudFlare which provides security services for other websites, have used methods recommended by OpenSSL and patched the "Heartbleed" flaw but the methods are not ready for broad deployment according to a report from ZDNet.
Open source firms Red Hat, Debian, SuSE, Canonical, and Oracle are reportedly working hard to patch the OpenSSL vulnerability in their operating systems and are expected to release the patches in 12 hours. Administrators are advised to deploy these patches for operating systems and network equipment as soon as they are made available by manufacturers and software developers.
So.. i opened up my Vertcoin wallet and i see it is vulnerable using 1.0.1'c'
Miners are also often vulnerable many use OpenSSL.
I know i have had to download and install it many times working on miner mods.
So lets see what coins are real and which are fake currency pyramid scheme clones that will not get fixed.
Only real devs will address a security concern ..if they know how lol
Jump to: