Security :: Vulnerability - 1.0.x Branch Of OpenSSL That Potentially Allows SSL Servers To Compromise Clients
Aug 10, 2010
Quote: Security expert Georgi Guninski has pointed out a security issue in the 1.0 branch of OpenSSL that potentially allows SSL servers to compromise clients. Apparently the hole can be exploited simply by sending a specially crafted certificate to the client, causing deallocated memory to be accessed in the ssl3_get_key_exchange function (in ssls3_clnt.c). While this usually only causes an application to crash, it can potentially also be exploited to execute injected code.
Malware Potentially Implicated in 2008 Fatal Plane Crash in SpainQuote:Investigators looking into the crash of Spanair Flight 5022 at Madrid International Airport on August 20, 2008, killing 154, found that the airline's central computer system used to monitor technical problems in its fleet was infected with malware, according to this news report. The central computer system should have warned the airline that Flight 5022, an MD-82 aircraft, was having repeat mechanical problems.[URL]
So yesterday I receive a copy of the SANS @RISK security vulnerability newsletter, and, lo and behold, Mozilla's Firefox and Thunderbird are on it yet again. (Yeah, I know, shocking, isn't it?)So I quickly check what versions I have installed. Yup: Vulnerable.I check whether updates are available.These are pretty serious "remote code execution" vulnerabilities and the status is "vendor confirmed, updates available." So why isn't my 9.10 desktop's update manager telling me updates are available?
I have a virtual machine and as per the datacenter update it is compromised. From the server SSH attack is being done.I have checked last commands by running histroy command but there isn't any maliciouse command performed.
I i've virtual machine that is running BackTrack4r2. I need to use the built-in tool Metaspolit in bt for assessing the security and vulnerability in websites The prob is that i dont have any about the Metaspolit tool.
I noticed that when typing in your password after locking the screen or a screensaver, the program focussed behind it is able to catch the input...
This sounds like a huge security risk to me, is there anyone who can test this? (Only noticed with game in wine, perhaps you need low level xorg access)
I decided to report what happened me lately so that someone more clever could find the hole in the latest ubuntu. So: I have a machine connected 24/7 on high speed network. i had karmic on it. i ran openssh and apache2 (without any mod, plain apache2) on it. In addition i ran firefox, ktorrent, and amule on it. Nothing else. The system didnt have any rule in iptables.
Recently chkrootkit signaled a SuckIT rootkit in the system. I was scared, i googled for it and i saw that on ubuntu this actually happened and it was a false positive. Ok, i kept going. Yesterday i nmapped myself and i found an open port around 64000 that i couldnt see with netstat -atpnl so i concluded i was actually infected and erased the drive and tried to install lucid alpha2 so, one day of lucid,
- with a firewall this time that let open only the port 22 and 80 from internet - with only openssh as service (no apache2) - ran firefox3.6 , ktorrent and amule , nothing else
Using Opera 10.61 and 10.62, I find that any secure website I access, such as a bank, the lock icon in the address bar is replaced by a question mark. Clicking on it brings up a window, stating that the connection is not secure, that the server does not support TLS Renegotiation. Doing some internet searches for "opera tls renegotiation" brought me to a page at the Opera website, where they discuss this issue. The issue is generic, not limited to Opera, affecting the TLS protocol, and it potentially enables a man-in-the-middle to renegotiate a "secure" connection between a server and client, issuing own commands to the server. Opera has addressed the problem on the client end, but now servers need to be upgraded too. None of the HTTPS sites I have tried have upgraded their servers, if the information provided by the Opera browser is correct.
My questions: how feasible is such a MITM attack, what level of resources would such an attack require? What, if anything, would the attacker need to know about the client and/or server to mount the attack? Would I be better off using Firefox, or is Firefox simply oblivious of the problem and not issuing warnings for that reason?
Is there a free online vulnerability scanner where either I can give them the IP address to scan or can be initiated from the console command, tool, or text based browser. I use GRC's Shields Up when I have a GUI, but I want a scan ran on my website that runs Ubuntu 8.04 server on a hosted VPS.
I've got an HP Netbook with Jaunty installed, and I've got an older Dell laptop running Debian.A friend of mine, on several occasions, has told me that when I left my computers unattended he could do some kind of series of key-strokes, and then a window comes up and he says that he can change the password for my account.I've asked him to show me how he does it, but he never will because he doesn't want me to be able to thwart himIs he lying, or is it for real? if it's for real, how do I go about changing it so that it can't happen anymore?
I ran across this problem when I used checkinstall and then tried to extract the contents of data.tar.gz (which you can find inside any .deb).tar has an option to extract the contents of a file in a given directory.From tar's manpage:
I am using Nagios 3.2.4 tool with Nagios-Plugins-1.4.14 and on Red Hat Fedora Linux ver 10.1.The Apache version is 2.2.11. My security team has identified the following vulnerabilities with this version and they want me to find a fix.
1)Apache mod_proxy_ftp Module NULL Pointer Dereference Denial Of Service Vulnerability 2)Apache HTTP Server mod_proxy stream_reqbody_cl Function Denial of Service Vulnerability 3)Apache HTTP Server mod_deflate Remote Denial Of Service Vulnerability 4)Apache APR and APR-util Multiple Integer Overflow Vulnerabilities
i need to know more about openssl.In particular i'm having problems with some basic coammand-line stuff to do with signing and base64 encoding.You'll have to excuse me but i'm a security n00b. What is the command for signing some text file with a given private key and then after that base64 encoding the same file.Can this be done with a single command? what's wrong with:
Code: openssl rsautl -sign -in textfile -inkey privatekey.pem enc -base64 -in textfile or should that be: Code: openssl rsautl -sign -in textfile -inkey privatekey.pem | openssl enc -base64 -
I tried to compile C program that uses Openssl libraries on shell but got this error. I guess libraries are not linked properly. undefined reference to SSL_library_init()
but when I run "msfconsole", I got the following error messages telling me that ruby-openssl is not installed. I installed it "apt-get install libopenssl-ruby" but same message still comes again. I'm running Ubuntu 9.10.
root@qa-ud910-32-1:/opt/metasploit3/msf3/external/ruby-lorcon2# msfconsole *** The ruby-openssl library is not installed, many features will be disabled! *** Examples: Meterpreter, SSL Sockets, SMB/NTLM Authentication, and more [-] ***
When I do a "openssl x509 -in server1.pem -issuer -noout" after I've supposedly signed it with the CA, the issuer is, for some reason, the DN string of server1. If server1 generated the CSR, and it is coming up as issued by server1, doesn't that indicate a self signed cert? How could the CA be producing a cert that has an issuer of another server? Am I just completely off base? Sorry, I'm a bit of a newb with the SSL pieces.
I hope this is the right place for this, but I'm having some difficulty using the java keytool and OpenSSL tool on a Solaris system.
I have a server (CA server) with OpenSSL installed that I would like to use as a Certificate Authority. The second server (server1) is a WebLogic server with JDK 1.6.0_21. I'm trying to configure it to use a certificate that has been signed by server1.
For some reason it keeps giving me this error when I try to import the signed SSL certificate: keytool error: java.lang.Exception: Public keys in reply and keystore don't match
Am I doing something wrong in this whole process?
1) Generate the Private Key for the CA server openssl genrsa -out CA.key -des 2048
2) Generate the CSR on the CA openssl req -new -key CA.key -out CA.csr
3) Sign the new CSR so that it can be used as the root certificate openssl x509 -extensions v3_ca -trustout -signkey CA.key -days 730 -req -in CA.csr -out CA.pem -extfile /usr/local/ssl/openssl.cnf
4) On server1, create Server Private Key KeyStore keytool -genkey -alias server1 -keysize 2048 -keyalg RSA keystore server1.jks -dname "CN=server1.domain.com,OU=Organization,O=Company,L=City,ST=State,C=US"
5) On server1, create a CSR from the recently created Private Key keytool -certreq -alias server1 -sigalg SHA1WithRSA -keystore server1.jks -file server1.csr
6) Transfer the CSR over to the CA (server1) so that it can be signed openssl x509 -extensions v3_ca -trustout -signkey CA.key -days 365 -req -in server1.csr -out server1.pem -extfile /usr/local/ssl/openssl.cnf
7) Transfer CA Public Cert to server1 and Import into keytool keytool -import -trustcacerts -alias CA_Public -file CA.pem -keystore server1.jks
8) Import recently signed CSR to app server keystore (This is where I receive the error) keytool -import -trustcacerts -alias server1 -file server1.pem -keystore server1.jks
I saw, there is a new OpenSSL v 1.0.0 and I wanna ask how to install it. I have this server now Apache/2.2.14 (Ubuntu) PHP/5.2.10-2ubuntu6.4 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k
And I try to install by reading the Install file in the package but I still have 0.9.8k.
I'd like to upgrade libssl to 0.9.8l version on my Lucid-based server, because of CVE-2009-3555 - they say that 0.9.8l disables SSL renegotiation, fixing the security issue. But there is no 0.9.8l in Ubuntu repositories - only 0.9.8k-7 is available. how can I upgrade this library? BTW. it is really strange why such significant security fix is not available in Ubuntu repositories. why it is not available?
I have a running proxy server that I wish to also turn into a VPN server.The VPN is not used so much that a user can access the network but is used so that they can obtain a geo specific IP address for their applications (the proxy server only does this for HTTP).I would therefore like to block off the VPN from accessing any of my Linux box's ports such as email, web server etc.Clients are given local IPs of 172.16.0.x.What should I take into consideration to block off clients from accessing dangerous stuff on the network?
So since i have installed linux, I have been ready about how virus are not nearly as likely to infect linux system as windows, i am running a dual-boot though and import my profile and have a lot of my files from windows system on linux, can they potentially be infected in the windows sense?
I've small issue with blocking local clients. I mean I've webserver that I want to allow limited number to clients to that let say I've 10 users from 10.5.1.1-10 I would like to block 1-9 and allow only last client to access that webserver . Ive tried the following
Code:
iptables -A -p tcp -i eth1 -d 10.1.1.14 -s ! 10.5.1.10 -j REJECT iptables -A INPUT -p tcp -d 10.1.1.14 -i eth1 -s ! 10.5.1.10 -j DROP
I would like to install Linux based AntiVirus Server with Windows Clients. As per the existing setup, all Windows machines are using "demo" or "evaluation" copy of antivirus & all antivirus softwares are not same on all windows computers.
Someone is using Trend-Micro ,other is using Avast. Due to above listed problem,i want to implement Linux Based Free AntiVirus Server,which will be connected directly on the internet. The Linux AntiVirus server will updated it's database from Internet automatically.
Inside the Linux Server,all Windows PC's are connected in a same Local Area Connection. All windows XP computers will fetch the updated data from the Anti Virus Server. Also,i am searching MAIL RESPONDER OR POP UP Windows,when any virus found on any client machine. My company needs Cost Effective solution & Linux is the best solution for this.
My Linux server which is running my company website have been hacked. Today I saw a number of clients (customers) with some fun characters entries on my database. Access denial on really clients. Please assist, am running Linux Ubuntu 9 and I dont know where to start troubleshooting this. let me confession that I am still on the learning curve on Linux
I administrat a school in Denmark, with around 40 clients runnig xp pro and a windows 2003 server, but i read about the possibility of running a linux server, with thin clintes that can run from the server, if it has network pxe boot.
I was wondering if anybody now any links to a good how to page, on what is needed on the setup side of the server, and clients. To make it work. And i have to use my dhcp from the win 2003 server. Is that possible.
Im having a problem with our pxe environment. We have around 200 clients per server to boot from tftp and when we hit 250 the service just freezes. So, our options are to either add more servers or move to a more robust protocol. Is this feasible?? How can clients boot from ftp?
