
Topic: OpenSSL vulnerability and Client Side Software ? (Read 8430 times)

OpenSSL vulnerability and Client Side Software ?
As I browsed the Heise news today I came across this headline, Horror-Bug in OpenSSL (German site), which is about this vulnerability ("Heartbleed Bug") that has been in OpenSSL since December 2011.
Because that bug affects both sides (client-server &| server-client) I am asking myself which version of OpenSSL is implemented in e.g. Opera 12.16. Anyone any ideas?

  • Frenzie
  • Administrator
Re: OpenSSL vulnerability and Client Side Software ?
Reply #1
Unless it's a version from before late 2011, I'd count on it being vulnerable. I'm not sure how to find out.

Re: OpenSSL vulnerability and Client Side Software ?
Reply #2
Yeah, how to find out is the big question here - about:config is just citing:

Quote

OpenSSL License - Copyright © 1998-2011 The OpenSSL Project


Would be a shame if this would mean the end of Opera 12.16 (and if so, to which earlier version one should fall back - as I am still not willing to give up on that browser & mail client) :/

  • ersi
Re: OpenSSL vulnerability and Client Side Software ?
Reply #3
This is about OpenSSL versions coming with Linux distros: "...there is no reliable, portable way to check SSL versions across Linux distributions, because they all use their own backported patches and updates with different version numbering schemes. You will have to look up the fixed version number for each different distribution of Linux you run, and check the installed OpenSSL version against that distribution's specific version numbering to determine if your servers are running a vulnerable version or not." http://serverfault.com/questions/587324/heartbleed-how-to-reliably-and-portably-check-the-openssl-version

I suppose this applies even more to OpenSSL versions integrated into programs. To find out the versions will be a hacking headache.

  • Frenzie
  • Administrator
Re: OpenSSL vulnerability and Client Side Software ?
Reply #4
Yeah, how to find out is the big question here - about:config is just citing:

I know, opera:about is the first place I checked.

  • Frenzie
  • Administrator
Re: OpenSSL vulnerability and Client Side Software ?
Reply #5
I posted the question here. Hopefully we'll have an answer soon.

Re: OpenSSL vulnerability and Client Side Software ?
Reply #6
As I understand it, it's a server-side exploit and not a client-side one.
Through the exploit random chunks of data are obtained from the RAM. All data contained in that memory space (usernames, passwords, ssl cert chunks, emails, ...) of the server can be exposed.
Since the memory space is small the attacker will have to keep exploiting in order to collect the entire target and to put pieces together.

The vulnerability has existed since December 31, 2011.
A sad example why security/trust in open source software shouldn't be overrated - "the more eyes the better".

  • Frenzie
  • Administrator
Re: OpenSSL vulnerability and Client Side Software ?
Reply #7
I don't know; the website also says this:
When it is exploited it leads to the leak of memory contents from the server to the client and from the client to the server.

  • ersi
Re: OpenSSL vulnerability and Client Side Software ?
Reply #8
The vulnerability looks actually catastrophic. It's exploitable not only in browsers or people's computers, but anywhere OpenSSL is used, which means practically anywhere you log in - exploitable on the server side and/or client side, as the exploiter chooses. This is what the quote by Frenzie seems to mean.

Most of the internet is made up of log-in accounts these days. This does not look good.

Re: OpenSSL vulnerability and Client Side Software ?
Reply #9

When it is exploited it leads to the leak of memory contents from the server to the client and from the client to the server.

Technically correct.
However it's not the browser which gets attacked and exploited but the server. So it does not make any difference which browser you are using.
As I mentioned before, it's a server-side exploit.
Only if you are using your system as a server/service (most people don't) then your server (using the unfixed OpenSSL) is vulnerable too.

Affected servers/services:
1. should inform their user base
2. should revoke their old certificates after fixing the bug
3. should request their user base to change passwords after the bug was fixed and new certs have been distributed

Wonder how many services will obey those steps. ::)

Edit: BTW, DnD isn't affected :)

  • Frenzie
  • Administrator
Re: OpenSSL vulnerability and Client Side Software ?
Reply #10
However it's not the browser which gets attacked and exploited but the server. So it does not make any difference which browser you are using.

But my point is that being connected with an unpatched browser to an unpatched server has got to be worse than being connected with a patched browser to an unpatched server. Here's a somewhat clearer quote:
Furthermore you might have client side software on your computer that could expose the data from your computer if you connect to compromised services.

Re: OpenSSL vulnerability and Client Side Software ?
Reply #11

But my point is that being connected with an unpatched browser to an unpatched server has got to be worse than being connected with a patched browser to an unpatched server.

Maybe, we can keep speculating on this.
However I would prefer a browser (patched or not) connected to a patched server :)


Furthermore you might have client side software on your computer that could expose the data from your computer if you connect to compromised services.

Broadly speaking, pieces of OpenSSL are also in phones/Google's Android OS and many other software (OpenVPN, Tor,...) even security software like corporate firewalls.
ATM, developers are trying to find out if they are also vulnerable and if so how to patch them as soon as possible.

  • ersi
Re: OpenSSL vulnerability and Client Side Software ?
Reply #12
You got an answer. It's hilarious: "Opera 12 doesn't support SSL heartbeat and is not affected." https://vivaldi.net/forum/web-standards/410-client-side-ssl#6125 It's like saying the old version of Windows doesn't support this recently released virus.

  • Frenzie
  • Administrator
Re: OpenSSL vulnerability and Client Side Software ?
Reply #13
It looks like the entirety of Vivaldi.net is presently broken. No matter where I try to go, I get "The requested page cannot be found."

Anyway, thanks for the answer. That's a relief.

  • jax
  • Global Moderator
Re: OpenSSL vulnerability and Client Side Software ?
Reply #14

You got an answer. It's hilarious: "Opera 12 doesn't support SSL heartbeat and is not affected." https://vivaldi.net/forum/web-standards/410-client-side-ssl#6125 It's like saying the old version of Windows doesn't support this recently released virus.


The answer is pretty much to the point, and it is poor coding, not a virus. This article has a fine explanation of the whole debacle.

  • Frenzie
  • Administrator
Re: OpenSSL vulnerability and Client Side Software ?
Reply #15
I prefer the xkcdplanation.

  • ersi
Re: OpenSSL vulnerability and Client Side Software ?
Reply #16

The answer is pretty much to the point, and it is poor coding, not a virus.
I know it's poor coding. Virus is also "poor coding" for the victim. But for the cracker it's a feature. Bugs can be called "unexpected features" from the other point of view.

Anyway, the answer is to the point because OpenSSL incorporated in Opera didn't have the feature/module that does the heartbeat thing. Am I understanding correctly? I don't know what the heartbeat thing is and why Opera would not "support" it (I find the answer dubious as long as it's impossible to verify), but this seems to be the rationale behind the answer - that OpenSSL incorporated in Opera was compiled without the vulnerable code for some reason.

Re: OpenSSL vulnerability and Client Side Software ?
Reply #17
Quote
The Presto engine used in Opera 12 and older does use OpenSSL, but not the features of OpenSSL which contained the vulnerability. Hence Presto is not vulnerable, on any platform. This includes Opera Mini and Opera Mail, which use Presto. Opera Mini encryption between the client and proxy is also unaffected. Opera 14 and higher runs on Chromium, Desktop versions do not use OpenSSL. Android versions do, but not the features which contained the vulnerability. Coast by Opera only uses OpenSSL for certification information, not any parts of the vulnerable code. So the short version is that Opera products are not vulnerable*. Opera will of course use plugins, and may also use or call system functions or libraries, so even if you are using Opera, you should still make sure your system is secured and up to date.

* No absolutes without caveats. Even though Presto does not use any vulnerable parts of OpenSSL, the standalone autoupdater for Opera 12 on Windows does. However, the autoupdater will only connect to our server, and close the connection if the certificate does not validate, so the certificate holders are the only ones who can abuse it. If someone should have stolen our certificate with a heartbleed attack against our servers, they might potentially use it against the autoupdater. The autoupdater runs in a separate process, and doesn't have much memory to leak, but might potentially leak system information in such a case, such as local username on Windows machines. We aim to get an update out soon. An attack on the autoupdate mechanism itself would still have to bypass additional protections.
source

  • Frenzie
  • Administrator
Re: OpenSSL vulnerability and Client Side Software ?
Reply #18
 Frenzie merrily continues using Opera 12.16.


Edit: speaking of which, I just noticed Vivaldi.net only gives me that error message in Opera 12.16. It seems to work fine in other browsers.

Edit 2: clearing out my Vivaldi cookies seems to have fixed it. Does that mean I might finally stay logged in for more than five minutes?

Edit 3: ersi, I saw that.  :ninja:

  • ersi
Re: OpenSSL vulnerability and Client Side Software ?
Reply #19
Mageia and Manjaro issued updates to their OpenSSL libraries yesterday. I have no clue what the updates do, but I am installing them. From Manjaro blog: "A vulnerability has been discovered in OpenSSL's support for the TLS/DTLS Heartbeat extension. ---- According to the currently available information, private keys should be considered as compromised and regenerated as soon as possible." http://manjaro.org/2014/04/10/fourth-update-pack-for-manjaro-0-8-9-online/

Sounds catastrophic. Except that I don't have any private keys, but I still wonder who gets access to my bank account. The security there depends on the bank whom I never trusted.

Re: OpenSSL vulnerability and Client Side Software ?
Reply #20
At least some good news  :chef:, after I recently replaced my beloved xp x64 (ok, server 2003 support ends next year and those updates could be patched manually to be applied on xp x64 (See either MSFN or RyanVM Forum)) with Win7Pro I am not eager to also switch my browser anytime soon  :spock:

Btw.: Autoupdate - Presto? They still have that service running? I thought they had shut it down after it was compromised, or is my memory wrong that there was a topic in the old OF (Either in the General or Windows Opera Browser Forum) that some people got malware infected updates via the AU?

  • Frenzie
  • Administrator
Re: OpenSSL vulnerability and Client Side Software ?
Reply #21
To my recollection the breach was fixed with a real fix, not by shutting it down. (Also, easily confirmed by checking for updates in Opera 11 and 12.)

  • Macallan
  • Administrator
Re: OpenSSL vulnerability and Client Side Software ?
Reply #22

Unless it's a version from before late 2011, I'd count on it being vulnerable. I'm not sure how to find out.

IIRC 1.0 1.0.1x are affected, the fix is in 1.0.1g.
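
Added example, not part of the thread: one way to approach the "how to find out" question for a program that bundles its own OpenSSL is to search the binary for the banner string OpenSSL compiles in and compare it with the 1.0.1 through 1.0.1f range (fixed in 1.0.1g). The function names and the sample bytes are constructed for illustration. As the serverfault quote and the Opera answer in this thread point out, backported patches and builds that never use heartbeat mean a hit is a lead for review, not a verdict.

```python
import re
import sys

# Banner OpenSSL compiles into its library, e.g. b"OpenSSL 1.0.1e 11 Feb 2013".
BANNER = re.compile(
    rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]{0,2})(?:-[a-z0-9]+)? +"
    rb"\d{1,2} [A-Z][a-z]{2} \d{4}"
)

def find_banners(blob):
    """Return sorted unique ((major, minor, fix), letter) pairs found in blob."""
    found = set()
    for m in BANNER.finditer(blob):
        version = tuple(int(m.group(i)) for i in (1, 2, 3))
        found.add((version, m.group(4).decode()))
    return sorted(found)

def classify(version, letter):
    """Compare a banner with the 1.0.1 .. 1.0.1f range (fix in 1.0.1g)."""
    if version != (1, 0, 1):
        return "outside-1.0.1-series"      # not assessed by this check
    if letter < "g":                       # "" (plain 1.0.1) and "a".."f"
        return "banner-in-affected-range"  # review: backports, heartbeat use
    return "banner-at-or-after-fix"

def scan(blob):
    """Return [(version_string, classification), ...] for every banner."""
    return [("%d.%d.%d%s" % (v + (l,)), classify(v, l))
            for v, l in find_banners(blob)]

# Constructed sample standing in for the bytes of an executable or library.
SAMPLE = (
    b"\x7fELF\x00\x00padding\x00"
    b"OpenSSL 1.0.1e 11 Feb 2013\x00"
    b"unrelated string\x00"
    b"OpenSSL 1.0.1g 7 Apr 2014\x00"
    b"OpenSSL 0.9.8y 5 Feb 2013\x00"
)

if __name__ == "__main__":
    # With a path argument, scan that file; otherwise scan the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for name, verdict in scan(data):
        print(name, verdict)
```

An empty result does not prove OpenSSL is absent: a stripped or compressed binary may not contain the banner in plain form.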

  • Macallan
  • Administrator
Re: OpenSSL vulnerability and Client Side Software ?
Reply #23

As I browsed the Heise news today I came across this headline, Horror-Bug in OpenSSL (German site), which is about this vulnerability ("Heartbleed Bug") that has been in OpenSSL since December 2011.
Because that bug affects both sides (client-server &| server-client) I am asking myself which version of OpenSSL is implemented in e.g. Opera 12.16. Anyone any ideas?

On unixlike OSes probably whatever came with the OS.

  • Macallan
  • Administrator
Re: OpenSSL vulnerability and Client Side Software ?
Reply #24

As I understand it, it's a server-side exploit and not a client-side one.

I'm not so sure, heartbeats can go both ways IIRC.


The vulnerability has existed since December 31, 2011.
A sad example why security/trust in open source software shouldn't be overrated - "the more eyes the better".

If it was closed source who knows if the bug would have been found or published by now (and it's not like there aren't any closed source SSL implementations). But yeah, open source being inherently more secure is nonsense.