
Comments on the news item

Mikina | 31.172.30.* | 4.7.2014 21:14
Hello,
I really no longer know how to go on fixing SSL on the server; nothing much comes to mind about the finding of this vulnerability. I have just compiled OpenSSL to the patched version OpenSSL 1.0.1h and the CVE 2014-224 flaw keeps recurring. The CVE 2014-160 (Heartbleed) flaw did not show up in brief tests with a script.

I am basically using my own certificate, generated according to the guide on the site for the Lighttpd server, which thereby got its SSL port opened and so encrypted access to it. It is only a simple pocket website stored on the phone's SD card. But I figure OpenSSL could be less vulnerable :)

Reports:

--Test SSL server 127.0.0.1 on port 443

Supported Server Cipher(s):
Accepted SSLv3 256 bits DHE-RSA-AES256-SHA
Accepted SSLv3 256 bits AES256-SHA
Accepted SSLv3 168 bits DHE-RSA-DES-CBC3-SHA
Accepted SSLv3 168 bits DES-CBC3-SHA
Accepted SSLv3 128 bits DHE-RSA-AES128-SHA
Accepted SSLv3 128 bits AES128-SHA
Accepted SSLv3 128 bits RC4-SHA
Accepted TLSv1 256 bits DHE-RSA-AES256-SHA
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 168 bits DHE-RSA-DES-CBC3-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Accepted TLSv1 128 bits DHE-RSA-AES128-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 128 bits RC4-SHA

Prefered Server Cipher(s):
SSLv3 256 bits DHE-RSA-AES256-SHA
TLSv1 256 bits DHE-RSA-AES256-SHA

-- Test - CVE-2014-0224

python ./OSSL_CCS_InjectTest.py 127.0.0.1 443

***CVE-2014-0224 Detection Tool v0.2***
Brought to you by Tripwire VERT (@TripwireVERT)
[TLSv1.2] 127.0.0.1:443 rejected early CCS
[TLSv1.1] 127.0.0.1:443 rejected early CCS

[TLSv1] 127.0.0.1:443 allows early CCS
[SSLv3] 127.0.0.1:443 allows early CCS

***This System Exhibits Potentially Vulnerable Behavior***

--Test for the SSL heartbeat vulnerability (CVE-2014-0160)

python ./ssltest-tsl.py 127.0.0.1

Connecting...
Sending Client Hello...
Waiting for Server Hello...
... received message: type = 22, ver = 0301, length = 53
... received message: type = 22, ver = 0301, length = 890
... received message: type = 22, ver = 0301, length = 652
... received message: type = 22, ver = 0301, length = 4
Sending heartbeat request...
... received message: type = 21, ver = 0302, length = 2
Received alert:
0000: 02 46 .F

Server returned error, likely not vulnerable

--Configuration for running make

./Configure linux-generic32 --prefix=/usr --openssldir=/etc/ssl --libdir=lib shared zlib-dynamic -DOPENSSL_NO_HEARTBEATS

--openssl version

OpenSSL 1.0.1h 5 Jun 2014

/opt/source# openssl version -a
OpenSSL 1.0.1h 5 Jun 2014
built on: Fri Jul 4 02:08:20 CEST 2014
platform: linux-generic32
options: bn(64,32) rc4(ptr,char) des(idx,cisc,16,long) idea(int) blowfish(ptr)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_NO_HEARTBEATS -DTERMIO -O3 -fomit-frame-pointer -Wall
OPENSSLDIR: "/etc/ssl"

I also found a website where everything is fine for CVE 2014-224, but that site has a paid certificate, so I don't know how much it has to do with OpenSSL...

/opt/source# proxychains4 python ./OSSL_CCS_InjectTest.py 162.159.246.246 443

[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/local/lib/libproxychains4.so
[proxychains] DLL init

***CVE-2014-0224 Detection Tool v0.2***

Brought to you by Tripwire VERT (@TripwireVERT)
[proxychains] Strict chain ... 127.0.0.1:9050 ... 162.159.246.246:443 ... OK

[TLSv1.2] 162.159.246.246:443 rejected early CCS
[proxychains] Strict chain ... 127.0.0.1:9050 ... 162.159.246.246:443 ... OK

[TLSv1.1] 162.159.246.246:443 rejected early CCS
[proxychains] Strict chain ... 127.0.0.1:9050 ... 162.159.246.246:443 ... OK

[TLSv1] 162.159.246.246:443 rejected early CCS
[proxychains] Strict chain ... 127.0.0.1:9050 ... 162.159.246.246:443 ... OK

[SSLv3] 162.159.246.246:443 rejected early CCS
No need to patch.
-------------
/opt/pentest/sslscan# ./sslscan --bugs --no-failed 162.159.246.246:443
_
___ ___| |___ ___ __ _ _ __
/ __/ __| / __|/ __/ _` | '_ \
\__ \__ \ \__ \ (_| (_| | | | |
|___/___/_|___/\___\__,_|_| |_|

Version 1.8.2
[link]
Copyright Ian Ventura-Whiting 2009

Testing SSL server 162.159.246.246 on port 443

Supported Server Cipher(s):
Accepted SSLv3 256 bits AES256-SHA
Accepted SSLv3 168 bits DES-CBC3-SHA
Accepted SSLv3 128 bits AES128-SHA
Accepted SSLv3 128 bits RC4-SHA
Accepted TLSv1 256 bits ECDHE-RSA-AES256-SHA
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 168 bits ECDHE-RSA-DES-CBC3-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Accepted TLSv1 128 bits ECDHE-RSA-AES128-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 128 bits ECDHE-RSA-RC4-SHA
Accepted TLSv1 128 bits RC4-SHA

Prefered Server Cipher(s):
SSLv3 128 bits AES128-SHA
TLSv1 128 bits ECDHE-RSA-AES128-SHA

SSL Certificate:
Version: 2
Serial Number: -4294967295
Signature Algorithm: sha1WithRSAEncryption
Issuer: /C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - G2
Not valid before: Jul 3 14:30:07 2014 GMT
Not valid after: Jan 28 17:43:27 2019 GMT
Subject: /C=US/ST=CA/L=San Francisco/O=CloudFlare, Inc./CN=ssl6784.cloudflare.com
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 Extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.2
CPS: [link]

X509v3 Subject Alternative Name:
DNS:ssl6784.cloudflare.com, DNS:filmdikizle.com, DNS:jav188.com, DNS:*.lanhdiamu.vn, DNS:*.kiosbalita.com, DNS:*.pronon.se, DNS:*.teachingtheart.com, DNS:catalyst.org, DNS:filippo.io, DNS:pronon.se, DNS:teachingtheart.com, DNS:*.toptentalk.com, DNS:toptentalk.com, DNS:*.socialjew.com, DNS:socialjew.com, DNS:*.atamba.de, DNS:atamba.de, DNS:*.libres-et-heureux.com, DNS:*.proquro.eu, DNS:*.facebooker.dk, DNS:*.hoobly.com, DNS:dvs.vn, DNS:toptenarticle.com, DNS:proquro.eu, DNS:*.dvs.vn, DNS:hoobly.com, DNS:*.jav188.com, DNS:kiosbalita.com, DNS:*.photoboothdallas.org, DNS:photoboothdallas.org, DNS:afinadoronline.com.br, DNS:*.catalyst.org, DNS:*.trademarks.directory, DNS:lanhdiamu.vn, DNS:facebooker.dk, DNS:*.filmdikizle.com, DNS:dubaipearl.com, DNS:libres-et-heureux.com, DNS:*.filippo.io, DNS:*.toptenarticle.com, DNS:*.dubaipearl.com, DNS:*.afinadoronline.com.br, DNS:trademarks.directory
X509v3 Basic Constraints:
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 CRL Distribution Points:

Full Name:
URI:[link]

Authority Information Access:
CA Issuers - URI:[link]
OCSP - URI:[link]

X509v3 Subject Key Identifier:
8A:37:60:80:69:A8:C9:88:04:2F:71:A1:70:9E:85:DD:9B:64:FA:31
X509v3 Authority Key Identifier:
keyid:5D:46:B2:8D:C4:4B:74:1C:BB:ED:F5:73:B6:3A:B7:38:8F:75:9E:7E

Verify Certificate:
unable to get local issuer certificate
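
A check a practitioner might run in the situation the post above describes (library rebuilt, scanner result unchanged): list which libssl/libcrypto files a running server process has actually mapped. This is an added example, not part of the original post; the sample maps lines are constructed, and the expected directory `/usr/lib` is taken from the post's `--prefix=/usr --libdir=lib`.

```python
import re
import sys
from pathlib import PurePosixPath

# Install directory implied by the post's "--prefix=/usr --libdir=lib".
EXPECTED_DIR = "/usr/lib"
TLS_LIB = re.compile(r"^lib(ssl|crypto)\.so")
STALE = "stale: file was replaced on disk after the process started"

# Constructed sample in /proc/<pid>/maps format (not taken from the post).
SAMPLE_MAPS = """\
08048000-0807f000 r-xp 00000000 b3:02 1201 /usr/sbin/lighttpd
b6e10000-b6e5c000 r-xp 00000000 b3:02 2211 /usr/lib/libssl.so.1.0.0 (deleted)
b6e5c000-b6e60000 rw-p 0004b000 b3:02 2211 /usr/lib/libssl.so.1.0.0 (deleted)
b6c00000-b6d90000 r-xp 00000000 b3:02 3310 /lib/libcrypto.so.1.0.0
b6f00000-b6f20000 rw-p 00000000 00:00 0
"""

def tls_libs_in_maps(maps_text, expected_dir=EXPECTED_DIR):
    """Map each loaded libssl/libcrypto path to a list of findings."""
    report = {}
    for line in maps_text.splitlines():
        fields = line.split(None, 5)  # address perms offset dev inode path
        if len(fields) < 6:
            continue  # anonymous mapping, no backing file
        path = fields[5].strip()
        deleted = path.endswith(" (deleted)")
        if deleted:
            path = path[: -len(" (deleted)")]
        lib = PurePosixPath(path)
        if not TLS_LIB.match(lib.name):
            continue
        findings = report.setdefault(path, [])
        if deleted and STALE not in findings:
            findings.append(STALE)
        outside = f"outside {expected_dir}"
        if str(lib.parent) != expected_dir and outside not in findings:
            findings.append(outside)
    return report

if __name__ == "__main__":
    # With a PID argument, inspect that live process; otherwise use the sample.
    text = open(f"/proc/{sys.argv[1]}/maps").read() if len(sys.argv) > 1 else SAMPLE_MAPS
    for path, findings in tls_libs_in_maps(text).items():
        print(path, "->", "; ".join(findings) or "ok")
```

An empty findings list means the library is mapped from the expected directory and is still the file on disk; a stale entry means the process has to be restarted before it uses the rebuilt library.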
Emkei | E-mail | Website | PGP | 4.7.2014 8:38
updated from the testing branch to version OpenSSL 1.0.1i-dev; unfortunately Debian Squeeze does not offer a version newer than 0.9.8o in the stable branch.
Mikina | 176.10.100.* | 3.7.2014 22:36
OpenSSL on SOOM may be susceptible to this flaw too.

/opt/source# python ./OSSL_CCS_InjectTest.py 46.167.245.70 443
***CVE-2014-0224 Detection Tool v0.2***
Brought to you by Tripwire VERT (@TripwireVERT)
[TLSv1.2] 46.167.245.70:443 rejected early CCS
[TLSv1.1] 46.167.245.70:443 rejected early CCS
[TLSv1] 46.167.245.70:443 allows early CCS
[SSLv3] 46.167.245.70:443 allows early CCS
***This System Exhibits Potentially Vulnerable Behavior***

Mikina | 37.130.227.* | 6.6.2014 19:55
Fixed in version OpenSSL 1.0.1g ...
more: [link]
