Updated OpenSSL Patch Presentation

Published: 2014-06-05
Last Updated: 2014-06-05 23:32:48 UTC
by Johannes Ullrich (Version: 1)
5 comment(s)

I recorded an updated Internet Storm Center Briefing for today's OpenSSL patches. It corrects a couple of mistakes from this afternoon's live presentation and adds additional details to CVE-2014-0195.

 

Presentation Slides (PDF)

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

Keywords: openssl
5 comment(s)

Comments

Anyone heard of a way to test systems after patching? Metasploit modules, NMap / Python scripts validated?
sadly I haven't seen any yet. These may be difficult to test for safely. The DoS issues may crash the server, so does the remote code execution vulnerability at this point. The MitM may be scannable but I haven't seen it yet.
Thanks Johannes! Been listening to you for a long time now. I'll say hi in person if we're even in the same city at the same time.
[quote=comment#31149]Anyone heard of a way to test systems after patching? Metasploit modules, NMap / Python scripts validated?[/quote]

RedHat made a Perl script checker available for testing for the CVE-2014-0224 (Change Cipher Spec) vulnerability. You might need a support contract to access (not sure), but it's at: https://access.redhat.com/labs/ccsinjectiontest/fake-client-early-ccs.pl . If you leave off the filename from that URL, it presents (or did yesterday) an online tester that will scan a server remotely from their system.
I just reviewed my Qualys scan results. Qualys seems to have the ability to identify the vulnerability since it reported several devices in my scan.

Robert

Diary Archives