EmailDiscussions.com  

Runbox Forum Everything related to Runbox should go here: suggestions, comments, complaints, questions, technical issues, etc.

Old 8 Apr 2014, 05:06 PM   #1
jl66
Essential Contributor
 
Join Date: Oct 2013
Posts: 413
A must read

http://heartbleed.com/

I hope it can be solved soon.

Old 8 Apr 2014, 09:08 PM   #2
FredOnline
The "e" in e-mail
 
Join Date: Apr 2011
Location: Manchester UK
Posts: 2,616
To those who, like me, thought this was a link to a dodgy web site.

Through another route, I found this:

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library.
Old 8 Apr 2014, 09:15 PM   #3
jl66
Essential Contributor
 
Join Date: Oct 2013
Posts: 413
Quote:
Originally Posted by FredOnline
To those who, like me, thought this was a link to a dodgy web site.
lol Fred

Yes, a new bug in Openssl...
Old 8 Apr 2014, 09:35 PM   #4
dbowdley
Cornerstone of the Community
 
Join Date: Nov 2008
Location: UK
Posts: 549

Representative of:
Runbox.com
Yes, this is a genuine issue and we have spent the hours immediately after this news broke checking our various systems and making changes where necessary.
Old 9 Apr 2014, 01:32 AM   #5
jl66
Essential Contributor
 
Join Date: Oct 2013
Posts: 413
Quote:
Originally Posted by dbowdley
Yes, this is a genuine issue and we have spent the hours immediately after this news broke checking our various systems and making changes where necessary.
That is great news, thanks a lot for such good work.
Old 9 Apr 2014, 01:41 AM   #6
jl66
Essential Contributor
 
Join Date: Oct 2013
Posts: 413
Yes, ssllabs.com added a test for the "heartbleed" vulnerability to its server test, but Runbox appears as OK.

Thank you RB team.

https://www.ssllabs.com/ssltest/anal...l?d=runbox.com
Old 9 Apr 2014, 06:41 AM   #7
Geir
The "e" in e-mail
 
Join Date: Sep 2001
Location: Oslo, Norway
Posts: 2,938

Representative of:
Runbox.com
Thanks for bringing this to our attention (along with others).

We upgraded OpenSSL on our servers and reissued our SSL certificates as soon as we heard about it.

Keep in mind that Runbox supports Perfect Forward Secrecy, which issues unique key pairs for each connection. This would prevent any eavesdropper from retroactively decrypting communications between server and client even if they managed to get the private key.

http://blog.runbox.com/2013/10/runbo...rward-secrecy/

- Geir
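The forward-secrecy point in Geir's post, as an added example that is not Runbox's code or OpenSSL's: two toy key exchanges side by side, one where the client transports the premaster secret under the server's long-term key (the shape of classic RSA key transport) and one where a fresh Diffie-Hellman pair is generated per connection and the long-term key only authenticates the ephemeral value. The group parameters `P` and `G`, the `wrap` stand-in for public-key encryption and the HMAC stand-in for a signature are assumptions chosen so the script runs offline; they are demo-sized and not a TLS implementation.

```python
# Added example (not Runbox's code): why forward secrecy limits the damage of a
# leaked long-term key. An eavesdropper records each transcript, later obtains
# the long-term key, and tries to recover the session key from the recording.
import hashlib
import hmac
import secrets

# Toy DH group (assumption: demo parameters only, far too small for real use).
P = 2**127 - 1   # a Mersenne prime; all group elements fit in 16 bytes
G = 3

LONG_TERM_KEY = secrets.token_bytes(32)   # server's long-term secret (constructed)


def wrap(key: bytes, data: bytes) -> bytes:
    """Stand-in for encrypting `data` to the holder of `key` (toy, assumption).

    Symmetric by construction: applying it twice unwraps."""
    pad = hashlib.sha256(key + b"wrap").digest()
    return bytes(a ^ b for a, b in zip(data, pad))


def derive_session_key(shared: bytes, transcript: bytes) -> bytes:
    """HKDF-like derivation: the session key depends only on the shared
    secret and the public transcript, never on the long-term key."""
    return hmac.new(shared, transcript, hashlib.sha256).digest()


def static_exchange():
    """Key transport under the long-term key. Returns (session_key, transcript)."""
    premaster = secrets.token_bytes(32)
    transcript = b"static|" + wrap(LONG_TERM_KEY, premaster)
    return derive_session_key(premaster, transcript), transcript


def ephemeral_exchange():
    """Per-connection DH; the long-term key only signs the server's public value."""
    a = secrets.randbelow(P - 2) + 1          # client's ephemeral exponent
    b = secrets.randbelow(P - 2) + 1          # server's ephemeral exponent
    ga, gb = pow(G, a, P), pow(G, b, P)
    gb_bytes = gb.to_bytes(16, "big")
    sig = hmac.new(LONG_TERM_KEY, gb_bytes, hashlib.sha256).digest()  # signature stand-in
    # Client-side authenticity check of the server's ephemeral value.
    assert hmac.compare_digest(sig, hmac.new(LONG_TERM_KEY, gb_bytes, hashlib.sha256).digest())
    transcript = b"ephemeral|" + ga.to_bytes(16, "big") + gb_bytes + sig
    shared_client = pow(gb, a, P).to_bytes(16, "big")
    shared_server = pow(ga, b, P).to_bytes(16, "big")
    assert shared_client == shared_server
    # a and b are discarded here; only ga, gb and sig were ever on the wire.
    return derive_session_key(shared_client, transcript), transcript


def attacker_recovers(transcript: bytes, leaked_key: bytes):
    """Recorded transcript + later-leaked long-term key -> session key, or None."""
    mode, _, body = transcript.partition(b"|")
    if mode == b"static":
        premaster = wrap(leaked_key, body)     # the leaked key unwraps every old premaster
        return derive_session_key(premaster, transcript)
    # Ephemeral mode: the transcript holds only public values and a signature.
    # The leaked key lets the attacker forge future signatures, but the past
    # exponents are gone, so no session key can be rebuilt from the recording.
    return None


if __name__ == "__main__":
    k, t = static_exchange()
    print("static key recovered from recording:", attacker_recovers(t, LONG_TERM_KEY) == k)
    k, t = ephemeral_exchange()
    print("ephemeral key recovered from recording:", attacker_recovers(t, LONG_TERM_KEY) == k)
```

The point the script makes is structural: in `ephemeral_exchange` the long-term key is an input to the signature only, so the session-key derivation has nothing the key can unlock. This is why the advisories below still require reissuing certificates (the leaked key can impersonate the server going forward) even though, with forward secrecy, past traffic stays sealed.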
Old 9 Apr 2014, 08:40 AM   #8
smithmb001
Senior Member
 
Join Date: May 2013
Posts: 162
Security Advisory - OpenSSL TLS/DTLS

Here are a couple of alerts from Entrust and Dell SecureWorks.

------
Entrust -

As diligent corporate citizens, we are advising you of a new threat called the Heartbleed Bug that has been reported by some researchers at Codenomicon and Google. Heartbleed attacks the heartbeat extension (RFC 6520) implemented in OpenSSL. The official reference to the Heartbleed bug is CVE-2014-0160.

Heartbleed allows an attacker to read the memory of a system over the Internet and compromise the private keys, names, passwords and content. An attack is not logged and would not be detectable. The attack can be from client to server or server to client.

Heartbleed is not a flaw with the SSL/TLS protocol specification, nor is it a flaw with the Entrust certification authority (CA), our certificates or the certificate management system. Heartbleed is an implementation bug that affects servers using certain versions of OpenSSL (v1.0.1 - v1.0.1f).

-----
Dell SecureWorks-

The Dell SecureWorks Counter Threat Unit(TM) (CTU) research team has been investigating a critical vulnerability in the OpenSSL cryptographic library. This vulnerability, which has been assigned CVE identifier CVE-2014-0160 and is also known as the "Heartbleed Bug," allows anyone on the Internet to read the memory of systems protected by vulnerable versions of the OpenSSL software. This issue should be considered extremely critical due to its impact, long exposure, ease of exploitation, the absence of application logs indicating an exploit attempt and the widespread availability of exploit code.

The flaw resides in the OpenSSL implementation of the TLS/DTLS (Transport Layer Security) protocols' heartbeat extension (RFC6520) due to a missing bounds check. This vulnerability reveals 64KB of memory per request to a connected client or server. An attacker can keep reconnecting or can keep requesting an arbitrary number of 64KB chunks of memory content during an active TLS connection until they have achieved their objectives.

The vulnerability was independently discovered by a member of the Google Security team and by a team of security engineers at Codenomicon. Proof-of-concept (PoC) code to exploit this vulnerability exists. OpenSSL versions 1.0.1 through 1.0.1f (inclusive) and version 1.0.2-beta are vulnerable; branches 1.0.0 and 0.9.8 are not vulnerable.

Recommended actions:

This vulnerability is resolved in OpenSSL version 1.0.1g. According to the OpenSSL advisory, version 1.0.2 will be fixed via 1.0.2-beta2. The CTU research team recommends upgrading immediately.

Products that use OpenSSL libraries, such as SSL termination devices, load balancers, secure web gateways, web application firewalls, and other embedded devices, may also be vulnerable. Clients should coordinate vulnerability status and mitigation steps with appropriate vendors.

After patching the vulnerability, revoke any primary key material (e.g., X.509 certificates and private keys) used by a vulnerable TLS service, and issue and distribute new keys. In addition, consider potential compromise of secondary key material, such as usernames and passwords exchanged with a vulnerable TLS endpoint. Reset secondary key material such as passwords and encryption keys, and invalidate and reset any exposed session keys and session cookies.

Dell SecureWorks actions:

Dell SecureWorks CTU researchers created the following iSensor countermeasure to detect exploitation of CVE-2014-0160. Signatures for third-party managed devices will be deployed, as they are made available by their respective vendors.
- 50174 VID59478 OpenSSL TLS/DTLS Large Heartbeat Response

--
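The "missing bounds check" the Dell SecureWorks advisory describes, and the kind of "Large Heartbeat Response" detection its countermeasure name suggests, as an added example that is not the advisory's, OpenSSL's or Runbox's code: a parser for TLS heartbeat records that applies the length check RFC 6520 requires (the check the 1.0.1g fix restored), plus a detection pass that flags malformed records and unusually large responses. The sample records, the `threshold` value and the record builder are constructed for the demo.

```python
# Added example (not from the advisory or OpenSSL): RFC 6520 heartbeat
# validation and a simple detector over constructed records.
import struct

TLS_HEARTBEAT = 0x18          # TLS ContentType for heartbeat
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16              # RFC 6520: padding is at least 16 bytes


def parse_heartbeat_record(record: bytes):
    """Return (hb_type, payload) or raise ValueError for a malformed record.

    The decisive check is the last one: the claimed payload_length plus the
    1-byte type, 2-byte length field and minimum padding must fit inside the
    record actually received. A responder that skips it copies payload_length
    bytes out of its own memory whatever the peer really sent (CVE-2014-0160).
    """
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    content_type, _version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != TLS_HEARTBEAT:
        raise ValueError("not a heartbeat record")
    body = record[5:]
    if len(body) != rec_len:
        raise ValueError("record length field does not match data present")
    if rec_len < 1 + 2 + MIN_PADDING:
        raise ValueError("heartbeat message too short")
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        raise ValueError("unknown heartbeat type")
    # RFC 6520 section 4: if payload_length is too large, the message MUST be discarded.
    if 1 + 2 + payload_len + MIN_PADDING > rec_len:
        raise ValueError("payload_length exceeds record: possible Heartbleed probe")
    return hb_type, body[3:3 + payload_len]


def build_heartbeat(hb_type: int, payload: bytes, version: int = 0x0302) -> bytes:
    """Constructed, well-formed sample record (version 0x0302 = TLS 1.1)."""
    body = struct.pack("!BH", hb_type, len(payload)) + payload + b"\x00" * MIN_PADDING
    return struct.pack("!BHH", TLS_HEARTBEAT, version, len(body)) + body


def flag_large_responses(records, threshold: int = 256):
    """Detection pass: list (index, reason) for malformed records and for
    heartbeat responses whose payload exceeds `threshold` bytes (assumption:
    normal heartbeats carry a few bytes, so a large response is worth a look)."""
    hits = []
    for idx, rec in enumerate(records):
        try:
            hb_type, payload = parse_heartbeat_record(rec)
        except ValueError as err:
            hits.append((idx, f"malformed: {err}"))
            continue
        if hb_type == HB_RESPONSE and len(payload) > threshold:
            hits.append((idx, f"large response payload ({len(payload)} bytes)"))
    return hits


if __name__ == "__main__":
    # Constructed samples: an ordinary request and an oversized response.
    samples = [build_heartbeat(HB_REQUEST, b"ping"),
               build_heartbeat(HB_RESPONSE, b"A" * 1000)]
    for hit in flag_large_responses(samples):
        print(hit)
```

Note that the parser rejects an over-long `payload_length` before touching the payload; that ordering is the whole fix. The detector complements it on the network side: a response that is well-formed but far larger than any legitimate heartbeat is the observable artifact of a responder that answered an over-long request.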
Old 11 Apr 2014, 02:04 AM   #9
FredOnline
The "e" in e-mail
 
Join Date: Apr 2011
Location: Manchester UK
Posts: 2,616
Today's Runbox Blog

http://blog.runbox.com/2014/04/heart...vulnerability/
Old 11 Apr 2014, 02:03 PM   #10
emebrs
Essential Contributor
 
Join Date: Dec 2012
Posts: 343
The account page currently lists recent webmail sessions. Does it also list recent IMAP sessions? Since I do not use IMAP, knowing if someone else got in through IMAP would be very useful in the wake of these sorts of security events.
Old 12 Apr 2014, 03:23 PM   #11
jl66
Essential Contributor
 
Join Date: Oct 2013
Posts: 413
Quote:
Originally Posted by emebrs
The account page currently lists recent webmail sessions. Does it also list recent IMAP sessions? Since I do not use IMAP, knowing if someone else got in through IMAP would be very useful in the wake of these sorts of security events.
I don't see my recent IMAP sessions in the list. I think it only lists the webmail sessions.
Old 12 Apr 2014, 05:03 PM   #12
dbowdley
Cornerstone of the Community
 
Join Date: Nov 2008
Location: UK
Posts: 549

Representative of:
Runbox.com
It does only list webmail sessions.

Listing IMAP sessions could generate a very long list if we are talking about every single IMAP login. Some people check email every few minutes, whereas a webmail session is usually longer.

What might be possible at some point is to list the last x number of IPs that attempted to log in to the account via IMAP, POP and SMTP.
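The "last x IPs that attempted to log in via IMAP, POP and SMTP" view dbowdley describes, as an added example that is not Runbox's code: it reads login-attempt log lines, keeps the most recent distinct source IPs per account and protocol (dedup is what keeps the list short for clients that poll every few minutes), and answers emebrs' question by reporting any protocol an account owner says they never use. The log line format and the sample lines are constructed for the demo, not Runbox's logs.

```python
# Added example (not Runbox's code): recent login-attempt IPs per account and
# protocol, built from constructed log lines in an assumed format.
import re
from collections import OrderedDict, defaultdict

# Assumed log format (constructed): "<timestamp> <proto>-login: <Login|Failed>: user=<name>, rip=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>imap|pop3|smtp)-login: (?P<result>Login|Failed): "
    r"user=<(?P<user>[^>]*)>, rip=(?P<ip>\S+)$"
)


def recent_login_ips(lines, n: int = 5):
    """Map (user, proto) -> up to n (ip, (timestamp, result)) pairs, newest first.

    Each distinct IP appears once; a repeat login from the same IP moves it to
    the front with its latest timestamp, so a mail client polling every few
    minutes does not flood the list."""
    seen = defaultdict(OrderedDict)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # unrelated or malformed line
        key = (m["user"], m["proto"])
        seen[key].pop(m["ip"], None)      # drop the older entry for this IP
        seen[key][m["ip"]] = (m["ts"], m["result"])   # re-add as most recent
    return {key: list(reversed(ipmap.items()))[:n] for key, ipmap in seen.items()}


def unexpected_protocol_activity(report, user: str, expected_protocols):
    """Protocols with attempts for `user` that the user does not expect to use,
    e.g. IMAP attempts for someone who only uses webmail."""
    return {
        proto: entries
        for (u, proto), entries in report.items()
        if u == user and proto not in expected_protocols
    }


# Constructed sample lines (addresses from the documentation ranges).
SAMPLE_LINES = [
    "2014-04-12T09:58:00Z imap-login: Login: user=<alice>, rip=198.51.100.4",
    "2014-04-12T10:01:02Z imap-login: Login: user=<alice>, rip=203.0.113.7",
    "2014-04-12T10:05:00Z pop3-login: Failed: user=<alice>, rip=192.0.2.9",
    "2014-04-12T10:06:00Z imap-login: Login: user=<alice>, rip=198.51.100.4",
    "2014-04-12T10:07:00Z smtp-login: Login: user=<bob>, rip=203.0.113.8",
    "2014-04-12T10:08:00Z kernel: unrelated noise",
]

if __name__ == "__main__":
    report = recent_login_ips(SAMPLE_LINES)
    for (user, proto), entries in sorted(report.items()):
        print(user, proto, entries)
    print("alice, webmail-only:", unexpected_protocol_activity(report, "alice", {"webmail"}))
```

Failed attempts are kept alongside successful ones on purpose: for the "did someone try my account after the key leak" question, a burst of failures from an unfamiliar IP is as informative as a success.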
Old 12 Apr 2014, 05:06 PM   #13
FredOnline
The "e" in e-mail
 
Join Date: Apr 2011
Location: Manchester UK
Posts: 2,616
Quote:
Originally Posted by dbowdley
What might be possible at some point is to list the last x number of IPs that attempted to log in to the account via IMAP, POP and SMTP.
Yes, this would be useful - but please get 2FA up and running for webmail asap.
Old 12 Apr 2014, 07:36 PM   #14
jl66
Essential Contributor
 
Join Date: Oct 2013
Posts: 413
Quote:
Originally Posted by FredOnline
Yes, this would be useful - but please get 2FA up and running for webmail asap.
I agree
Old 13 Apr 2014, 09:31 PM   #15
eierkopf
Junior Member
 
Join Date: Feb 2014
Posts: 8
Quote:
Originally Posted by jl66
I agree
!!! please get it up asap !!!