Category Archives: Bugs

The OpenSSL Vulnerability – CVE-2015-1793

Severity: High

What is OpenSSL?
OpenSSL is a general purpose cryptography library that implements a cryptographic security protocol called TLS/SSL, and puts the “S” in HTTPS for many websites.

The Vulnerability
Hackers can lure or misdirect a user to a bogus website, email server or any other internet service that uses TLS/SSL for its secure communication, tricking the user into thinking they are somewhere legitimate and secure.

Effects of the bug
A hacker may be able to create a certificate in someone else’s name, and then sneak it past OpenSSL’s certificate verification process without triggering a warning, even though the certificate isn’t signed by a trusted CA.

How big is the risk?
Four OpenSSL versions are affected:
• Versions 1.0.2b and 1.0.2c need updating to 1.0.2d. (The -a sub-version is immune.)
• Versions 1.0.1n and 1.0.1o need updating to 1.0.1p. (Sub-versions up to and including -n are immune.)
• All 0.9.8 versions are immune.
• All 1.0.0 versions are immune.
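As an added example (not from the original post), a small Python checker that maps an OpenSSL version string onto the list above. The optional live check assumes the `openssl` CLI is on PATH; note that the CLI build can differ from the library a given server actually links against, so check each binary you care about.

```python
"""Classify an OpenSSL version string against the CVE-2015-1793 affected list."""
import re
import subprocess

# Affected ranges as given in the OpenSSL advisory: 1.0.2b..1.0.2c (fixed in
# 1.0.2d) and 1.0.1n..1.0.1o (fixed in 1.0.1p). Value = (first bad, last bad, fixed).
AFFECTED = {
    (1, 0, 2): ("b", "c", "d"),
    (1, 0, 1): ("n", "o", "p"),
}

# Matches "1.0.2c" inside strings such as "OpenSSL 1.0.2c 12 Jun 2015".
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Return (major, minor, patch, letter); letter is '' for e.g. '1.0.1'."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {text!r}")
    major, minor, patch, letter = m.groups()
    return int(major), int(minor), int(patch), letter


def classify(text):
    """Return 'affected', 'fixed' or 'immune' for one version string."""
    major, minor, patch, letter = parse_version(text)
    rng = AFFECTED.get((major, minor, patch))
    if rng is None:
        return "immune"  # 0.9.8, 1.0.0 and every other branch are not affected
    first_bad, last_bad, fixed = rng
    # Letter releases sort alphabetically, so a plain string compare is enough.
    if letter and first_bad <= letter <= last_bad:
        return "affected"
    if letter >= fixed:
        return "fixed"
    return "immune"  # releases before the bug was introduced, e.g. 1.0.2a or 1.0.1m


def check_local_openssl():
    """Run `openssl version` on this host and classify the reported build."""
    out = subprocess.run(["openssl", "version"], capture_output=True,
                         text=True, check=True).stdout.strip()
    return out, classify(out)


if __name__ == "__main__":
    print(check_local_openssl())
```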

What to do?
If you are using any of the above OpenSSL versions you need to update.

References
https://www.openssl.org/news/secadv_20150709.txt


‘Heartbleed’ critical bug affecting most websites in Kenya

OpenSSL is used by most websites in Kenya (most I come across are open source and built on Joomla), so the flaw impacts almost everyone who is using open-source web servers like Apache and nginx. Those not impacted by this two-year-old bug are immune either because their websites don’t support SSL or because they’re using outdated versions of OpenSSL.

“Open SSL is a widely used technology for secure communication over the Internet. In general, that means it was implemented to protect secure data and communications to prevent unauthorized access to information. This vulnerability means attackers can gain access to information, transactions, and other sensitive or valuable data with little restriction – it is very serious.” Dwayne Melancon, CTO of Tripwire (CSO Online, 2014)

For more in-depth analysis I have reblogged Codenomicon, 2001-2014, url: http://heartbleed.com/