
Author Topic: openSSL DROWN vulnerability/ exploit  (Read 1434 times)


Offline acer

  • Member
  • ***
  • Posts: 242
  • Karma: 28
    • View Profile
  • Peppermint version(s): Peppermint 9R x86/ 10 x64
openSSL DROWN vulnerability/ exploit
« on: March 01, 2016, 02:33:31 pm »
Hi all, it's been a while since I last posted, so much so, I had to reactivate my forum account  :o

Does this DROWN affect Peppermint in any way or is it website servers only?
Will this be updated soon?
Seems to be critical along the same lines as Heartbleed a few years ago.

SSL TLS1.2 data can be intercepted whilst encrypted en-route to server/s from my understanding.


Offline GNULINUX

  • Trusted User
  • Member
  • *****
  • Posts: 987
  • Karma: 311
    • View Profile
  • Peppermint version(s): Peppermint Six (x64)
Re: openSSL DROWN vulnerability/ exploit
« Reply #1 on: March 01, 2016, 03:27:28 pm »
Found this article: DROWN Attack  ;)

Quote
However, the good news is that academic researchers uncovered the DROWN security hole and a patch for the vulnerability has already been made available with an OpenSSL update today.

Tuesday, March 01, 2016
Peppermint 6  (x64)   -   Windows 7 Ultimate SP1  (x64)
Running different OS flavors in VirtualBox, just for fun!

Online PCNetSpec

  • Administrator
  • Hero
  • *****
  • Posts: 26138
  • Karma: 2846
  • "-rw-rw-rw-" .. The Number Of The Beast
    • View Profile
    • PCNetSpec
  • Peppermint version(s): Peppermint 10
Re: openSSL DROWN vulnerability/ exploit
« Reply #2 on: March 01, 2016, 04:14:44 pm »
Nothing the client/web browser can do (so not really a Peppermint problem unless you use it as a webserver) .. only server administrators whose servers allow SSL v2 connections can fix this.

There was an openssl security update this morning .. but currently I can find nothing on whether CVE-2016-0800 was specifically addressed by it
http://www.ubuntu.com/usn/usn-2914-1/

If you're asking if your Peppermint PC is at risk .. no more (or less) than any other PC that connects to a webserver that has SSL v2 enabled.

Before anyone asks, the Peppermint webservers do not currently have SSL enabled ;)

[EDIT]

According to the Debian tracker:
https://security-tracker.debian.org/tracker/CVE-2016-0800

SSLv2 was dropped in openssl 1.0.1.c
and disabled in ns 3.13

Peppermint 5/6 is running
openssl 1.0.1f
ns 3.21
so even if you're running Peppermint 5 or 6 as a webserver I don't think it's affected in the first place
« Last Edit: March 01, 2016, 04:45:58 pm by PCNetSpec »
WARNING: You are logged into reality as 'root' .. logging in as 'insane' is the only safe option.

Team Peppermint
PCNetSpec
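
Added example (not part of the thread and not any poster's code): a small audit that a server administrator could run over web server configuration text to find directives that still allow SSLv2, the condition Reply #2 says only the server side can fix. The config lines are constructed samples, the function names are hypothetical, and treating Apache's `all` as including SSLv2 is a conservative assumption that fits older mod_ssl builds.

```python
import re

# Constructed sample configuration lines (not taken from any real server).
SAMPLE_CONFIG = """\
# nginx vhost A
ssl_protocols SSLv2 SSLv3 TLSv1;
# nginx vhost B
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# Apache vhost C
SSLProtocol all
# Apache vhost D
SSLProtocol all -SSLv2 -SSLv3
# Apache vhost E
SSLProtocol -all +TLSv1.2
"""

# nginx "ssl_protocols" and Apache mod_ssl "SSLProtocol"; commented lines never match.
DIRECTIVE = re.compile(r"^\s*(ssl_protocols|SSLProtocol)\s+([^;#]+)", re.IGNORECASE)


def sslv2_enabled(directive, args, all_includes_sslv2=True):
    """Return True if the directive's arguments leave SSLv2 switched on."""
    tokens = args.split()
    if directive.lower() == "ssl_protocols":
        # nginx lists the enabled protocols explicitly.
        return any(t.lower() == "sslv2" for t in tokens)
    enabled = False
    for tok in tokens:  # Apache applies +/- tokens left to right
        sign = tok[0] if tok[0] in "+-" else ""
        name = tok.lstrip("+-").lower()
        if sign == "-":
            if name in ("all", "sslv2"):
                enabled = False
        else:
            adds = name == "sslv2" or (name == "all" and all_includes_sslv2)
            # Assumption: an unsigned token replaces the set, "+" extends it.
            enabled = adds if sign == "" else (enabled or adds)
    return enabled


def audit(config_text):
    """Return (line number, directive line) for every line that allows SSLv2."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if m and sslv2_enabled(m.group(1), m.group(2)):
            findings.append((lineno, line.strip()))
    return findings


if __name__ == "__main__":
    for lineno, line in audit(SAMPLE_CONFIG):
        print(f"line {lineno}: SSLv2 enabled -> {line}")
```

A clean result only means no directive explicitly enables SSLv2; whether the linked OpenSSL build supports SSLv2 at all is a separate question.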

acer
Re: openSSL DROWN vulnerability/ exploit
« Reply #3 on: March 02, 2016, 05:39:11 am »
Thanks PCNETSPEC, that's reassuring to know, as well as the facts for the additional info.  ;D

PCNetSpec
Re: openSSL DROWN vulnerability/ exploit
« Reply #4 on: March 02, 2016, 07:40:42 am »
No problem acer :)

Further info - Ubuntu have released an advisory confirming 12.04 and 14.04 (so therefore Peppermint 3/5/6) are "not-affected" by CVE-2016-0800 (DROWN) as their versions of openssl are "compiled with no-ssl2"
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-0800.html
« Last Edit: March 02, 2016, 07:49:24 am by PCNetSpec »

GNULINUX
Re: openSSL DROWN vulnerability/ exploit
« Reply #5 on: March 02, 2016, 10:10:12 am »
^^ PCNetSpec, thanks for that link!  ;)

So it seems that the openSSL updates of today included other patches!

I hope that the servers/sites that are affected do update their openSSL as fast as possible or at least disable SSLv2...  ;)

PCNetSpec
Re: openSSL DROWN vulnerability/ exploit
« Reply #6 on: March 02, 2016, 10:31:28 am »
Yep, you can find info on Ubuntu security updates here:
http://www.ubuntu.com/usn/
and on the Ubuntu CVE (Common Vulnerabilities and Exposures) Tracker Report here:
http://people.canonical.com/~ubuntu-security/cve/main.html
« Last Edit: March 02, 2016, 10:39:24 am by PCNetSpec »

GNULINUX
Re: openSSL DROWN vulnerability/ exploit
« Reply #7 on: March 02, 2016, 11:01:20 am »
Going to save your links for future reference, really good stuff!  8)

PCNetSpec
Re: openSSL DROWN vulnerability/ exploit
« Reply #8 on: March 02, 2016, 11:13:48 am »
Or the ones for 2016 listed in reverse date order here:
http://people.canonical.com/~ubuntu-security/cve/2016/?C=M;O=D
« Last Edit: March 02, 2016, 11:16:35 am by PCNetSpec »

acer
Re: openSSL DROWN vulnerability/ exploit
« Reply #9 on: March 02, 2016, 02:42:44 pm »
Quote
Going to save your links for future reference, really good stuff!  8)

Ditto