Peppermint OS Community Forum

Support => Advanced Topics => Topic started by: acer on March 01, 2016, 02:33:31 pm

Title: openSSL DROWN vulnerability/ exploit
Post by: acer on March 01, 2016, 02:33:31 pm
Hi all, it's been a while since I last posted, so much so, I had to reactivate my forum account  :o

Does this DROWN affect peppermint in any way or is it website servers only?
Will this be updated soon?
Seems to be critical along the same lines as Heartbleed a few years ago.

SSL TLS1.2 data can be intercepted whilst encrypted en-route to server/s from my understanding.

Title: Re: openSSL DROWN vulnerability/ exploit
Post by: GNULINUX on March 01, 2016, 03:27:28 pm
Found this article: DROWN Attack (https://thehackernews.com/2016/03/drown-attack-openssl-vulnerability.html)  ;)

Quote
However, the good news is that academic researchers uncovered the DROWN security hole and a patch for the vulnerability has already been made available with an OpenSSL update today.

Tuesday, March 01, 2016
Title: Re: openSSL DROWN vulnerability/ exploit
Post by: PCNetSpec on March 01, 2016, 04:14:44 pm
Nothing the client/webrowser can do (so not really a Peppermint problem unless you use it as a webserver) .. only server administrators who's servers allow SSL v2 connections can fix this.

there was an openssl securityupdate this morning .. but currently I can find nothing on whether CVE-2016-0800 was specifically addressed by it
http://www.ubuntu.com/usn/usn-2914-1/

If you're asking if your Peppermint PC is at risk .. no more (or less) than any other PC that connects to a webserver that has SSL v2 enabled.

Before anyone asks, the Peppermint webservers do not currently have SSL enabled ;)

[EDIT]

According to the Debian tracker:
https://security-tracker.debian.org/tracker/CVE-2016-0800

SSLv2 was dropped in openssl 1.0.1.c
and disabled in ns 3.13

Peppermint 5/6 is running
openssl 1.0.1f
ns 3.21
so even if you're running Peppermint 5 or 6 as a webserver I don't think it's affected in the first place
Title: Re: openSSL DROWN vulnerability/ exploit
Post by: acer on March 02, 2016, 05:39:11 am
Thanks PCNETSPEC, that's re-assuring to know, as well as the facts for the additional info.  ;D
Title: Re: openSSL DROWN vulnerability/ exploit
Post by: PCNetSpec on March 02, 2016, 07:40:42 am
No problem acer :)

Further info - Ubuntu  have released an advisory confirming 12.04 and 14.04 (so therefore Peppermint 3/5/6) are "not-affected" by CVE-2016-0800 (DROWN) as their versions of openssl are "compiled with no-ssl2"
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-0800.html
Title: Re: openSSL DROWN vulnerability/ exploit
Post by: GNULINUX on March 02, 2016, 10:10:12 am
^^ PCNetSpec (http://forum.peppermintos.com/index.php?action=profile;u=4), thanks for that link!  ;)

So it seems that the openSSL updates of today included other patches (http://people.canonical.com/~ubuntu-security/cve/pkg/openssl.html)!
Spoiler (click here to view / hide)
(http://i.imgur.com/ZR00sN4.png)
[close]

I hope that the servers/sites that are affected do update their openSSL as fast as possible or at least disable SSLv2...  ;)
Title: Re: openSSL DROWN vulnerability/ exploit
Post by: PCNetSpec on March 02, 2016, 10:31:28 am
Yep, you can find info on Ubuntu security updates here:
http://www.ubuntu.com/usn/
and on the Ubuntu CVE (Common Vulnerabilities and Exposure) Tracker Report here:
http://people.canonical.com/~ubuntu-security/cve/main.html
Title: Re: openSSL DROWN vulnerability/ exploit
Post by: GNULINUX on March 02, 2016, 11:01:20 am
Going to save your links for future reference, really good stuff!  8)
Title: Re: openSSL DROWN vulnerability/ exploit
Post by: PCNetSpec on March 02, 2016, 11:13:48 am
Or the ones for 2016 listed in reverse date order here:
http://people.canonical.com/~ubuntu-security/cve/2016/?C=M;O=D
Title: Re: openSSL DROWN vulnerability/ exploit
Post by: acer on March 02, 2016, 02:42:44 pm
Going to save your links for future reference, really good stuff!  8)
Ditto