My next class:

Updated OpenSSL Patch Presentation

Published: 2014-06-05. Last Updated: 2014-06-05 23:32:48 UTC
by Johannes Ullrich (Version: 1)
5 comment(s)

I recorded an updated Internet Storm Center Briefing for today's OpenSSL patches. It corrects a couple of mistakes from this afternoon's live presentation and adds additional details to CVE-2014-0195.

 

Presentation Slides (PDF)

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

Keywords: openssl
5 comment(s)
My next class:

Comments

Anyone heard of a way to test systems after patching? Metasploit modules, NMap / Python scripts validated?

Anonymous

Jun 6th 2014
1 decade ago

sadly I haven't seen any yet. These may be difficult to test for safely. The DoS issues may crash the server, so does the remote code execution vulnerability at this point. The MitM may be scannable but I haven't seen it yet.

Anonymous

Jun 6th 2014
1 decade ago

Thanks Johannes! Been listening to you for a long time now. I'll say hi in person if we're even in the same city at the same time.

Anonymous

Jun 6th 2014
1 decade ago

[quote=comment#31149]Anyone heard of a way to test systems after patching? Metasploit modules, NMap / Python scripts validated?[/quote]

RedHat made a Perl script checker available for testing for the CVE-2014-0224 (Change Cipher Spec) vulnerability. You might need a support contract to access (not sure), but it's at: https://access.redhat.com/labs/ccsinjectiontest/fake-client-early-ccs.pl . If you leave off the filename from that URL, it presents (or did yesterday) an online tester that will scan a server remotely from their system.

Anonymous

Jun 6th 2014
1 decade ago

I just reviewed my Qualys scan results. Qualys seems to have the ability to identify the vulnerability since it reported several devices in my scan.

Robert

Anonymous

Jun 9th 2014
1 decade ago

Login here to join the discussion.


Top of page
Diary Archives