Bitcoin Forum
November 19, 2024, 04:48:23 AM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Warning: One or more bitcointalk.org users have reported that they strongly believe that the creator of this topic is a scammer. (Login to see the detailed trust ratings.) While the bitcointalk.org administration does not verify such claims, you should proceed with extreme caution.
Pages: [1] 2 »  All
  Print  
Author Topic: Security flaw found in almost all crypto related software  (Read 3412 times)
Spoetnik (OP)
Legendary
*
Offline Offline

Activity: 1540
Merit: 1011


FUD Philanthropist™


View Profile
April 08, 2014, 01:17:39 PM
Last edit: April 08, 2014, 02:11:08 PM by Spoetnik
 #1

http://www.neowin.net/news/openssl-affected-by-heartbleed-zero-day-vulnerability

Quote
A new security flaw affecting OpenSSL, the popular cryptographic protocol used by many websites, has been discovered and is reported to be very serious.

According to the Heartbleed website, the zero-day vulnerability found in OpenSSL affects the stable version 1.0.1 and the 1.0.2 beta version. Older versions of OpenSSL such as 0.9.8 used in Mac OS and iOS and 1.0.0 are not vulnerable to "Heartbleed". Although the vulnerability has been addressed in OpenSSL's version 1.0.1g, it is present in prior versions up to 1.0.1f. Exploiting this flaw, hackers can obtain primary and secondary SSL keys in addition to directly hijacking data being transferred over HTTPS.

Some web companies such as CloudFlare which provides security services for other websites, have used methods recommended by OpenSSL and patched the "Heartbleed" flaw but the methods are not ready for broad deployment according to a report from ZDNet.

Open source firms Red Hat, Debian, SuSE, Canonical, and Oracle are reportedly working hard to patch the OpenSSL vulnerability in their operating systems and are expected to release the patches in 12 hours. Administrators are advised to deploy these patches for operating systems and network equipment as soon as they are made available by manufacturers and software developers.

So.. i opened up my Vertcoin wallet and i see it is vulnerable using 1.0.1'c'
Miners are also often vulnerable many use OpenSSL.
I know i have had to download and install it many times working on miner mods.

So lets see what coins are real and which are fake currency pyramid scheme clones that will not get fixed.
Only real devs will address a security concern ..if they know how lol

FUD first & ask questions later™
molecular
Donator
Legendary
*
Offline Offline

Activity: 2772
Merit: 1019



View Profile
April 08, 2014, 01:55:04 PM
 #2

shit.

In what way would a bitcoind be vulnerable? Does it use ssl vor transport security?

PGP key molecular F9B70769 fingerprint 9CDD C0D3 20F8 279F 6BE0  3F39 FC49 2362 F9B7 0769
ThePeePs
Sr. Member
****
Offline Offline

Activity: 350
Merit: 250


https://cryptassist.io


View Profile
April 08, 2014, 02:07:09 PM
 #3

It's not so much of a coin being vulnerable, as it is a node or pool website running with an unpatched version of OpenSSL (if ssl is enabled).  The only way for a coin dev to insure that their coin is not "vulnerable" is to require the patched version for it to compile correctly.

How many miners have SSL enabled on their wallets?

THE ONE STOP SOLUTION FOR THE CRYPTO WORLD
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
Facebook   /  Twitter   /  Reddit   /  Medium   /  Youtube   /
      ▄▄█████████▄▄
   ▄█████████████████▄
  █████▀▀  ███  ▀▀█████
 ████     █████     ████
████     ███████
███▀    ████ ████
███▄   ████   ████
████  ████▄▄▄▄▄████  ████
 ███████████████████████
  █████▄▄       ▄▄█████
   ▀█████████████████▀
      ▀▀█████████▀▀

▄██▀▀▀▀▀▀▀▀▀▀▀▀▀██▄
▄██▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀██▄
▄█▀                       ▀█▄
▄▄▄▄ ▄█                           █▄ ▄▄▄▄
█   ███▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀███   █
▀▀█▀                                 ▀█▀▀
▄▀                                     ▀▄
▄▄▀▄▄▄▄                                 ▄▄▄▄▀▄▄
█       ▀▀▄                           ▄▀▀       █
█          █                         █          █
█▀▀▄▄▄▄▄▄▄███▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀███▄▄▄▄▄▄▄▀▀█
▒▀▄       ██▀▀▀▀▀▀▀▀▀▀▀▀█▀█▀▀▀▀▀▀▀▀▀▀▀▀██       ▄▀▒
▒█▀▀▀▀▄▄  █              ▀              █  ▄▄▀▀▀▀█▒
▒█      █ ▀▄                           ▄▀ █      █▒
▒▀▄▀▄▄▄▄▀  █▀▀▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▀▀█  ▀▄▄▄▄▀▄▀▒
▒▒▒▀▄▄▄▄▄ █                             █ ▄▄▄▄▄▀▒▒▒
 ▒▒▒▒▒▒▀▀▀▀▀▄▄▄▄▄▄███████████████▄▄▄▄▄▄▀▀▀▀▒▒▒▒▒▒▒
██
██
██
██
██
██
██
██
██
██
██
██
Spoetnik (OP)
Legendary
*
Offline Offline

Activity: 1540
Merit: 1011


FUD Philanthropist™


View Profile
April 08, 2014, 02:08:28 PM
 #4

I really don't know a lot about coding vulnerabilities but i bet anything code samples are making their rounds already..
all people have to do is google search a vulnerability and then download a proof of concept source code example and compile it.
and the nature of the vulnerability does sound like something to me Coin devs should pay attention to as well as Pool operators and miner coders etc
across the board this could have some major implications i think..

FUD first & ask questions later™
markm
Legendary
*
Offline Offline

Activity: 3024
Merit: 1121



View Profile WWW
April 08, 2014, 02:10:51 PM
 #5

It apparently lets attackers get dumps of 64k of memory at a time.

It wasn't clear whether that memory is limited to memory assigned that process or memory accessible by the user running the process.

If sshd runs as root maybe all RAM on the entire machine can be dumped?

If so all code running on a machine that has an effected ssh daemon is presumably wide open to having its RAM dumped thus any secrets it contains discovered.

So it might not matter whether a specific program uses OpenSSL but rather whether something remotely connectable to such as an ssh daemon uses it.

-MarkM-

Browser-launched Crossfire client now online (select CrossCiv server for Galactic  Milieu)
Free website hosting with PHP, MySQL etc: http://hosting.knotwork.com/
papersheepdog
Sr. Member
****
Offline Offline

Activity: 266
Merit: 250


View Profile WWW
April 08, 2014, 02:40:23 PM
 #6

Seems limited to the process but very dangerous nonetheless.

http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html

Quote
When I heard about it, I figured that 64KB wasn't enough to look for things like secret keys. The heap, on x86 at least, grows up, so I figured that pl would simply read into newly allocated memory, such as bp. Keys and the like would be allocated earlier, so you wouldn't be able to read them. Of course, with modern malloc implementations, this isn't always true.

And further, you won't be able to read the memory of any other process, so those "business critical documents" would need to be in memory of the process, less than 64KB, and be nearby pl.

bob131313
Sr. Member
****
Offline Offline

Activity: 420
Merit: 250


View Profile
April 08, 2014, 03:13:26 PM
 #7

Very real issue if your website is using https with openssl 1.0
The proof of concept leaks keys, cookie data, username/password etc. I would hold off on logging into many of the homegrown exchanges for a few until they address it.
brokedummy
Legendary
*
Offline Offline

Activity: 980
Merit: 1004


View Profile
April 08, 2014, 03:22:22 PM
Last edit: April 08, 2014, 04:46:13 PM by brokedummy
 #8

CGA and YACC will be updated soon, keep an eye out and make sure you update your wallets when the time comes. Most of the pools are now updated.
billotronic
Legendary
*
Offline Offline

Activity: 1610
Merit: 1000


Crackpot Idealist


View Profile
April 08, 2014, 03:45:17 PM
 #9

Seems limited to the process but very dangerous nonetheless.

http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html

Quote
When I heard about it, I figured that 64KB wasn't enough to look for things like secret keys. The heap, on x86 at least, grows up, so I figured that pl would simply read into newly allocated memory, such as bp. Keys and the like would be allocated earlier, so you wouldn't be able to read them. Of course, with modern malloc implementations, this isn't always true.

And further, you won't be able to read the memory of any other process, so those "business critical documents" would need to be in memory of the process, less than 64KB, and be nearby pl.

you can say that again! bloody everything runs on openssl ffs.

This post sums up why all this bullshit is a scam
Read It. Hate It. Change the facts that it represents.
https://bitcointalk.org/index.php?topic=1606638.msg16139644#msg16139644
pabloangello
Legendary
*
Offline Offline

Activity: 1344
Merit: 1001


View Profile
April 08, 2014, 05:40:14 PM
 #10

So another exchanges could go down?

Nxtblg
Legendary
*
Offline Offline

Activity: 924
Merit: 1000



View Profile WWW
April 08, 2014, 05:44:21 PM
 #11

http://www.neowin.net/news/openssl-affected-by-heartbleed-zero-day-vulnerability

Quote
A new security flaw affecting OpenSSL, the popular cryptographic protocol used by many websites, has been discovered and is reported to be very serious.

According to the Heartbleed website, the zero-day vulnerability found in OpenSSL affects the stable version 1.0.1 and the 1.0.2 beta version. Older versions of OpenSSL such as 0.9.8 used in Mac OS and iOS and 1.0.0 are not vulnerable to "Heartbleed". Although the vulnerability has been addressed in OpenSSL's version 1.0.1g, it is present in prior versions up to 1.0.1f. Exploiting this flaw, hackers can obtain primary and secondary SSL keys in addition to directly hijacking data being transferred over HTTPS.

Some web companies such as CloudFlare which provides security services for other websites, have used methods recommended by OpenSSL and patched the "Heartbleed" flaw but the methods are not ready for broad deployment according to a report from ZDNet.

Open source firms Red Hat, Debian, SuSE, Canonical, and Oracle are reportedly working hard to patch the OpenSSL vulnerability in their operating systems and are expected to release the patches in 12 hours. Administrators are advised to deploy these patches for operating systems and network equipment as soon as they are made available by manufacturers and software developers.

So.. i opened up my Vertcoin wallet and i see it is vulnerable using 1.0.1'c'
Miners are also often vulnerable many use OpenSSL.
I know i have had to download and install it many times working on miner mods.

So lets see what coins are real and which are fake currency pyramid scheme clones that will not get fixed.
Only real devs will address a security concern ..if they know how lol

Thanks for passing on the info in a straight-to-the-point manner. Much appreciated.






██████████████████████████████████████████████████████████████████████████████████████████████
██████████████████████████████████████████████████████████████████████████████████████
███████████████████████████████████████████████████████████████████████▄▄▄███████████████████████
███████████████████████████████████████████████████████████████████████▀▀▀████████████████████████
██████████████████████████████████████████████████████████████████████████████████████████████████
█████████████████████████████████████████████████████████████████████████████████████████████████





...INTRODUCING WAVES........
...ULTIMATE ASSET/CUSTOM TOKEN BLOCKCHAIN PLATFORM...






Cryddit
Legendary
*
Offline Offline

Activity: 924
Merit: 1132


View Profile
April 08, 2014, 06:11:32 PM
 #12

http://www.bbc.com/news/technology-26935905

News story. 

I knew shit was getting out that openSSL ought to have protected - it's one of the reasons I ranted about the CA certs in the new bitcoind.

But it looks like the vulnerability was actually below the level of CAs.

AfrikaMan
Member
**
Offline Offline

Activity: 63
Merit: 10


View Profile
April 08, 2014, 07:26:14 PM
 #13

Quark

https://bitcointalk.org/index.php?topic=562008.0
brokedummy
Legendary
*
Offline Offline

Activity: 980
Merit: 1004


View Profile
April 08, 2014, 08:28:53 PM
 #14

As predicted CGA dev has released a new wallet that fixes the heartbleed flaw. As you can see the CGA team is actively working to secure the coin. Please whitelist CGA in regards to your future shitcoin cleaning initiatives.
Cryddit
Legendary
*
Offline Offline

Activity: 924
Merit: 1132


View Profile
April 08, 2014, 09:00:14 PM
 #15

But it looks like the vulnerability was actually below the level of CAs.


It appears I wasn't cynical enough.

Correction:  it looks like A vulnerability was below the level of the CAs.
Spoetnik (OP)
Legendary
*
Offline Offline

Activity: 1540
Merit: 1011


FUD Philanthropist™


View Profile
April 08, 2014, 11:38:11 PM
 #16

interesting replies.. i didn't look into it figured people smarter than me on that stuff would ..i hoped anyway lol

nice to see the header news message on the top of the forum though and a fast response from the community already.
we need to do what we can to keep confidence in crypto's we've already had enough bad news last couple months Sad

FUD first & ask questions later™
greentea
Legendary
*
Offline Offline

Activity: 1418
Merit: 1002



View Profile
April 08, 2014, 11:52:21 PM
 #17


Nice, Quark dev already patched the issue ...

NEM   NanoWallet   SuperNodes   Apostille   Landstead   Catapult   Mijin
▃▃▃▅▅▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▅▅▅▃▃▃
Nxtblg
Legendary
*
Offline Offline

Activity: 924
Merit: 1000



View Profile WWW
April 08, 2014, 11:55:11 PM
 #18

interesting replies.. i didn't look into it figured people smarter than me on that stuff would ..i hoped anyway lol

nice to see the header news message on the top of the forum though and a fast response from the community already.
we need to do what we can to keep confidence in crypto's we've already had enough bad news last couple months Sad

Yep, it's the dark days.

But it could be worse. You could be down 80+% on your BTC stake...in other words, it could be December 2011.   Wink Grin 






██████████████████████████████████████████████████████████████████████████████████████████████
██████████████████████████████████████████████████████████████████████████████████████
███████████████████████████████████████████████████████████████████████▄▄▄███████████████████████
███████████████████████████████████████████████████████████████████████▀▀▀████████████████████████
██████████████████████████████████████████████████████████████████████████████████████████████████
█████████████████████████████████████████████████████████████████████████████████████████████████





...INTRODUCING WAVES........
...ULTIMATE ASSET/CUSTOM TOKEN BLOCKCHAIN PLATFORM...






pr9me
Sr. Member
****
Offline Offline

Activity: 369
Merit: 250


Cryptsy.com • Got Shitcoins?


View Profile
April 09, 2014, 12:48:08 AM
 #19

shit.

In what way would a bitcoind be vulnerable? Does it use ssl vor transport security?


As far as Bitcoin goes, this vulnerability has already been patched: https://bitcoin.org/en/release/v0.9.1

Spoet, I am curious too as to which alt coins affected will be fixed and how fast that fix happens. Wink
Cryddit
Legendary
*
Offline Offline

Activity: 924
Merit: 1132


View Profile
April 09, 2014, 02:51:33 AM
 #20

FWIW, the capabilities of bitcoind which definitely are exposed to this bug are as follows: 


If you have used RPC over the network to talk to bitcoind, your SSL keys have been exposed to a possible attacker who was exploiting this bug at the time.

If you have used the new "Payment protocol" capabilities of the most recent client over the network, your SSL keys have been exposed to a potential attacker exploiting this bug.

As far as I know, those are the only vulnerabilities in the bitcoind versions published prior to today. 

Anyway - it is worthwhile to change all your keys and passwords every so often anyway; this is a kick in the shorts to do it, but we should be doing it occasionally anyway.

Pages: [1] 2 »  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!