Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Auditing systems for vulnerable 3rd-party OpenSSL

From: Dotzero <dotzero () gmail com>
Date: Tue, 15 Apr 2014 14:33:57 -0400
On Tue, Apr 15, 2014 at 1:53 PM, Gabriel Brezi <gb () hydrau lc> wrote:

I'm advising a client on auditing his systems for vulnerable OpenSSL
libs which may be included by 3rd-parties. Does anyone know of some
relatively simple tools that I can leverage to figure out what
applications were bundled with out of date libs? Most of the focus will
be Linux and OSX systems.



If they were bundled with out of date libs then they were most likely
on 0.9.8(probably e) and not vulnerable. I'm just saying. It's folks
who were more current that were more likely to be vulnerable to this
particular issue. I can't say much about OSX but what I've seen in
checking is that many apps are simply using whatever OpenSSL is on the
OS.

In thinking about auditiing for this, don't forget infrastructure
(firewalls, VPNs - specifically SSL based ones, things such as IP
based security cameras that are managed over SSL (hooray, embedded
devices devices firmware upgrades - wonder how long it will take for
vendor upgrades to be available). Also don't forget 3rd party managed
services (think both the implementation AND the customer portal).
Seeing as this sort of auditing requires thinking about...well...
everything, it's a good time to be collecting/validating/updating info
on what all you have in your environment.



I'll cover as much as I can by automating ldd, nm, JAR unpackers and
UPX. I'll have to contact developers directly if I find evidence of
obfuscation tools. Can someone add to this list of concerns or weigh in
on any existing tools that can automate part of this process?



I don't know OSX so well so extra advice for this platform is helpful.

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: