Unfortunately our load balancer is vulnerable, too. =(
Frank
-----Original Message-----
From: Chris Ferebee [mailtoHIDDEN@ebee.net]
Sent: Tuesday, April 08, 2014 2:29 PM
To: surgemailHIDDEN@etwinsite.com
Subject: Re: [SurgeMail List] CVE-2014-0160 a. k. a. Heartbleed
It's a doozy all right. There's a nice overview at
<https://maclemon.at/blog/2014/04/07/openssl-heartbeat-cve-2014-0160/>
with links to some sample exploits as python scripts. You can run them (non-destructively) against your SurgeMail server to see what they turn up. I saw a bunch of sensitive information when I tried it earlier today. It is perfectly possible that this can be exploited to divulge your SSL private keys. We will all need to revoke our certificates and order new ones once we're patched. It might be appropriate to issue new mail passwords.
If you can install your certs on your load-balancer and proxy the SSL traffic, yes, that seems like it would help, as long as your load-balancer is not vulnerable.
Best,
Chris
On 08.04.2014 at 21:00, Frank Bulk HIDDEN@mypremieronline.com> wrote:
> When I reviewed the issue last night I wasn't overly concerned, thinking this was more of a MiTM attack, but after reviewing http://heartbleed.com/ more carefully, it seems like they could potentially walk through memory in 64 kilobyte chunks and retrieve other content.
>
> Can we get some new binaries yet today?
>
> Is the temporary mitigation to use SSL from the load-balancer in front of our two SurgeMail servers?
>
> Regards,
>
> Frank
>
> -----Original Message-----
> From: Chris Ferebee [mailtoHIDDEN@ebee.net]
> Sent: Tuesday, April 08, 2014 6:46 AM
> To: surgemailHIDDEN@etwinsite.com
> Subject: [SurgeMail List] CVE-2014-0160 a. k. a. Heartbleed
>
> ChrisP, Marijn,
>
> When you have a moment, could you please let us know what the status of SurgeMail is WRT the CVE-2014-0160 a. k. a. Heartbleed SSL exploit?
>
> I have a server running SurgeMail 6.6a on a version of SmartOS (Solaris x64) with OpenSSL 1.0.1e installed, and it is vulnerable as per
>
> <http://filippo.io/Heartbleed/>
>
> and other example exploits. A different server running SurgeMail 6.6a on OS X 10.6.8 (which includes OpenSSL 0.9.8y) is not vulnerable.
>
> However, as far as I can tell, SurgeMail does not dynamically link OpenSSL from the host platform in either case and therefore presumably comes with its own, statically linked version.
>
> Therefore, it appears that we urgently need a fixed version of SurgeMail, e. g. 6.6a, in my case for Solaris x64, presumably also for some of the other platforms. Do you have an ETA for that yet?
>
> Best,
> Chris
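As an added example (not code from any message in this thread): the length check behind Frank's "64 kilobyte chunks" remark, written as a defender-side parser that takes one TLS record carrying a Heartbeat message (RFC 6520) and flags it when the peer-declared payload length does not fit inside the record. This is the check OpenSSL 1.0.1 through 1.0.1f lacked (CVE-2014-0160) and is the shape of an IDS rule for it; the sample records and all function names are constructed here.

```python
import struct

CONTENT_HEARTBEAT = 24          # TLS ContentType for Heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2  # HeartbeatMessageType values
MIN_PADDING = 16                # RFC 6520: at least 16 bytes of padding


def check_heartbeat_record(record: bytes) -> dict:
    """Parse one TLS record and report whether its Heartbeat message is
    internally consistent. A 16-bit payload_length field lets a peer claim
    up to 65535 bytes; a server that trusts it copies that many bytes of
    its own memory into the response."""
    if len(record) < 5:
        return {"ok": False, "reason": "truncated record header"}
    content_type, _version, record_len = struct.unpack("!BHH", record[:5])
    if content_type != CONTENT_HEARTBEAT:
        return {"ok": False, "reason": "not a heartbeat record"}
    body = record[5:5 + record_len]
    if len(body) != record_len:
        return {"ok": False, "reason": "record length exceeds bytes present"}
    if len(body) < 3:
        return {"ok": False, "reason": "heartbeat body too short"}
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return {"ok": False, "reason": "unknown heartbeat type"}
    # The bounds check added in OpenSSL 1.0.1g: type (1) + length (2) +
    # declared payload + minimum padding must fit in the record.
    if 1 + 2 + payload_len + MIN_PADDING > record_len:
        return {"ok": False, "payload_len": payload_len,
                "reason": "declared payload does not fit in record"}
    return {"ok": True, "payload_len": payload_len, "reason": "consistent"}


def sample_heartbeat(payload: bytes, declared_len=None, padding=16) -> bytes:
    """Constructed test input: a TLS 1.2 heartbeat request record. Passing
    declared_len produces an inconsistent message for exercising the check."""
    if declared_len is None:
        declared_len = len(payload)
    body = struct.pack("!BH", HB_REQUEST, declared_len) + payload + b"\x00" * padding
    return struct.pack("!BHH", CONTENT_HEARTBEAT, 0x0303, len(body)) + body


if __name__ == "__main__":
    print(check_heartbeat_record(sample_heartbeat(b"ping")))
    print(check_heartbeat_record(sample_heartbeat(b"ping", declared_len=0x4000)))
```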