On Tue, Apr 15, 2014 at 1:53 PM, Gabriel Brezi <g...@hydrau.lc> wrote: > I'm advising a client on auditing his systems for vulnerable OpenSSL > libs which may be included by 3rd-parties. Does anyone know of some > relatively simple tools that I can leverage to figure out what > applications were bundled with out of date libs? Most of the focus will > be Linux and OSX systems. >
If they were bundled with out of date libs then they were most likely on 0.9.8(probably e) and not vulnerable. I'm just saying. It's folks who were more current that were more likely to be vulnerable to this particular issue. I can't say much about OSX but what I've seen in checking is that many apps are simply using whatever OpenSSL is on the OS. In thinking about auditiing for this, don't forget infrastructure (firewalls, VPNs - specifically SSL based ones, things such as IP based security cameras that are managed over SSL (hooray, embedded devices devices firmware upgrades - wonder how long it will take for vendor upgrades to be available). Also don't forget 3rd party managed services (think both the implementation AND the customer portal). Seeing as this sort of auditing requires thinking about...well... everything, it's a good time to be collecting/validating/updating info on what all you have in your environment. > > > I'll cover as much as I can by automating ldd, nm, JAR unpackers and > UPX. I'll have to contact developers directly if I find evidence of > obfuscation tools. Can someone add to this list of concerns or weigh in > on any existing tools that can automate part of this process? > > > > I don't know OSX so well so extra advice for this platform is helpful. > > _______________________________________________ > Sent through the Full Disclosure mailing list > http://nmap.org/mailman/listinfo/fulldisclosure > Web Archives & RSS: http://seclists.org/fulldisclosure/ _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
