Also remember to actually try the exploit, even if you think your 0.9.8 installation isn't vulnerable. We found several devices which were running a safe version in the audit paperwork, but actually running a vulnerable version in practice.
-Paul On Wed, Apr 16, 2014 at 6:03 PM, Ron Bowes <r...@skullsecurity.net> wrote: > Are there actually any real-world attack scenarios for BEAST, CRIME, or > Lucky-thirteen? > > Heartbleed has been used in actual legitimate attacks, but those earlier > attacks all seem pretty tame in comparison. Worth fixing, of course, but > they don't seem *as* critical to me. > > Ron > > > On Wed, Apr 16, 2014 at 3:10 AM, Shawn <cit...@gmail.com> wrote: > >> After an exciting and crazy week. People are getting calm and plan or >> already start to doing audit on their system. But there are something >> you might miss. The older version of OpenSSL( like 0.9.8) might not >> affected by heartbleed issue but it doesn't mean you are secure. Don't >> forget the old OpenSSL are still vulnerable to BEAST( 2011), CRIME( >> 2012), Lucky-thirteen( 2013)[1]. I do believe Lucky-thirteen is far >> more dangerous than heartbleed, we just don't know. Once you start the >> audit, plz upgrade the OpenSSL to the latest version. If you are using >> 0.9.8, plz upgrade to 0.9.8y, which is not vulnerable to Lucky-13 >> issue. >> >> Fix heartbleed issue for website is much easier than the networking >> devices( Firewall, UTM, SSL/IPSEC VPN, etc) and the 3rd-party >> software. This definitely gonna impacting for long term. >> >> >> [1] http://www.isg.rhul.ac.uk/tls/ >> >> -- >> GNU powered it... >> GPL protect it... >> God blessing it... >> >> regards >> Shawn >> >> _______________________________________________ >> Sent through the Full Disclosure mailing list >> http://nmap.org/mailman/listinfo/fulldisclosure >> Web Archives & RSS: http://seclists.org/fulldisclosure/ >> > > _______________________________________________ > Sent through the Full Disclosure mailing list > http://nmap.org/mailman/listinfo/fulldisclosure > Web Archives & RSS: http://seclists.org/fulldisclosure/ _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
