On Tuesday, April 8, 2014, the US-CERT issued CVE-2014-0160 (http://www.us-cert.gov/ncas/alerts/TA14-098A) detailing a very nasty OpenSSL defect that entails a memory leak/bleed via OpenSSL’s heartbeat extension. Dubbed ‘Heartbleed’ because of the nature of the defect, this defect allows extraction of running server memory in 64k chunks and generates no signs of attack when used.
The defect first manifested in OpenSSL version 1.0.1 … and was fixed in OpenSSL version 1.0.1g. Thus, the affected versions are:
- 1.0.1
- 1.0.1a
- 1.0.1b
- 1.0.1c
- 1.0.1d
- 1.0.1e
- 1.0.1f
Online tools exist to test sites for this defect, and trainhornforums.com is vulnerable – meaning the username/password pairs for all users of this site are potentially at risk, as is the site itself.
Here are two such tools:
- https://www.ssllabs.com/ssltest/analyze.html?d=trainhornforums.com
- http://filippo.io/Heartbleed/#trainhornforums.com
The site will need to be upgraded ASAP in order to protect the site and user base. This may need to be a forum software update … or an OpenSSL update on the underlying system – it depends on the implementation. (I’m not an application guy; I live/work in the security space, so I can’t be more granular/specific.)
I’m not trying to be alarmist – I’m just trying to make sure this is addressed rapidly, as this is a nasty, nasty bug. I quietly sent a message to the site administrator yesterday, but received no reply.
Silence in security situations is generally bad, so now I’m posting publicly … so that every user of this site who takes time to read this post is aware that each day that passes without an update to this site … puts his/her credentials at risk. This is important because many users utilize the same username/password pairs across multiple sites, meaning a single vulnerable site can lead to a major problem for the typical end user if it is compromised.
I’d like to know the ETA for the fix here on trainhornforums.com.
Please advise.
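As an added illustration that is not part of the post above: the heartbeat message layout from RFC 6520 and the bounds check that OpenSSL 1.0.1g introduced, written from the defender's side as a record validator. It goes beyond the post in showing why each leaked chunk is capped at 64k (the payload length is a 16-bit field). Assumes Python 3; the sample records are constructed here, not captured traffic.

```python
import struct

HEARTBEAT_CONTENT_TYPE = 24   # TLS record content type for heartbeat (RFC 6520)
HEARTBEAT_TYPES = {1: "request", 2: "response"}
MIN_PADDING = 16              # RFC 6520: at least 16 bytes of padding follow the payload

def check_heartbeat_record(record: bytes):
    """Validate one TLS record carrying a heartbeat message.
    Returns (True, parsed) or (False, reason)."""
    if len(record) < 5:
        return False, "truncated TLS record header"
    content_type, _version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != HEARTBEAT_CONTENT_TYPE:
        return False, f"not a heartbeat record (content type {content_type})"
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        return False, "record body shorter than record-layer length"
    if rec_len < 3:
        return False, "heartbeat message too short"
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    if hb_type not in HEARTBEAT_TYPES:
        return False, f"unknown heartbeat type {hb_type}"
    # The check that 1.0.1 through 1.0.1f lacked and 1.0.1g added:
    # type (1) + length (2) + payload + padding (>= 16) must fit inside the
    # record actually received. payload_len is 16 bits wide, so a single
    # message can never claim more than 65535 bytes, hence the "64k chunks".
    if 1 + 2 + payload_len + MIN_PADDING > rec_len:
        return False, (f"declared payload_length {payload_len} exceeds "
                       f"record length {rec_len}")
    return True, {"type": HEARTBEAT_TYPES[hb_type],
                  "payload": body[3:3 + payload_len]}

# Constructed sample records. Both carry the same 4-byte payload b"ping" and
# 16 bytes of zero padding; only the payload_length field differs.
_BODY_OK = struct.pack("!BH", 1, 4) + b"ping" + b"\x00" * 16
GOOD_RECORD = struct.pack("!BHH", 24, 0x0302, len(_BODY_OK)) + _BODY_OK
# Same 23-byte body, but the length field claims 0x4000 bytes that are not
# present. A patched server drops this; an unpatched one echoes back memory
# that lies beyond the end of the received message.
_BODY_BAD = struct.pack("!BH", 1, 0x4000) + b"ping" + b"\x00" * 16
BAD_RECORD = struct.pack("!BHH", 24, 0x0302, len(_BODY_BAD)) + _BODY_BAD

if __name__ == "__main__":
    for name, rec in (("good", GOOD_RECORD), ("bad", BAD_RECORD)):
        print(name, check_heartbeat_record(rec))
```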