Hackers have claimed that a new vulnerability exists in the patched version of OpenSSL. They claim to have discovered a flaw in the handling of the "DOPENSSL_NO_HEARTBEATS" variable. Security researchers have said they doubt that the claim is true.
In a note on Pastebin, a group of five hackers wrote that they spent two weeks finding this vulnerability and writing exploit code for it. The new hole in OpenSSL could affect systems in the same way as the HeartBleed hole. The open-source OpenSSL library is used by millions of websites to secure communication between server and client computers.
In early April, a hole in OpenSSL named HeartBleed was disclosed that could be exploited to expose login credentials or steal a server's SSL private key. About two thirds of the websites affected by this flaw have patched the OpenSSL library.
The hackers said they had found a buffer overflow vulnerability that is similar to HeartBleed. They claim to have discovered a flaw in the handling of the "DOPENSSL_NO_HEARTBEATS" variable. The hackers have not published their exploit code so far, so there is no way to verify their claim. The group gave an email address for answering questions, but messages sent to it have not been answered.
Source: softpedia
Hackers Claim to Have Found New OpenSSL Flaw Similar to Heartbleed
A group of hackers claims to have identified a new vulnerability in the latest version of OpenSSL. They say they’ve found a security hole that’s similar to the now infamous Heartbleed bug in OpenSSL 1.0.1g, but experts are questioning their claims.
“We have just found a vulnerability in the patched version OpenSSL. A missing bounds check in the handling of the variable DOPENSSL_NO_HEARTBEATS. We could successfully Overflow the DOPENSSL_NO_HEARTBEATS and retrieve 64kb chunks of data again on the updated version,” the hackers wrote on Pastebin.
They haven’t made the exploit, which is allegedly written in Python, public. The hackers are confident that they can leverage the vulnerability for their own gain for a long time before it gets patched.
On the other hand, they’re also willing to sell it for 2.5 Bitcoins ($1,069 / €780) or 100 Litecoins ($973 / €725).
Not much is known about the group that’s advertising the exploit. Their contact email address is BitWasp@safemail.net.
“We are a team of five people, and we have coded nonstop for 14 days to see if we could find a workaround, and we did it! We have no reason to make it public when the vendors will go for an update again,” they noted.
The only proof they’ve made available is a screenshot which shows what appears to be a response from a server. However, that doesn’t prove much and security experts are skeptical about the hackers’ claims.
“They say: ‘A missing bounds check in the handling of the variable DOPENSSL_NO_HEARTBEATS’. That's not a variable, the ‘D’ is not actually part of the name, and it's a compile-time macro that configures whether heartbeats will be compiled in or not,” noted security expert and programmer Jann Horn on the Full Disclosure mailing list.
“And because it's a compile-time thing, it's nothing that an attacker could ever influence,” Horn added.
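Horn's point about compile-time macros, shown as an added example that is not code from the article or from OpenSSL: a hypothetical record dispatcher whose heartbeat handler exists only when `OPENSSL_NO_HEARTBEATS` is not defined at build time. The function names, return codes, simplified message layout and the constructed sample record are assumptions made for illustration.

```c
/* Build both ways and compare: cc demo.c   vs   cc -DOPENSSL_NO_HEARTBEATS demo.c
 * -D is the compiler's define-macro option; the macro is OPENSSL_NO_HEARTBEATS. */
#include <stddef.h>
#include <stdio.h>

enum { CT_ALERT = 21, CT_HANDSHAKE = 22, CT_APPDATA = 23, CT_HEARTBEAT = 24 };
enum { REC_HANDLED = 0, REC_UNEXPECTED = -1, REC_MALFORMED = -2 };

#ifndef OPENSSL_NO_HEARTBEATS
/* Compiled only when the macro is absent. type(1) | length(2) | payload | pad(16+) */
static int handle_heartbeat(const unsigned char *rec, size_t rec_len)
{
    if (rec_len < 1 + 2 + 16)
        return REC_MALFORMED;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + payload + 16 > rec_len)   /* claimed length must fit the record */
        return REC_MALFORMED;
    return REC_HANDLED;
}
#endif

/* Fixed by the preprocessor at build time; no run-time input can change it. */
int heartbeats_compiled_in(void)
{
#ifndef OPENSSL_NO_HEARTBEATS
    return 1;
#else
    return 0;
#endif
}

int dispatch_record(int content_type, const unsigned char *rec, size_t rec_len)
{
    switch (content_type) {
#ifndef OPENSSL_NO_HEARTBEATS
    case CT_HEARTBEAT:
        return handle_heartbeat(rec, rec_len);
#endif
    case CT_ALERT: case CT_HANDSHAKE: case CT_APPDATA:
        return REC_HANDLED;
    default:
        return REC_UNEXPECTED;   /* with the macro defined, type 24 ends up here */
    }
}
int main(void)
{
    unsigned char hb[23] = {1, 0, 4, 'p', 'i', 'n', 'g'};   /* constructed sample */
    printf("compiled in: %d, heartbeat -> %d\n", heartbeats_compiled_in(),
           dispatch_record(CT_HEARTBEAT, hb, sizeof hb));
    return 0;
}
```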
Some believe that this is simply a money-making scam. The BitWasp@safemail.net address was used in the past by a group that offered to sell user information and source code from Mt. Gox and CryptoAve.
In addition to posting their claims on Pastebin, the hackers are also advertising the exploit on a couple of Chinese forums. Chinese experts also appear to be skeptical. Similar to Horn, some of them highlight the fact that the DOPENSSL_NO_HEARTBEATS variable doesn’t exist.
The Heartbleed bug, which is said to have impacted a large number of websites, has been patched by most companies. To make sure we don’t see another similar vulnerability any time soon, some of the world’s largest tech companies have announced their support for a Linux Foundation project called the Core Infrastructure Initiative.