Date: Tue, 8 Apr 2014 22:28:24 +0200 From: Yves-Alexis Perez <corsac@...ian.org> To: oss-security@...ts.openwall.com Cc: Jussi Eronen <juhani.eronen@...ora.fi> Subject: Re: OpenSSL 1.0.1 TLS/DTLS hearbeat information disclosure CVE-2014-0160 On Tue, Apr 08, 2014 at 02:03:46PM -0600, Kurt Seifried wrote: > So to respond/clear up some points: > > It appears Codenomicon and Google found the vulnerability > independently. Google reported it to OpenSSL. Codenomicon reported it > to NCSC-FI, I'm not sure who (Codenomicon or NCSC-FI) drove the > notification of CloudFlare/etc. and they also reported it to OpenSSL > (I don't know if that was before or after notifying OpenSSL). Well, as I put in my tentative timeline, and according to Jussi Eronen (from NCSC-FI, afaict) mail in that thread, NCSC-FI only reported to OpenSSL “a couple of hours before the advisory”, so my understand is that NCSC-FI was not aware of the vulnerability last week. Maybe Codenomicon was, though. Jussi, could you confirm that? > > 1) Mark J. Cox did not give Red Hat any advanced warning, he strongly > separates what he does with OpenSSL with what he does with Red Hat > (this is quite common at Red Hat, for example we have a guy on the > Debian security team, the Samba group, etc.). I for example sometimes > issue private CVE's in advance, but they don't get bugs filed/etc > until they hit a "public" source like distros@ or oss-security@. > > 2) Mark informed Red Hat and as you can see from the public time line > Huzaifa entered a bug into BZ and then notified distros@ about 14 > minutes later, basically at the same time. Red Hat SRT is globally > situated so anyone from distros@ emailing us for details would have > gotten a very prompt response. Ok the “Mark notifies^Winforms Red Hat” line and the “Huzaifa Sidhpurwala opens a bug” could actually be merged, they were more or less at the same time. > > 3) At this point the plan was to embargo this until April 9th (I > forget what time), giving everyone 2+ days to deal with it. So OpenSSL > in conjunction with Red Hat attempted to do a coordinated response > with the community. I'm also unsure why that could not have been done earlier, when OpenSSL was first notified (by Google, supposedly). > > 4) Things blew up. My understanding is that OpenSSL made this public > due to additional reports, I suspect it boiled down to "Group A found > this flaw, reported it, and has a reproducer, and now Group B found > the same thing independently and also has a reproducer. chances are > the bad guys do as well so better to let everyone know the barn door > is open now rather than wait 2 more days" but there may be other > factors I'm not aware. Yeah, maybe the report by NCSC-FI to OpenSSL scared them. I don't know who to contact at OpenSSL and I'm not sure if they read the list. > > 5) Monday morning: everyone is scrambling to get patches out and > update systems. Actually, all times are UTC. I don't know about others, but Debian security team is mostly in western Europe, so it was monday evening/night. > > 6) At least one vendor (CloudFlare) posts a blog entry stating they > were notified a week ago by Codenomicon/NCSC-FI , and claiming that it > was via "responsible disclosure". Other major vendors were not > informed (e.g. Amazon: > http://aws.amazon.com/security/security-bulletins/heartbleed-bug-concern/). I don't think they said they were notified by Codenomicon/NCSC-FI (and that doesn't fit the timeline). > > > 7) At least one vendor (Google) found this independently and, as I > understand it, patched their own systems (which is completely > understandable). Indeed. > > > I don't want to point finger, but I sincerely hope the next time > > something like that happens, coordination will be done early in > > the processus, and relevant vendors will have a chance to prepare > > themselves > > As you can see above, it was attempted, but Murphy's law took over. Sure, thank you for starting that coordination as soon as you were made aware of the vulnerability (and sorry we weren't there monday morning UTC to help you on that). I was more ranting about what happened and did not happened “last week”. Regards, -- Yves-Alexis Perez Download attachment "signature.asc" of type "application/pgp-signature" (491 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.