openSSL heartbleed vulnerability - test with eapol_test?

sven falempin sven.falempin
Tue Apr 8 13:40:07 PDT 2014


On Tue, Apr 8, 2014 at 4:23 PM, Jouni Malinen <j at w1.fi> wrote:

> On Tue, Apr 08, 2014 at 05:51:08PM +0300, Jouni Malinen wrote:
> > A quick update on this.. I do have such a tool now, but I'm not planning
> > on making it public today or for couple of days to give some more time
> > for server side updates should any EAP server be vulnerable (it is way
> > too easy to convert that tool to an attack tool over wireless..).
> >
> > Anyway, it looks like misuse of OpenSSL APIs prevents most attack
> > options for this case, so this may be somewhat less critical for EAP
> > servers compared to other uses of TLS. I tested with couple RADIUS
> > authentication servers and could not trigger the issue due to reasons
> > that I confirmed to be because of incorrect OpenSSL API use..  (For
> > completeness, I did fix one such case to verify that the test tool works
> > and to confirm that this was indeed "safer" due to incorrect API use.).
>
> OK, that was a bit too optimistic. I found couple of cases where this
> vulnerability can be triggered over EAP, so no public availability for
> the test tool for now. Feel free to contact me privately if you have a
> justifiable use for such a test tool. I'll probably push it to
> eapol_test later once there has been some more time to get
> authentication servers updated.
>
> --
> Jouni Malinen                                            PGP id EFC895FA
> _______________________________________________
> HostAP mailing list
> HostAP at lists.shmoo.com
> http://lists.shmoo.com/mailman/listinfo/hostap
>


Almost everything as to be patch , it is a mess.
I used a hostapd with a static openssl , hopeully radius is elsewhere
if i am thorough i should regenerate all certificate of clients because
this machine hosted
an https website

:'(

-- 
---------------------------------------------------------------------------------------------------------------------
() ascii ribbon campaign - against html e-mail
/\
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.shmoo.com/pipermail/hostap/attachments/20140408/7d6a5285/attachment.htm>



More information about the Hostap mailing list