Millions of Devices Are Vulnerable to a Critical OpenSSL Bug

preview_player
Показать описание
In this video I discuss the forthcoming OpenSSL 3.0.7 release which is supposed to include patches for a critical security vulnerability, the worst one in the OpenSSL library since Heartbleed. I also discuss some ways you could mitigate the vulnerability in the meantime.

₿💰💵💲Help Support the Channel by Donating Crypto💲💵💰₿

Monero
45F2bNHVcRzXVBsvZ5giyvKGAgm6LFhMsjUUVPTEtdgJJ5SNyxzSNUmFSBR5qCCWLpjiUjYMkmZoX9b3cChNjvxR7kvh436

Bitcoin
3MMKHXPQrGHEsmdHaAGD59FWhKFGeUsAxV

Ethereum
0xeA4DA3F9BAb091Eb86921CA6E41712438f4E5079

Litecoin
MBfrxLJMuw26hbVi2MjCVDFkkExz8rYvUF

Dash
Xh9PXPEy5RoLJgFDGYCDjrbXdjshMaYerz

Zcash
t1aWtU5SBpxuUWBSwDKy4gTkT2T1ZwtFvrr

Chainlink
0x0f7f21D267d2C9dbae17fd8c20012eFEA3678F14

Bitcoin Cash
qz2st00dtu9e79zrq5wshsgaxsjw299n7c69th8ryp

Etherum Classic
0xeA641e59913960f578ad39A6B4d02051A5556BfC

USD Coin
0x0B045f743A693b225630862a3464B52fefE79FdB

and be sure to click that notification bell so you know when new videos are released.
  1. Mental Outlaw
  2. Mental Outlaw
  3. mental
  4. outlaw
  5. cybersecurity
  6. heartbleed
Рекомендации по теме
Millions of Devices 0:12:05

Millions of Devices Are Vulnerable to a Critical OpenSSL Bug

MILLIONS of devices 0:09:34

MILLIONS of devices are VULNERABLE!

Log4j Vulnerability Could 0:09:34

Log4j Vulnerability Could Give Hackers Control Over Millions of Devices

Millions of Devices 0:15:15

Millions of Devices at Risk: Hackers Target Vulnerable Modems

Millions of Dell 0:02:51

Millions of Dell Devices at Risk Due to Driver Vulnerability

Achilles Makes Millions 0:06:09

Achilles Makes Millions of Android Phones Vulnerable

Millions of Smart 0:10:41

Millions of Smart Phones Are Vulnerable to Remote Attacks

Vulnerable IoT Devices 0:08:26

Vulnerable IoT Devices Put Millions at Risk| AT&T ThreatTraq

Subtitle Hack: 200 0:00:20

Subtitle Hack: 200 Million Devices Are Vulnerable

Millions of Routers 0:02:13

Millions of Routers Vulnerable and You Won't Even Know

This Vulnerability Affects 0:04:09

This Vulnerability Affects 14 Million Devices...

Hacking the Supply 0:40:11

Hacking the Supply Chain – The Ripple20 Vulnerabilities Haunt Tens of Millions of Critical Devices

Uncovering “BadAlloc” Memory 0:31:58

Uncovering “BadAlloc” Memory Vulnerabilities in Millions of IoT Devices

Research Millions of 0:03:01

Research Millions of smart devices vulnerable to hacking

Cybersecurity Expert Demonstrates 0:03:27

Cybersecurity Expert Demonstrates How Hackers Easily Gain Access To Sensitive Information

Watch these hackers 0:05:42

Watch these hackers crack an ATM in seconds

Critical Firmware Vulnerability 0:01:00

Critical Firmware Vulnerability in Gigabyte Systems Exposes Millions of Devices

Google Pixel Devices 0:00:56

Google Pixel Devices Shipped with Vulnerable App, Leaving Millions at Risk

Log4j Vulnerability Could 0:00:37

Log4j Vulnerability Could Give Hackers Control Over Millions of Devices #Shorts

Lenovo UEFI Firmware 0:01:25

Lenovo UEFI Firmware Vulnerabilities Affect Millions of Laptops🤯

New security vulnerability 0:02:44

New security vulnerability puts 900 million Android devices at risk, researchers warn

NetUSB Vulnerability Leads 0:05:44

NetUSB Vulnerability Leads to RCE in Millions of Routers

Twitter vulnerability exposes 0:00:28

Twitter vulnerability exposes 17 million users’ phone numbers

IoT Security Vulnerabilities: 0:11:15

IoT Security Vulnerabilities: Quick fixes and realistic discussion about smart home security

Комментарии
Автор

And a year from now, there will still be critical infrastructure running old versions that has this bug.

midimusicforever
Автор

This is the magic of open source:
something is bad, fix it yourself

msddvisage
Автор

Heartbleed was a buffer overread, not an overflow, overflows usually enable RCE/writing to memory.

itsmeowdev
Автор

Heart bleed explanation was well done. As a SWE with knowledge of most CVE, I still learned something from the video!

isaiahsmith
Автор

I was working for a router company when Heartbleed came out. The amount of phone calls from customers were through the roof at that point. We had to get a new firmware version asap from the company, or they would've lost tons of business.

HoshiFanatic
Автор

Thank you for raising awareness about this vulnerability! This is just another vulnerability that I would have completely missed if it wasn't for this channel.

Silentstrike_
Автор

You know it's a big deal when the Fedora team actually delayed the release of F37 just to wait for this patch.

ricky
Автор

This reminds me of a warning that one of my programming instructors gave me about C++ arrays.
If you declare an array of a specific size, you must make sure there are no instructions in the program that allow you to override or request data beyond that size.
Should you do so, you create a huge vulnerability from the overflow. I'm guessing it's something like that? I'm not an expert on servers.

dreamhollow
Автор

I would not agree with your recommendation to downgrade to OpenSSL 1.1.1q. Even if that fixes the high-class vulnerability--this should obviously make you vulnerable to an array of several more low and middle-class vulnerabilities. Switch to LibreSSL if possible or patch the vulnerability.

fosres
Автор

Is OpenSSL maintained by the NSA or the CIA? 🤔

disband_thebbc
Автор

I truly think we should start defining those people that "are so good at breaking down complex topics into a short and understandable concept to anyone" as "an xkcd"
Seriously Randall's so good at this

washinours
Автор

FIPS validation is for specific versions of the cryptographic module. For OpenSSL, that version is 3.0.0. The database of FIPS validated modules is publicly accessible if you want to check. The validation does not apply to all of 3.X or even 3.0.X. So, if a government organization or gov contractor were to patch for this vulnerability, they would be out of compliance with the stated regulations because the patched version is not FIPS validation. And, of course, there are only a few labs in the US that can perform the FIPS validation, and the waitlist is very long. So, as usual, the government shoots itself in the foot with stupid regulations.

pupfriend
Автор

I'm starting to see why Rust is getting popular these days. So many vulnerabilities from memory safety.

TheJjjet
Автор

Security vul are actually really hard to pull off. Md5 took about 300 PlayStations to pull off with a very specific and coordinated attack, and it’s only ever been done in a lab situation. Sha1 was broken with a chosen prefix attack, which is EXTREMELY difficult to pull off.

hsharma
Автор

Excuse me?
As a fullstack web developer hearing that OpenSSL doesn't peoperly verify the length of the message is just... How did that even get to production? That's one of the simplest things you need to check while doing any communication with untrusted computers. First thing you do in such cases is limit message length and limit acceptable characters/bytes - depending if you're working with raw data or just text.

shapelessed
Автор

I have systems that are 140-2 (FIPS) and need 3.x. Thanks for heads up. I may give notice of system down and keep them offline tell update

drrenard
Автор

I thought this new CVE is only effects x.509 certs (digital signatures) which should only be used for email? I have updated that certs on exchange implementations with no downtime (Newer exchange versions is all done in EAC with like 2 or 3 clicks. Now if its used for the DKIMit might be a little harder to fix.

davidd
Автор

I wish news companies put it out like that comic before.
Really explained it well.
I hate how obfuscated the documentation can be sometimes for software lol.

honkhonk
Автор

Look at you, big man! You got a shoutout from Fireship on YT on your Metaverse vid.

aurele
Автор

Funny thing: I'm on MacOS Ventura and I have LibreSSL by default instead of OpenSSL. /usr/bin/openssl is LibreSSL 3.3.6.

localboxcrox