Patch All The Things! New "Cupid" Technique Exploits Heartbleed Bug (PCMagazine) [LWN.net]

Cupid is an exploit for the Heartbleed bug in OpenSSL that can target both servers and endpoints running Linux and Android, reports PCMagazine. "Luis Grangeia, a researcher at SysValue, created a proof-of-concept code library that he calls "Cupid." Cupid consists of two patches to existing Linux code libraries. One allows an "evil server" to exploit Heartbleed on vulnerable Linux and Android clients, while the other allows an "evil client" to attack Linux servers. Grangeia has made the source code freely available, in hopes that other researchers will join in to learn more about just what kind of attacks are possible."

to post comments

Patch All The Things! New "Cupid" Technique Exploits Heartbleed Bug (PCMagazine)

Posted Jun 4, 2014 19:46 UTC (Wed) by roblucid (guest, #48964) [Link] (3 responses)

I found by breaking dependencies and temporarily uninstalling libgnutls, I could find out what's got it open, so will need restarting when the updates are available.

David Straus's blog report, explains how they reacted effectively to Heartbleed and has some useful code snippets, for determing impact and auto restarting systemd services : https://www.getpantheon.com/heartbleed-fix

My sample, it's only the desktop and mozilla, so nothing that restarting X won't fix.

Patch All The Things! New "Cupid" Technique Exploits Heartbleed Bug (PCMagazine)

Posted Jun 4, 2014 19:50 UTC (Wed) by roblucid (guest, #48964) [Link] (2 responses)

Should have said, I'm fooling about on gnutls cos' that's todays new scare.
Cupid is Heartbleed exploit, not gnutls related.

Wish there was an edit button :)

Patch All The Things! New "Cupid" Technique Exploits Heartbleed Bug (PCMagazine)

Posted Jun 5, 2014 2:28 UTC (Thu) by pabs (subscriber, #43278) [Link] (1 responses)

How many copies of gnutls did you have to update?

Patch All The Things! New "Cupid" Technique Exploits Heartbleed Bug (PCMagazine)

Posted Jun 6, 2014 10:53 UTC (Fri) by roblucid (guest, #48964) [Link]

This is what was replaced, AFAIK I'm not running anything tasteless enough to statically link it in (least on Linux, on Windows the story could be worse).

Distribution: openSUSE 13.1
/usr/lib64/libgnutls-xssl.so.0.0.0
/usr/lib64/libgnutls.so.28.25.0

# services holding libgnutls open
for s in xdm dbus; do systemctl restart $s; done

Actually I got lucky, the latest OpenSSL fixes are available, which added wpa_supplicant.service and sshd to the restart list.

Alot of trouble, for a feature I don't knowingly use, some kind of dynamic on-demand loading based system bit like kernel modules, which allowed disabling insecure (or unused) features, would be a nice mitigation. The problem is breaking the "just works" paradigm, though I guess white & black lists where security fixes are pending might not be too awful.

Patch All The Things! New "Cupid" Technique Exploits Heartbleed Bug (PCMagazine)

Posted Jun 4, 2014 21:28 UTC (Wed) by nix (subscriber, #2304) [Link]

This just goes to show, we should all upgrade our Heartbleed-vulnerable systems! Shame about the ones that have vulnerable OpenSSLs but will never receive updates, like many Android 4.1 devices, or the ones that have vulnerable OpenSSLs in ROM and we might not even *know* about it.

Patch All The Things! New "Cupid" Technique Exploits Heartbleed Bug (PCMagazine)

Posted Jun 5, 2014 8:54 UTC (Thu) by Gladrim (subscriber, #45751) [Link]

I can't see a LICENSE file or any reference to one in the code. If Luis wants researchers to help, that would be a useful addition.