October 16 2014: SSL 3 poodle vulnerability

Attention:

“It was discovered that OpenSSL incorrectly handled memory when parsing DTLS SRTP extension data. A remote attacker could possibly use this issue to cause OpenSSL to consume resources, resulting in a denial of service.

.. It was discovered that OpenSSL incorrectly handled memory when verifying the integrity of a session ticket. A remote attacker could possibly use this issue to cause OpenSSL to consume resources, resulting in a denial of service. (CVE-2014-3567)

In addition, this update introduces support for the TLS Fallback Signaling Cipher Suite Value (TLS_FALLBACK_SCSV). This new feature prevents protocol downgrade attacks when certain applications such as web browsers attempt to reconnect using a lower protocol version for interoperability reasons.”

Notice:

We recommend to all of our affiliates to update their OpenSSL versions immediately and to turn off SSL v3 and use TLS 1.1 and higher. Please note that Payflex system servers have been patched and are no longer accepting SSL v3 connections.

How to test if you have disabled SSL v3?

To check if you have disabled the SSLv3 support, then run (replace “facebook.com” with “yourserver.tld”.)

openssl s_client -connect facebook.com:443 -ssl3

which should produce something like

3073927320:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1258:SSL alert number 40
3073927320:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:

meaning SSLv3 is disabled on the server. Otherwise the connection will established successfully.

Alternatively, you can use nmap to scan server for supported version:

# nmap --script ssl-enum-ciphers facebook.com**
Starting Nmap 6.47 ( http://nmap.org ) at 2014-10-15 03:19 PDT
Nmap scan report for facebook.com (173.252.120.6)
Host is up (0.090s latency).
rDNS record for 173.252.120.6: edge-star-shv-12-frc3.facebook.com
Not shown: 997 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
| ssl-enum-ciphers: 
|   **SSLv3: No supported ciphers found**
|   TLSv1.0: 

Sept 26 2014: Bash Bug Shellshock vulnerability exposed

Attention to all:
On September 24, 2014. An exploit has been found and publicized about bash (bourne again shell). This shell is implementation is on most linux distributions and unix distributions, as well as Windows cygwin shell program.

Since the notification we have update our gateway with the recommended update. We are not vulnerable to this threat. We recommend to all of our affiliates to update their systems with the latest available patch for this vulnerability.

April 14 2014: HeartBleed OpenSSL vulnerability

Attention: On April 8 2014, OpenSSL libraries have been publicized that a vulnerability exists in certain versions of OpenSSL implementation.

 

Notice: PayFlex Systems is not vulnerable to HeartBleed,  (CVE-2014-0160). Our gateway is not using this implementation version

Notice to our affiliates: It is recommended that SSL certificates be reissued to ensure that your future SSL connections are not prone to man-in-the-middle interception.

For more information please go to:

https://www.us-cert.gov/ncas/alerts/TA14-098A

or

http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-0160.html

Sept 10 2014: PHP vulnerability notification

Attention:

It was discovered that PHP did not properly handle certificates with NULLcharacters in the Subject Alternative Name field. An attacker could exploit this to perform a man in the middle attack to view sensitive information or alter encrypted communications.

Notice:

We recommedn our affiliates connecting to us by PHP invoking HTTPS (SSL)  POST requests that they patch their systems accordingly.

For more information about which versions of linux bundles are affected please go to:

http://www.ubuntu.com/usn/usn-1937-1/

or

http://www.rapid7.com/db/vulnerabilities/ubuntu-USN-1937-1