Wondering if a vendor product might be vulnerable to existing (fixed)bugs, despite showing current version number - Openssl

This is a discussion on Wondering if a vendor product might be vulnerable to existing (fixed)bugs, despite showing current version number - Openssl ; Hi, I'm a student and I've been doing some security testing of a VPN from a rather large vendor as part of a school project. During my mapping of the VPN, I discovered the version of OpenSSL that they are ...

+ Reply to Thread
Results 1 to 2 of 2

Thread: Wondering if a vendor product might be vulnerable to existing (fixed)bugs, despite showing current version number

  1. Wondering if a vendor product might be vulnerable to existing (fixed)bugs, despite showing current version number

    Hi, I'm a student and I've been doing some security testing of a VPN
    from a rather large vendor as part of a school project. During my
    mapping of the VPN, I discovered the version of OpenSSL that they are
    distributing is "0.9.8h-fips-dev 19 mar 2008" As I understand it, that
    makes this a development branch, I presume compiled on March 19, 2008
    (please correct me if I am wrong!)

    I am wondering how I could determine, with only access to the compiled
    binary, if this version has any missing security fixes (much of the
    company's product is Debian based, however I already did check and the
    keys it generates do not appear on the blacklists of known bad keys, so
    I believe OpenSSL is a direct compile rather then a Debian download) I
    know there were security announcements after that date, and that 0.9.8h
    was not officially released until late May, hence my concern.

    Thanks in advance for any input!
    Sam Lavitt


    __________________________________________________ ____________________
    OpenSSL Project http://www.openssl.org
    User Support Mailing List openssl-users@openssl.org
    Automated List Manager majordomo@openssl.org


  2. Re: Wondering if a vendor product might be vulnerable to existing(fixed) bugs, despite showing current version number

    Samuel Lavitt wrote:

    > I am wondering how I could determine, with only access to the compiled
    > binary, if this version has any missing security fixes


    The "worst" vulnerabilities (and your time might be valuable, so prioritization
    might be important) have published exploits available.

    Black hat black box testing, IOW.

    My profession prevents me from directly pointing you to such tools, but
    a modest amount of effort can lead you to them.

    Don't put too much faith in version strings.

    - M
    __________________________________________________ ____________________
    OpenSSL Project http://www.openssl.org
    User Support Mailing List openssl-users@openssl.org
    Automated List Manager majordomo@openssl.org


+ Reply to Thread