[Haifux] The Heartbeat vulnerability in OpenSSL (and hence ssh/https)

Eli Billauer eli at billauer.co.il
Fri Apr 11 08:35:00 IDT 2014


Hi all,

I suppose that the security freaks already know about this, and still, 
this seems important enough for an alert.

In a nutshell, a bug in the mechanism that allows keepalive messages to 
be sent to maintain an SSL link, also allows, accidentally, a remote 
attacker to read a segment of up to 64 kBytes from the server's memory. 
It's doesn't give access to any chunk of 64 kBytes, but it's a segment 
which is likely to be dirty with data that belongs to the process 
running openSSL. So there's a chance that data related to private keys 
and passwords is revealed this way.

See http://en.wikipedia.org/wiki/Heartbleed

I haven't found any tool checking a local SSH server, say as source code 
in C. I suppose it's being avoided for the sake of not supplying the 
almost-finished attack to script kiddies.

Hag Sameah,

    Eli

-- 
Web: http://www.billauer.co.il



More information about the Haifux mailing list