[Haifux] The Heartbeat vulnerability in OpenSSL (and hence ssh/https)

Tzafrir Cohen tzafrir at cohens.org.il
Fri Apr 11 15:43:02 IDT 2014


On Fri, Apr 11, 2014 at 08:35:00AM +0300, Eli Billauer wrote:
> Hi all,
> 
> I suppose that the security freaks already know about this, and still, 
> this seems important enough for an alert.
> 
> In a nutshell, a bug in the mechanism that allows keepalive messages to 
> be sent to maintain an SSL link, also allows, accidentally, a remote 
> attacker to read a segment of up to 64 kBytes from the server's memory. 
> It's doesn't give access to any chunk of 64 kBytes, but it's a segment 
> which is likely to be dirty with data that belongs to the process 
> running openSSL. So there's a chance that data related to private keys 
> and passwords is revealed this way.
> 
> See http://en.wikipedia.org/wiki/Heartbleed
> 
> I haven't found any tool checking a local SSH server, say as source code 
> in C. I suppose it's being avoided for the sake of not supplying the 
> almost-finished attack to script kiddies.

SSH is safe from this - it does not use this mechanism. Its protocol is
different.Likewise is GPG is safe from this bug as it is built with
GnuTLS.

-- 
Tzafrir Cohen         | tzafrir at jabber.org | VIM is
http://tzafrir.org.il |                    | a Mutt's
tzafrir at cohens.org.il |                    |  best
tzafrir at debian.org    |                    | friend


More information about the Haifux mailing list