On 04/09/2014 07:40 AM, Stephen Harris wrote:
On Wed, Apr 09, 2014 at 09:36:25AM -0400, James B. Byrne wrote:
However, if one was running an affected service, say httpd/mod_ssl, on a host that had sftp sessions connected to it, then would not the ssh private keys of the host and local users be in memory and therefore readable by the exploit?
[...]
state. As I understand the exploit it allows systematic transfer of every byte in memory which would include the unprotected keys would it not?
I'm pretty sure the exploit can only read the memory of the process and not of the kernel; "apache" shouldn't be able to read the memory space of a root process. If it could then we'd have no key security at all, anyway! This isn't a privilege escalation attack...
According to heartbleed.org, private keys for httpd (or other TLS / SSL services) are readable. Though the 64KB bit of memory obtainable is random, so it's not like they can just ask for the private keys or query a database for someone's password, etc. They could only get a random chunk of things active in memory when they make the request. For what it's worth, CentOS.org is replacing our certificate private keys. Others can obviously make their own choices.
Thanks, Johnny Hughes
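The mechanism the thread is discussing, as an added illustration that is not part of the mailing-list exchange and not OpenSSL's code: a pure-Python simulation of the CVE-2014-0160 heartbeat over-read. The "process memory" is a constructed byte buffer (a record followed by a made-up key-material marker), the heartbeat framing follows RFC 6520 (1-byte type, 2-byte payload_length, payload, 16 bytes of padding), and the two handlers mirror the pre-fix logic (copy `payload_length` bytes without checking it against the record) and the 1.0.1g check (`1 + 2 + payload + 16 > record length` means discard). Function and constant names are my own.

```python
"""Simulation of the Heartbleed (CVE-2014-0160) over-read in pure Python.

The server "heap" here is a constructed bytes object; the real bug was a memcpy
out of the process heap, which is why only that process's memory was exposed
and why the attacker cannot choose which 64KB they get.
"""
import os
import struct
from typing import Optional

TLS_HEARTBEAT = 0x18            # TLS record content type for heartbeat (RFC 6520)
TLS_VERSION = b"\x03\x02"       # TLS 1.1 on the wire; any 1.0-1.2 version behaves the same
HB_REQUEST, HB_RESPONSE = 1, 2
HB_PADDING = 16                 # RFC 6520: at least 16 bytes of random padding
RECORD_HDR = 5                  # type(1) + version(2) + length(2)
HB_HDR = 3                      # hb type(1) + payload_length(2)

# Constructed stand-in for key material living in the same process (not a real key).
SECRET = b"-----BEGIN RSA PRIVATE KEY-----CONSTRUCTED-MARKER-----"


def build_heartbeat_request(payload: bytes, claimed_len: int) -> bytes:
    """Build a heartbeat request record.

    claimed_len is what the 2-byte payload_length field says. A benign client
    sets it to len(payload); the Heartbleed probe sets it far larger, up to
    65535, which is where the "64KB per request" figure comes from.
    """
    body = struct.pack("!BH", HB_REQUEST, claimed_len) + payload + os.urandom(HB_PADDING)
    return struct.pack("!B2sH", TLS_HEARTBEAT, TLS_VERSION, len(body)) + body


def process_memory(record: bytes, secret: bytes = SECRET) -> bytes:
    """Constructed model of the server heap: the inbound record sits in front of
    whatever else the process holds, here 32 zero bytes and then key material."""
    return bytes(record) + b"\x00" * 32 + secret + b"\x00" * 65536


def heartbeat_vulnerable(memory: bytes) -> bytes:
    """Pre-1.0.1g behaviour: trust payload_length and copy that many bytes from
    the start of the payload, never comparing it with the record length."""
    _, claimed_len = struct.unpack_from("!BH", memory, RECORD_HDR)
    start = RECORD_HDR + HB_HDR
    echoed = memory[start:start + claimed_len]            # the over-read
    return struct.pack("!BH", HB_RESPONSE, claimed_len) + echoed + os.urandom(HB_PADDING)


def heartbeat_fixed(memory: bytes) -> Optional[bytes]:
    """1.0.1g behaviour: silently discard a request whose declared payload plus
    header and padding would not fit inside the record actually received."""
    record_len = struct.unpack_from("!H", memory, 3)[0]
    _, claimed_len = struct.unpack_from("!BH", memory, RECORD_HDR)
    if HB_HDR + claimed_len + HB_PADDING > record_len:    # the added bounds check
        return None
    start = RECORD_HDR + HB_HDR
    echoed = memory[start:start + claimed_len]
    return struct.pack("!BH", HB_RESPONSE, claimed_len) + echoed + os.urandom(HB_PADDING)


def leaked_bytes(response: bytes, sent_payload: bytes) -> bytes:
    """Everything the response echoes beyond what the client actually sent.

    For a benign exchange this is empty; any excess came from server memory.
    Comparing response payload size with request payload size is also the
    signal network detection rules for Heartbleed keyed on.
    """
    _, length = struct.unpack_from("!BH", response, 0)
    echoed = response[HB_HDR:HB_HDR + length]
    if not echoed.startswith(sent_payload):
        raise ValueError("response does not echo the request payload")
    return echoed[len(sent_payload):]


if __name__ == "__main__":
    probe = build_heartbeat_request(b"hi", 200)           # says 200, sends 2
    mem = process_memory(probe)
    leak = leaked_bytes(heartbeat_vulnerable(mem), b"hi")
    print("vulnerable server leaked key marker:", SECRET in leak)
    print("fixed server dropped the probe:", heartbeat_fixed(mem) is None)
```

The point the simulation makes concrete is the one in the thread: the excess bytes are whatever happens to sit after the request buffer in that process, so a probe returns a different slice each time and nothing outside the process is reachable; the fix is a single length comparison before the copy.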