[CentOS] [CentOS-announce] CVE-2014-0160 CentOS 6 openssl heartbleed workaround

Thu Apr 10 12:47:22 UTC 2014
Johnny Hughes <johnny at centos.org>

On 04/10/2014 05:17 AM, David Hrbáč wrote:
> Dne 9.4.2014 17:27, Johnny Hughes napsal(a):
>> It is only things that actually used SSL in memory (like httpd, imaps,
>> pop3s, etc) . those certificates COULD have been impacted. openssh was
>> not impacted (based on my reading).
> What about the user credentials sent over this "insecure" communication
> channel. They could be also compromised...
> DH
Anything in the actual memory of the process can be retrieved in random
64KB chunks, when/if someone uses an exploit against your server on the
https or one of the other ports (imaps, pop3s, etc).

The exploiter does not get to choose the memory check they get (it is
random), so they would need to run the exploit, in a loop, dump the
data, and grab the info in chunks. Then they would need to string the
data together or grab pieces out of the data.

So, yes, older transactions on that process could be seen. So some user
names, passwords, credit card numbers, any other traffic someone posted
on a connection to the machine could be read in the data that was dumped
and saved, including the server's private key as that key is used to
decrypt the connection.

That is one part of the exploit ... gleaning info from a service that is
running in real time.

If you are patched now, and if you restarted all services that were
running the old version of ssl, then that can no longer be done to your
machine. It could have been done as long as someone was exploiting the
port in question from the time any from the installation of the 6.5
openssl's were installed until at least version
openssl-1.0.1e-16.el6_5.4.0.1.centos.el6 (or openssl-1.0.1e-16.el6_5.7)
was installed ... AND all applicable services were restarted.

All of the chunks of up to 64KB that someone gathered, they can look
back through.

==============================

Another potential thing that someone who had access to your network
traffic could have done was dump/save that IP traffic, regardless of if
it was encrypted or not.

They could then use, if they obtained it, the private key for an https
server you connected to (one of the things they could have gotten while
a server was vulnerable). If someone did get a private key and if they
did save encrypted traffic that was on going, then they could at that
point decrypt the traffic that they have.

Those are the two possible things that could have happened.

=============================

In the case of CentOS servers, the time period where that could have
occurred is from December 1, 2013 (when openssl-1.0.1e-15.el6 was
released in CentOS-6.5) until people using 6.5 upgrade to
openssl-1.0.1e-16.el6_5.7 (available on April 8th, 2014). In the case of
some other distributions, the possible time frame is from March 2012
until April 2014.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: OpenPGP digital signature
URL: <http://lists.centos.org/pipermail/centos/attachments/20140410/f083afed/attachment-0005.sig>